From fe5d59f8e3169944e57eb1c60155c9ebd4912d48 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 14 Feb 2021 20:42:37 +0100
Subject: [PATCH 1/2] CVE-2021-20247: reject funny mailbox names from IMAP LIST/LSUB

in particular, '..' in the name could be used to escape the Path/Inbox of a Maildir Store, which could be exploited for stealing or deleting data, or staging a (mild) DoS attack.
---
 src/drv_imap.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/drv_imap.c b/src/drv_imap.c
index 810479e..fbe2fed 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -1258,11 +1258,12 @@ static int parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
 {
 string_list_t *narg;
- char *arg;
+ char *arg, c;
 int argl, l;
 if (!is_atom( list )) {
 error( "IMAP error: malformed LIST response\n" );
+ listbad:
 free_list( list );
 return LIST_BAD;
 }
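Review bot: The new `listbad:` label is placed inside the body of `if (!is_atom( list ))`, so every later `goto listbad` jumps into the middle of that block; this is legal C because labels are function-scoped, but it makes the shared failure exit easy to miss when reading that branch. The conventional layout is a cleanup label at the function's tail, `listbad: free_list( list ); return LIST_BAD;` placed after the normal return, with the malformed-response branch also ending in `goto listbad`. The changed declaration `char *arg, c;` mixes a pointer and a plain `char` declarator on one line, which is easy to misread as two pointers; a separate `char c;` (or a loop-local one where it is used) would be clearer. parse_list_rsp_p2 continues past the end of this hunk.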
@@ -1302,6 +1303,34 @@ parse_list_rsp_p2( imap_store_t *ctx, list_t *list, char *cmd ATTR_UNUSED )
 warn( "IMAP warning: ignoring mailbox %s (reserved character '/' in name)\n", arg );
 goto skip;
 }
+ // Validate the normalized name. Technically speaking, we could tolerate
+ '//' and '/./', and '/../' being forbidden is a limitation of the Maildir
+ driver, but there isn't really a legitimate reason for these being present.
+ for (const char *p = narg->string, *sp = p;;) {
+ if (!(c = *p) || c == '/') {
+ uint pcl = (uint)(p - sp);
+ if (!pcl) {
+ error( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string );
+ free( narg );
+ goto skip;
+ }
+ if (pcl == 1 && sp[0] == '.') {
+ error( "IMAP warning: ignoring mailbox '%s' due to '.' component\n", narg->string );
+ free( narg );
+ goto skip;
+ }
+ if (pcl == 2 && sp[0] == '.' && sp[1] == '.') {
+ error( "IMAP error: LIST'd mailbox name '%s' contains '..' component - THIS MIGHT BE AN ATTEMPT TO HACK YOU!\n", narg->string );
+ free( narg );
+ goto listbad;
+ }
+ if (!c)
+ break;
+ sp = ++p;
+ } else {
+ ++p;
+ }
+ }
 narg->next = ctx->boxes;
 ctx->boxes = narg;
 skip:
From d55ced04eda7c0632c36d3531406144bdc059a53 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Sun, 21 Feb 2021 21:24:48 +0100
Subject: [PATCH 2/2] bump version

---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 9b603af..cca74d4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([isync], [1.3.4])
+AC_INIT([isync], [1.3.5])
 AC_CONFIG_HEADERS([autodefs.h])
 AM_INIT_AUTOMAKE
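Review bot: The empty-component and '.'-component branches log an "IMAP warning: …" message through `error()`, while the reserved-'/' case a few lines above reports its skipped mailbox through `warn()`; the new code should match, e.g. `warn( "IMAP warning: ignoring mailbox '%s' due to empty name component\n", narg->string );` and the same for the '.' case, leaving `error()` for the '..' case that actually aborts the listing with LIST_BAD. Both skip branches do `free( narg ); goto skip;`, which is only safe if nothing after `skip:` dereferences narg; that code is outside the hunk, so it is worth confirming. Minor: `c` is used only inside this loop, so a loop-local `char c` would scope it better than the function-level declaration added in the first hunk. parse_list_rsp_p2 starts and ends outside this hunk.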