[Pkg-sogo-maintainers] Bug#1109735: unblock: sope/5.12.1-2
Jordi Mallach
jordi at debian.org
Tue Jul 22 21:54:37 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: sope at packages.debian.org
Control: affects -1 + src:sope
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package sope
[ Reason ]
This upload includes the proposed patch for CVE-2025-53603,
plus cherry-picks two of the three commits that were included
in the upstream 5.12.2 release, and that fix issues reported
by 5.12.x users.
[ Impact ]
An easy-to-trigger DoS condition won't be patched, and
some non-compliant SMTP implementations won't be able to
speak to SOGo. Additionally, a one-liner auth optimization
for OpenID users won't be present.
[ Tests ]
None, just manual testing.
[ Risks ]
The CVE fix has not been accepted by upstream yet, so I don't
know if they will accept it as is or they will pick another
solution.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock sope/5.12.1-2
-------------- next part --------------
diff -Nru sope-5.12.1/debian/changelog sope-5.12.1/debian/changelog
--- sope-5.12.1/debian/changelog 2025-05-04 23:13:11.000000000 +0200
+++ sope-5.12.1/debian/changelog 2025-07-22 22:34:25.000000000 +0200
@@ -1,3 +1,13 @@
+sope (5.12.1-2) unstable; urgency=medium
+
+ * [CVE-2025-53603] Add proposed patch to fix DoS-enabling segfault
+ (closes: #1108798).
+ * Cherry-pick two additional fixes from the 5.12.2 release.
+ - allow SMTP replies that don't adhere to the SMTP spec
+ - don't check for the auth bearer token
+
+ -- Jordi Mallach <jordi at debian.org> Tue, 22 Jul 2025 22:34:25 +0200
+
sope (5.12.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru sope-5.12.1/debian/patches/git_CVE-2025-53603.patch sope-5.12.1/debian/patches/git_CVE-2025-53603.patch
--- sope-5.12.1/debian/patches/git_CVE-2025-53603.patch 1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_CVE-2025-53603.patch 2025-07-07 15:31:00.000000000 +0200
@@ -0,0 +1,143 @@
+From 280104e45c20519ac4849ebf8bca114d91383543 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <source at stbuehler.de>
+Date: Sun, 29 Jun 2025 10:21:32 +0200
+Subject: [PATCH] NGHashMap: keep root->last consistent to fix segfault adding
+ duplicate key after copy
+
+segfault because root->last is NULL:
+ #0 -[NGMutableHashMap addObjects:count:forKey:]
+ #1 -[NGMutableHashMap addObject:forKey:]
+ #2 -[NGHttpRequest(WOSupport) _decodeFormContentURLParameters:]
+ #3 -[NGHttpRequest(WOSupport) formParameters]
+
+when POST and GET set the same parameter; trigger like this:
+
+ curl -d 'x=' 'https://.../SOGo/?x='
+---
+ sope-core/NGExtensions/NGHashMap.m | 33 ++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/sope-core/NGExtensions/NGHashMap.m b/sope-core/NGExtensions/NGHashMap.m
+index 8b05ebb..f8df722 100644
+--- a/sope-core/NGExtensions/NGHashMap.m
++++ b/sope-core/NGExtensions/NGHashMap.m
+@@ -216,6 +216,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ NSEnumerator *keys = nil;
+ id key = nil;
+ LList *list = NULL;
++ LList *root = NULL;
+ LList *newList = NULL;
+ LList *oldList = NULL;
+
+@@ -223,7 +224,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ keys = [_hashMap keyEnumerator];
+ while ((key = [keys nextObject])) {
+ list = [_hashMap __structForKey:key];
+- newList = initLListElement(list->object,NULL);
++ root = newList = initLListElement(list->object,NULL);
+ newList->count = list->count;
+ NSMapInsert(self->table,key,newList);
+ while (list->next) {
+@@ -232,6 +233,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ newList = initLListElement(list->object,NULL);
+ oldList->next = newList;
+ }
++ root->last = newList;
+ }
+ }
+ return self;
+@@ -257,6 +259,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ pred = element;
+ }
+ root->count = i;
++ root->last = pred;
+ NSMapInsert(self->table,_key, root);
+ }
+ NSAssert(self->table, @"missing table for hashmap ..");
+@@ -712,6 +715,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ {
+ id object = nil;
+ LList *root = NULL;
++ LList *insert = NULL;
+ LList *element = NULL;
+ unsigned i = 0;
+
+@@ -728,10 +732,13 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ }
+
+ root = initLListElement(_objects[0], NULL);
++ insert = root;
+ root->count = _count;
++ // set root->last to last inserted element later
+ NSMapInsert(self->table, _key, root);
+ }
+ else {
++ insert = root;
+ if (!(_index < root->count)) {
+ [NSException raise:NSRangeException
+ format:@"index %"PRIuPTR" out of range in map 0x%p length %d",
+@@ -741,30 +748,38 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+
+ root->count += _count;
+ if (_index == 0) {
++ // move current data at pos 0 to new element (prepending
++ // a new element would require replacing entry in NSMapTable)
+ element = initLListElement(_objects[0],NULL);
+ object = element->object;
+ element->next = root->next;
+ element->object = root->object;
+ root->object = object;
+ root->next = element;
++ if (root->last == root)
++ root->last = element; // inserted at pos 0 before the only item
+ }
+ else {
+ while (--_index)
+- root = root->next;
++ insert = insert->next;
++ if (root->last == insert)
++ root->last = NULL; // set to last inserted element later
+
+ element = initLListElement(_objects[0], NULL);
+- element->next = root->next;
+- root->next = element;
+- root = root->next;
++ element->next = insert->next;
++ insert->next = element;
++ insert = insert->next;
+ }
+ }
+ for (i = 1; i < _count; i++) {
+ checkForAddErrorMessage(self, _objects[i], _key);
+ element = initLListElement(_objects[i], NULL);
+- element->next = root->next;
+- root->next = element;
+- root = element;
++ element->next = insert->next;
++ insert->next = element;
++ insert = element;
+ }
++ if (root->last == NULL)
++ root->last = insert;
+ }
+
+ /* adding objects */
+@@ -864,6 +879,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ root->next = list->next;
+ root->object = list->object;
+ root->count--;
++ // cleanup root->last (could be list!) after loop below
+ if (list) free(list);
+ list = NULL;
+ }
+@@ -880,6 +896,7 @@ static inline unsigned __countObjectsForKey(NGHashMap *self, id _key) {
+ list = oldList;
+ }
+ }
++ root->last = list; // list->next is NULL, i.e. it is the last
+ root->count -= cnt;
+ }
+ }
+--
+2.50.0
+
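Review bot: The dereference that crashed, in `-[NGMutableHashMap addObjects:count:forKey:]`, is not changed by this patch, so it stays safe only while every list mutator leaves `root->last` on the real tail; these hunks restore that in the copy initialiser, the single-key initialiser, the insert path and one removal path, and any builder or remover outside them would bring the NULL dereference back for request-supplied parameters. A fallback at the point of use would make the invariant self-healing, for example `if (root->last == NULL) for (root->last = root; root->last->next != NULL; root->last = root->last->next) ;` (local names assumed, since that method is outside the diff). In the insert hunk the new-key branch and the closing `if (root->last == NULL)` appear to depend on `initLListElement` returning an element with `last` set to NULL, and in the removal hunk `root->last = list;` depends on `list` being non-NULL after the loop; neither is visible here, and each deserves a one-line comment stating the assumption. The unblock request lists only manual testing, so a regression test that copies a map and then adds a value under an existing key would pin the fix. All affected methods begin and end outside the hunks.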
diff -Nru sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch
--- sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch 1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_dont_check_bearer_token.patch 2025-07-22 22:34:25.000000000 +0200
@@ -0,0 +1,19 @@
+commit 2bec3d956c766b9cfbb37bef1f1868cea1293974
+Author: Hivert Quentin <quentin.hivert.fr at gmail.com>
+Date: Wed Jun 11 12:53:22 2025 +0200
+
+ fix(proxy): don't check bearer token auth
+
+diff --git a/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m b/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
+index c0ee61d..a758311 100644
+--- a/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
++++ b/sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m
+@@ -327,7 +327,7 @@ static int logCounter = 0;
+
+ auth = [[request valuesOfHeaderFieldWithName:@"authorization"]
+ nextObject];
+- if (auth) {
++ if (auth && ![[auth lowercaseString] hasPrefix: @"bearer"]) {
+ if (![auth isKindOfClass:[NGHttpCredentials class]]) {
+ auth =
+ [NGHttpCredentials credentialsWithString:[auth stringValue]];
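Review bot: The new condition sends `lowercaseString` to `auth` before the `isKindOfClass:[NGHttpCredentials class]` test on the following line, and that test implies the header value is not always an NSString; if an already-parsed credentials object can reach this point, the call would raise instead of skipping the block. Checking the type first keeps the intent, e.g. `if (auth && !([auth isKindOfClass:[NSString class]] && [[auth lowercaseString] hasPrefix:@"bearer "])) {`, where the trailing space also stops schemes that merely begin with "bearer" from matching. Because Bearer requests now bypass this block entirely, a short comment naming where the token is validated would let the next reader confirm that nothing downstream relies on state this block sets. The enclosing method starts and ends outside the hunk.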
diff -Nru sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch
--- sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch 1970-01-01 01:00:00.000000000 +0100
+++ sope-5.12.1/debian/patches/git_smtp_replies_with_3_chars.patch 2025-07-22 22:34:25.000000000 +0200
@@ -0,0 +1,30 @@
+commit 927aaeadcff6a55416e1ef29faa7bbe90d63daea
+Author: Hivert Quentin <quentin.hivert.fr at gmail.com>
+Date: Tue Jun 17 15:28:53 2025 +0200
+
+ fix(smtp): allow smtp replies with only 3 chars (being the number code) instead of 4 (code + space)
+
+diff --git a/sope-mime/NGMail/NGSmtpClient.m b/sope-mime/NGMail/NGSmtpClient.m
+index fa0cfb3..c6ec39f 100644
+--- a/sope-mime/NGMail/NGSmtpClient.m
++++ b/sope-mime/NGMail/NGSmtpClient.m
+@@ -478,6 +478,19 @@
+ NGSmtpReplyCode code = -1;
+
+ line = [self->text readLineAsString];
++ if([line length] == 3) {
++ //Invalid but can happen with some smtp server that does not follow correctly the smtp specs
++ //and only send the code number instead of the code + a space.
++ code = [[line substringToIndex:3] intValue];
++ if(code == 0)
++ {
++ NSLog(@"SMTP: reply has invalid format and is not a code of 3 chars (%@)", line);
++ return nil;
++ }
++ desc = [NSMutableString stringWithCapacity:[line length]];
++ return [NGSmtpResponse responseWithCode:code text:desc];
++ }
++
+ if ([line length] < 4) {
+ NSLog(@"SMTP: reply has invalid format (%@)", line);
+ return nil;
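Review bot: The three-character branch accepts whatever `intValue` returns, so a server line such as `2xy` or `-12` produces a non-zero value and is returned as a reply code, because `intValue` parses a leading number and ignores the rest. A three-character line that contains any non-digit can never parse to 100 or more, so replacing `if(code == 0)` with `if (code < 100)` rejects every malformed case while still accepting bare three-digit replies. `substringToIndex:3` has no effect on a line whose length is already 3, so `[line intValue]` says the same thing more directly. The method continues outside the hunk.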
diff -Nru sope-5.12.1/debian/patches/series sope-5.12.1/debian/patches/series
--- sope-5.12.1/debian/patches/series 2025-03-24 14:14:00.000000000 +0100
+++ sope-5.12.1/debian/patches/series 2025-07-22 22:34:25.000000000 +0200
@@ -1,3 +1,6 @@
0001-do-not-build-json.patch
0002-Do-not-build-xmlrpc-and-stxsaxdriver.patch
0003-Unset-MAKEFLAGS-and-MFLAGS-in-configure.patch
+git_CVE-2025-53603.patch
+git_dont_check_bearer_token.patch
+git_smtp_replies_with_3_chars.patch