diff -Nru amavisd-new-2.13.0/debian/changelog amavisd-new-2.13.0/debian/changelog --- amavisd-new-2.13.0/debian/changelog 2023-07-17 21:17:01.000000000 +0000 +++ amavisd-new-2.13.0/debian/changelog 2024-04-12 15:03:05.000000000 +0000 @@ -1,3 +1,19 @@ +amavisd-new (1:2.13.0-3ubuntu1.1) mantic-security; urgency=medium + + * SECURITY UPDATE: incorrect check via multiple boundary parameters + - debian/patches/CVE-2024-28054-1.patch: add CC_UNCHECKED,3 content + category in conf/amavisd.conf, lib/Amavis.pm, lib/Amavis/Conf.pm, + lib/Amavis/Unpackers.pm, lib/Amavis/Unpackers/MIME.pm, + lib/Amavis/Unpackers/Part.pm, t/Amavis/Unpackers/MIMETest.pm. + - debian/patches/CVE-2024-28054-2.patch: use + MIME::Entity->ambiguous_content if available in .gitlab-ci.yml, + lib/Amavis/Unpackers/MIME.pm. + - debian/patches/CVE-2024-28054-3.patch: describe CVE-2024-28054 in + README_FILES/README.CVE-2024-28054. + - CVE-2024-28054 + + -- Marc Deslauriers Fri, 12 Apr 2024 11:03:05 -0400 + amavisd-new (1:2.13.0-3ubuntu1) mantic; urgency=medium * Merge with Debian unstable (LP: #2018057). Remaining changes: diff -Nru amavisd-new-2.13.0/debian/patches/CVE-2024-28054-1.patch amavisd-new-2.13.0/debian/patches/CVE-2024-28054-1.patch --- amavisd-new-2.13.0/debian/patches/CVE-2024-28054-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ amavisd-new-2.13.0/debian/patches/CVE-2024-28054-1.patch 2024-04-12 15:02:10.000000000 +0000 @@ -0,0 +1,233 @@ +From 78c4b7076ebf1d711629a95860aae1bc0db5277a Mon Sep 17 00:00:00 2001 +From: Damian Lukowski +Date: Wed, 18 Oct 2023 13:28:44 +0200 +Subject: [PATCH] Add CC_UNCHECKED,3 content category + +--- + RELEASE_NOTES | 6 +++++ + conf/amavisd.conf | 1 + + lib/Amavis.pm | 8 +++--- + lib/Amavis/Conf.pm | 2 ++ + lib/Amavis/Unpackers.pm | 5 ++-- + lib/Amavis/Unpackers/MIME.pm | 15 ++++++++++++ + lib/Amavis/Unpackers/Part.pm | 3 ++- + t/Amavis/Unpackers/MIMETest.pm | 45 +++++++++++++++++++++++++++++++++- + 8 files changed, 78 insertions(+), 7 deletions(-) + +#diff --git a/RELEASE_NOTES b/RELEASE_NOTES +#index 621d4d1..75b88be 100644 +#--- a/RELEASE_NOTES +#+++ b/RELEASE_NOTES +#@@ -4,6 +4,12 @@ amavis-2.13.1 release notes +# +# NEW FEATURES +# +#+- Add CC_UNCHECKED minor content category for ambiguous multipart +#+ boundaries. Users are encouraged to defang or quarantine such emails. +#+ Thanks to Jiahe Zhang and Jianjun Chen from Tsinghua University and +#+ Zhongguancun Lab for reporting the issue confidentially. +#+ Issue: https://gitlab.com/amavis/amavis/issues/112 +#+ +# BUG FIXES +# +# - Resolve double reporting of Amavis::Conf module version. +diff --git a/conf/amavisd.conf b/conf/amavisd.conf +index f9de495..0a63cd9 100644 +--- a/conf/amavisd.conf ++++ b/conf/amavisd.conf +@@ -148,6 +148,7 @@ $defang_banned = 1; # MIME-wrap passed mail containing banned name + $defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header + $defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters + $defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error ++$defang_by_ccat{CC_UNCHECKED.",3"} = 1; # ambiguous content (e.g. multipart boundary) + + # TLS verification example + # $tls_security_level_out = 'may'; +diff --git a/lib/Amavis.pm b/lib/Amavis.pm +index daafb01..f568cd0 100644 +--- a/lib/Amavis.pm ++++ b/lib/Amavis.pm +@@ -2483,16 +2483,18 @@ sub check_mail($$) { + + $which_section = "parts_decode_ext"; + snmp_count('OpsDec'); +- my($any_encrypted,$over_levels); +- ($hold, $any_undecipherable, $any_encrypted, $over_levels) = ++ my($any_encrypted,$over_levels,$ambiguous); ++ ($hold, $any_undecipherable, $any_encrypted, $over_levels, $ambiguous) = + Amavis::Unpackers::decompose_mail($msginfo->mail_tempdir, + $file_generator_object); +- $any_undecipherable ||= ($any_encrypted || $over_levels); ++ $any_undecipherable ||= ($any_encrypted || $over_levels || $ambiguous); + if ($any_undecipherable) { + $msginfo->add_contents_category(CC_UNCHECKED,0); + $msginfo->add_contents_category(CC_UNCHECKED,1) if $any_encrypted; + $msginfo->add_contents_category(CC_UNCHECKED,2) if $over_levels; ++ $msginfo->add_contents_category(CC_UNCHECKED,3) if $ambiguous; + for my $r (@{$msginfo->per_recip_data}) { ++ $r->add_contents_category(CC_UNCHECKED,3) if $ambiguous; + next if $r->bypass_virus_checks; + $r->add_contents_category(CC_UNCHECKED,0); + $r->add_contents_category(CC_UNCHECKED,1) if $any_encrypted; +diff --git a/lib/Amavis/Conf.pm b/lib/Amavis/Conf.pm +index bd00485..9f117d8 100644 +--- a/lib/Amavis/Conf.pm ++++ b/lib/Amavis/Conf.pm +@@ -1134,6 +1134,7 @@ BEGIN { + CC_UNCHECKED, 'Unchecked', + CC_UNCHECKED.',1', 'UncheckedEncrypted', + CC_UNCHECKED.',2', 'UncheckedOverLimits', ++ CC_UNCHECKED.',3', 'UncheckedAmbiguousContent', + CC_BANNED, 'Banned', + CC_VIRUS, 'Virus', + ); +@@ -1608,6 +1609,7 @@ BEGIN { + CC_BANNED, 'id=%n - BANNED: %F', + CC_UNCHECKED.',1', 'id=%n - UNCHECKED: encrypted', + CC_UNCHECKED.',2', 'id=%n - UNCHECKED: over limits', ++ CC_UNCHECKED.',3', 'id=%n - UNCHECKED: ambiguous content', + CC_UNCHECKED, 'id=%n - UNCHECKED', + CC_SPAM, 'id=%n - spam', + CC_SPAMMY.',1', 'id=%n - spammy (tag3)', +diff --git a/lib/Amavis/Unpackers.pm b/lib/Amavis/Unpackers.pm +index 8d6684b..f36edb5 100644 +--- a/lib/Amavis/Unpackers.pm ++++ b/lib/Amavis/Unpackers.pm +@@ -280,7 +280,7 @@ sub decompose_mail($$) { + my($tempdir,$file_generator_object) = @_; + + my $hold; my(@parts); my $depth = 1; +- my($any_undecipherable, $any_encrypted, $over_levels) = (0,0,0); ++ my($any_undecipherable, $any_encrypted, $over_levels, $ambiguous) = (0,0,0,0); + my $which_section = "parts_decode"; + # fetch all not-yet-visited part names, and start a new cycle + TIER: +@@ -342,13 +342,14 @@ TIER: + if (defined $attr) { + $any_undecipherable++ if index($attr, 'U') >= 0; + $any_encrypted++ if index($attr, 'C') >= 0; ++ $ambiguous++ if index($attr, 'B') >= 0; + } + } + last TIER if defined $hold; + $depth++; + } + section_time($which_section); prolong_timer($which_section); +- ($hold, $any_undecipherable, $any_encrypted, $over_levels); ++ ($hold, $any_undecipherable, $any_encrypted, $over_levels, $ambiguous); + } + + # Decompose one part +diff --git a/lib/Amavis/Unpackers/MIME.pm b/lib/Amavis/Unpackers/MIME.pm +index 181421f..2d6011b 100644 +--- a/lib/Amavis/Unpackers/MIME.pm ++++ b/lib/Amavis/Unpackers/MIME.pm +@@ -59,6 +59,20 @@ sub mime_decode_pre_epi($$$$$) { + } + } + ++sub ambiguous_content { ++ my $entity = shift; ++ return unless $entity->is_multipart; ++ my $content_type = $entity->head->get('Content-Type'); ++ if ($content_type && $content_type =~ m{^multipart/\w+(.+)}x) { ++ my ($params, $num) = ($1, 0); ++ while ($params =~ m{\G ; \s+ (?\w+) = (?: \w+ | "(?:\\.|[^"\\])*" )}gx) { ++ $num++ if lc($+{param}) eq 'boundary'; ++ } ++ return $num > 1; ++ } ++ return; ++} ++ + # traverse MIME::Entity object depth-first, + # extracting preambles and epilogues as extra (pseudo)parts, and + # filling-in additional information into Amavis::Unpackers::Part objects +@@ -73,6 +87,7 @@ sub mime_traverse($$$$$) { + if (!defined($body)) { # a MIME container only contains parts, no bodypart + # create pseudo-part objects for MIME containers (e.g. multipart/* ) + $part = Amavis::Unpackers::Part->new(undef,$parent_obj,1); ++ $part->attributes_add('B') if ambiguous_content($entity); + # $part->type_short('no-file'); + do_log(2, "%s %s Content-Type: %s", $part->base_name, $placement, $mt); + +diff --git a/lib/Amavis/Unpackers/Part.pm b/lib/Amavis/Unpackers/Part.pm +index 0cb188e..83c1450 100644 +--- a/lib/Amavis/Unpackers/Part.pm ++++ b/lib/Amavis/Unpackers/Part.pm +@@ -65,7 +65,8 @@ sub exists + sub attributes # a string of characters representing attributes + { @_<2 ? shift->{attr} : ($_[0]->{attr} = $_[1]) }; + +-sub attributes_add { # U=undecodable, C=crypted, D=directory,S=special,L=link ++sub attributes_add { # U=undecodable, C=crypted, B=ambiguous-content, ++ # D=directory, S=special, L=link + my $self = shift; my $a = $self->{attr}; $a = '' if !defined $a; + for my $arg (@_) { $a .= $arg if $arg ne '' && index($a,$arg) < 0 } + $self->{attr} = $a; +diff --git a/t/Amavis/Unpackers/MIMETest.pm b/t/Amavis/Unpackers/MIMETest.pm +index 082bed0..03d58fd 100644 +--- a/t/Amavis/Unpackers/MIMETest.pm ++++ b/t/Amavis/Unpackers/MIMETest.pm +@@ -2,6 +2,9 @@ + + package Amavis::Unpackers::MIMETest; + ++use IO::Scalar; ++use MIME::Entity; ++use MIME::Parser; + use Test::Most; + use base 'Test::Class'; + +@@ -12,7 +15,47 @@ sub startup : Tests(startup => 1) { + use_ok $test->class; + } + +-sub empty : Tests(0) { ++sub ambiguous : Tests(3) { ++ my $check = \&{'Amavis::Unpackers::MIME::ambiguous_content'}; ++ ++ my $entity = MIME::Entity->build( ++ Type => 'multipart/mixed', ++ From => 'sender@example.com', ++ To => 'recip@example.com', ++ Subject => 'Hello world', ++ ); ++ ++ $entity->attach(Data => 'E=mc²'); ++ $entity->attach(Data => 'a²+b²=c²'); ++ $entity->attach(Data => 'E=ma²+mb²'); ++ ++ ok(!$check->($entity), 'normal MIME entity is not ambiguous'); ++ ++ my $DATA = join '', ; ++ ++ $entity = MIME::Parser->new->parse(IO::Scalar->new(\$DATA)); ++ ok($check->($entity), 'constructed MIME entity is ambiguous'); ++ ++ $entity = MIME::Parser->new->parse_data($DATA); ++ ok($check->($entity), 'constructed MIME entity is ambiguous'); + } + + 1; ++ ++__DATA__ ++MIME-Version: 1.0 ++Subject: multiple_boundary ++Content-Type: multipart/mixed; boundary=bar; one=two; boundary=foo ++ ++--foo ++Content-type: text/plain ++ ++Email with an attachment. ++--bar ++Content-type: application/octet-stream; name=name ++Content-Disposition: attachment; filename=name ++Content-Transfer-Encoding: 7bit ++ ++This is sparta ++--bar-- ++--foo-- +-- +GitLab + diff -Nru amavisd-new-2.13.0/debian/patches/CVE-2024-28054-2.patch amavisd-new-2.13.0/debian/patches/CVE-2024-28054-2.patch --- amavisd-new-2.13.0/debian/patches/CVE-2024-28054-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ amavisd-new-2.13.0/debian/patches/CVE-2024-28054-2.patch 2024-04-12 15:02:21.000000000 +0000 @@ -0,0 +1,51 @@ +From d921bc5208ce5b4e8f3e387a1d4e1f8fa4e85008 Mon Sep 17 00:00:00 2001 +From: Damian Lukowski +Date: Tue, 6 Feb 2024 15:11:09 +0100 +Subject: [PATCH] Use MIME::Entity->ambiguous_content if available + +--- + .gitlab-ci.yml | 1 + + lib/Amavis/Unpackers/MIME.pm | 20 ++++++++++++-------- + 2 files changed, 13 insertions(+), 8 deletions(-) + +--- a/.gitlab-ci.yml ++++ b/.gitlab-ci.yml +@@ -59,6 +59,7 @@ test: + libidn2-dev + libnet-libidn-perl- + - cpanm Net::LibIDN2 ++ - cpanm MIME::Tools~">= 5.514" + - dzil test + needs: [] + rules: +--- a/lib/Amavis/Unpackers/MIME.pm ++++ b/lib/Amavis/Unpackers/MIME.pm +@@ -61,16 +61,20 @@ sub mime_decode_pre_epi($$$$$) { + + sub ambiguous_content { + my $entity = shift; +- return unless $entity->is_multipart; +- my $content_type = $entity->head->get('Content-Type'); +- if ($content_type && $content_type =~ m{^multipart/\w+(.+)}x) { +- my ($params, $num) = ($1, 0); +- while ($params =~ m{\G ; \s+ (?\w+) = (?: \w+ | "(?:\\.|[^"\\])*" )}gx) { +- $num++ if lc($+{param}) eq 'boundary'; ++ if ($entity->can('ambiguous_content')) { ++ return $entity->ambiguous_content; ++ } else { ++ return unless $entity->is_multipart; ++ my $content_type = $entity->head->get('Content-Type'); ++ if ($content_type && $content_type =~ m{^multipart/\w+(.+)}x) { ++ my ($params, $num) = ($1, 0); ++ while ($params =~ m{\G ; \s+ (?\w+) = (?: \w+ | "(?:\\.|[^"\\])*" )}gx) { ++ $num++ if lc($+{param}) eq 'boundary'; ++ } ++ return $num > 1; + } +- return $num > 1; ++ return; + } +- return; + } + + # traverse MIME::Entity object depth-first, diff -Nru amavisd-new-2.13.0/debian/patches/CVE-2024-28054-3.patch amavisd-new-2.13.0/debian/patches/CVE-2024-28054-3.patch --- amavisd-new-2.13.0/debian/patches/CVE-2024-28054-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ amavisd-new-2.13.0/debian/patches/CVE-2024-28054-3.patch 2024-04-12 15:02:23.000000000 +0000 @@ -0,0 +1,73 @@ +From c6c4a4c27c60194b68b617b7d3cfb033d6c587e2 Mon Sep 17 00:00:00 2001 +From: Damian Lukowski +Date: Fri, 1 Mar 2024 14:19:46 +0100 +Subject: [PATCH] Describe CVE-2024-28054 + +--- + README_FILES/README.CVE-2024-28054 | 54 ++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + create mode 100644 README_FILES/README.CVE-2024-28054 + +diff --git a/README_FILES/README.CVE-2024-28054 b/README_FILES/README.CVE-2024-28054 +new file mode 100644 +index 0000000..757c5c1 +--- /dev/null ++++ b/README_FILES/README.CVE-2024-28054 +@@ -0,0 +1,54 @@ ++# Problem description ++ ++Emails which consist of multiple parts (`Content-Type: multipart/*`) ++incorporate boundary information stating at which point one part ends and the ++next part begins. ++ ++A boundary is announced by an Content-Type header's `boundary` parameter. To ++our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a ++parser should handle multiple boundary parameters that contain conflicting ++values. As a result, there is no canonical choice which of the values should or ++should not be used for mime part decomposition. ++ ++It turns out that MIME::Parser from MIME-tools chooses the last `boundary` ++parameter of a Content-Type-header, while several mail user agents choose the ++first occuring one. As a consequence, Amavis will apply some of its routines to ++content that a receiving MUA will not see, and vice-versa will not apply them ++to content that the receiving MUA will see. Such routines are at least ++- the banned-files check, and ++- the virus check, unless ++ - Amavis feeds the whole email into the virus scanner, and ++ - the virus scanner implements its own email parsing that aligns with the ++ receiving MUA's parser implementation. ++ ++MIME::Parser does not provide a choice which of multiple `boundary` parameters ++shall be used for parsing, but it will give feedback in such a case [1], which ++Amavis can react to. ++Emails with ambiguous content, like multiple `boundary` parameters as described ++above, will be categorized as `CC_UNCHECKED,3`, since Amavis has no information ++about the recipient's MUA's parser implementation. ++ ++# Recommendation ++ ++Legitimate emails are not expected to have ambiguous content, so an Amavis setup ++should treat them harshly. The new default configuration for `CC_UNCHECKED,3` is ++defanging: ++ ++``` ++$defang_by_ccat{CC_UNCHECKED.",3"} = 1; # ambiguous content (e.g. multipart boundary) ++``` ++ ++Another possibility would be quarantining, e.g. via ++ ++``` ++$quarantine_to_maps_by_ccat{CC_UNCHECKED.",3"} = [1]; ++$quarantine_method_by_ccat{CC_UNCHECKED.",3"} = 'local:unchecked-ambiguous-%m'; ++``` ++ ++and/or discarding/rejecting the email: ++ ++``` ++$final_destiny_maps_by_ccat{CC_UNCHECKED.",3"} = D_REJECT; # or D_DISCARD ++``` ++ ++[1] https://metacpan.org/release/DSKOLL/MIME-tools-5.514/changes +-- +GitLab + diff -Nru amavisd-new-2.13.0/debian/patches/series amavisd-new-2.13.0/debian/patches/series --- amavisd-new-2.13.0/debian/patches/series 2023-07-17 21:17:01.000000000 +0000 +++ amavisd-new-2.13.0/debian/patches/series 2024-04-12 15:02:23.000000000 +0000 @@ -7,3 +7,6 @@ 85-clarify_fqdn_error.patch 90_fix_snmp_subagent_warning 95_amavisd_helpers_fixes +CVE-2024-28054-1.patch +CVE-2024-28054-2.patch +CVE-2024-28054-3.patch