From: "Lars Wendler" <polynomial-c@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-libs/libetpan/, net-libs/libetpan/files/
Date: Mon, 27 Jul 2020 18:30:41 +0000 (UTC) [thread overview]
Message-ID: <1595874634.d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66.polynomial-c@gentoo> (raw)
commit: d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 27 18:29:18 2020 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Jul 27 18:30:34 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7fe2e20
net-libs/libetpan: Security revbump to fix CVE-2020-15953
Bug: https://bugs.gentoo.org/734130
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
.../files/libetpan-1.9.4-CVE-2020-15953.patch | 86 ++++++++++++++++++++++
net-libs/libetpan/libetpan-1.9.4-r1.ebuild | 78 ++++++++++++++++++++
2 files changed, 164 insertions(+)
diff --git a/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch b/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch
new file mode 100644
index 00000000000..19e573569fa
--- /dev/null
+++ b/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch
@@ -0,0 +1,86 @@
+From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <duesee@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: [PATCH 1/2] Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index bb17119..4ffcf55 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
+
+ mailimap_response_free(response);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->imap_stream->read_buffer_len != 0) {
++ // Since it is also an IMAP protocol violation, exit.
++ return MAILIMAP_ERROR_STARTTLS;
++ }
++
+ switch (error_code) {
+ case MAILIMAP_RESP_COND_STATE_OK:
+ return MAILIMAP_NO_ERROR;
+--
+2.28.0
+
+
+From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <Murgeye@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: [PATCH 2/2] Detect extra data after STARTTLS responses in SMTP and
+ POP3 and exit (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+
+ if (r != RESPONSE_OK)
+ return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++ // Detect if the server send extra data after the STLS response.
++ // This *may* be a "response injection attack".
++ if (f->pop3_stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no error type for STARTTLS errors in POP3
++ return MAILPOP3_ERROR_SSL;
++ }
+
+ return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index b7fc459..3145cad 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
+ return MAILSMTP_ERROR_STREAM;
+ r = read_response(session);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no general error type for STARTTLS errors in SMTP
++ return MAILSMTP_ERROR_SSL;
++ }
++
+ switch (r) {
+ case 220:
+ return MAILSMTP_NO_ERROR;
+--
+2.28.0
+
diff --git a/net-libs/libetpan/libetpan-1.9.4-r1.ebuild b/net-libs/libetpan/libetpan-1.9.4-r1.ebuild
new file mode 100644
index 00000000000..9c243979d6d
--- /dev/null
+++ b/net-libs/libetpan/libetpan-1.9.4-r1.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit autotools
+
+DESCRIPTION="A portable, efficient middleware for different kinds of mail access"
+HOMEPAGE="http://libetpan.sourceforge.net/"
+SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
+IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
+
+# BerkDB is only supported up to version 6.0
+DEPEND="sys-libs/zlib
+ !lmdb? ( berkdb? ( sys-libs/db:= ) )
+ lmdb? ( dev-db/lmdb )
+ ssl? (
+ gnutls? ( net-libs/gnutls:= )
+ !gnutls? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
+ )
+ sasl? ( dev-libs/cyrus-sasl:2 )
+ liblockfile? ( net-libs/liblockfile )"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.0-nonnull.patch
+ "${FILESDIR}"/${PN}-1.9.4-berkdb_lookup.patch #519846
+ "${FILESDIR}"/${PN}-1.9.4-pkgconfig_file_no_ldflags.patch
+ "${FILESDIR}"/${P}-CVE-2020-15953.patch #734130
+)
+
+pkg_pretend() {
+ if use gnutls && ! use ssl ; then
+ ewarn "You have \"gnutls\" USE flag enabled but \"ssl\" USE flag disabled!"
+ ewarn "No ssl support will be available in ${PN}."
+ fi
+
+ if use berkdb && use lmdb ; then
+ ewarn "You have \"berkdb\" _and_ \"lmdb\" USE flags enabled."
+ ewarn "Using lmdb as cache DB!"
+ fi
+}
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # in Prefix emake uses SHELL=${BASH}, export CONFIG_SHELL to the same so
+ # libtool recognises it as valid shell (bug #300211)
+ use prefix && export CONFIG_SHELL=${BASH}
+ local myeconfargs=(
+ # --enable-debug simply injects "-O2 -g" into CFLAGS
+ --disable-debug
+ $(use_enable ipv6)
+ $(use_enable liblockfile lockfile)
+ $(use_enable static-libs static)
+ $(use_with sasl)
+ $(usex lmdb '--enable-lmdb --disable-db' "$(use_enable berkdb db) --disable-lmdb")
+ $(usex ssl "$(use_with gnutls) $(use_with !gnutls openssl)" '--without-gnutls --without-openssl')
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+ find "${ED}" -name "*.la" -delete || die
+ if ! use static-libs ; then
+ find "${ED}" -name "*.a" -delete || die
+ fi
+}
next reply other threads:[~2020-07-27 18:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 18:30 Lars Wendler [this message]
-- strict thread matches above, loose matches on Subject: below --
2020-07-30 21:15 [gentoo-commits] repo/gentoo:master commit in: net-libs/libetpan/, net-libs/libetpan/files/ Lars Wendler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1595874634.d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66.polynomial-c@gentoo \
--to=polynomial-c@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox