* [gentoo-commits] repo/gentoo:master commit in: net-libs/libetpan/, net-libs/libetpan/files/
@ 2020-07-27 18:30 Lars Wendler
From: Lars Wendler @ 2020-07-27 18:30 UTC
  To: gentoo-commits

commit:     d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 27 18:29:18 2020 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Jul 27 18:30:34 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7fe2e20

net-libs/libetpan: Security revbump to fix CVE-2020-15953

Bug: https://bugs.gentoo.org/734130
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 .../files/libetpan-1.9.4-CVE-2020-15953.patch      | 86 ++++++++++++++++++++++
 net-libs/libetpan/libetpan-1.9.4-r1.ebuild         | 78 ++++++++++++++++++++
 2 files changed, 164 insertions(+)

diff --git a/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch b/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch
new file mode 100644
index 00000000000..19e573569fa
--- /dev/null
+++ b/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch
@@ -0,0 +1,86 @@
+From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <duesee@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: [PATCH 1/2] Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index bb17119..4ffcf55 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
+ 
+   mailimap_response_free(response);
+ 
++  // Detect if the server send extra data after the STARTTLS response.
++  // This *may* be a "response injection attack".
++  if (session->imap_stream->read_buffer_len != 0) {
++      // Since it is also an IMAP protocol violation, exit.
++      return MAILIMAP_ERROR_STARTTLS;
++  }
++
+   switch (error_code) {
+   case MAILIMAP_RESP_COND_STATE_OK:
+     return MAILIMAP_NO_ERROR;
+-- 
+2.28.0
+
+
+From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <Murgeye@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: [PATCH 2/2] Detect extra data after STARTTLS responses in SMTP and
+ POP3 and exit (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+ 
+   if (r != RESPONSE_OK)
+     return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++  // Detect if the server send extra data after the STLS response.
++  // This *may* be a "response injection attack".
++  if (f->pop3_stream->read_buffer_len != 0) {
++    // Since it is also protocol violation, exit.
++    // There is no error type for STARTTLS errors in POP3
++    return MAILPOP3_ERROR_SSL;
++  }
+   
+   return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index b7fc459..3145cad 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
+     return MAILSMTP_ERROR_STREAM;
+   r = read_response(session);
+ 
++  // Detect if the server send extra data after the STARTTLS response.
++  // This *may* be a "response injection attack".
++  if (session->stream->read_buffer_len != 0) {
++    // Since it is also protocol violation, exit.
++    // There is no general error type for STARTTLS errors in SMTP
++    return MAILSMTP_ERROR_SSL;
++  }
++
+   switch (r) {
+   case 220:
+     return MAILSMTP_NO_ERROR;
+-- 
+2.28.0
+
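Review bot: The guards added in mailimap_starttls, mailpop3_stls and mailesmtp_starttls only inspect the bytes the library has already buffered (`read_buffer_len != 0`), so they catch injected data only when it arrived in the same read as the STARTTLS/STLS response; bytes still unread on the socket at that moment are not seen by this check. Whether that is sufficient depends on the stream layer discarding, or at least never reusing, the plaintext read buffer once the TLS handshake begins, which these hunks do not show; a comment making that dependency explicit would help the next maintainer, e.g. `// Best-effort check: only already-buffered bytes are inspected; the plaintext read buffer must not be reused after the TLS handshake.` The POP3 and SMTP branches return MAILPOP3_ERROR_SSL / MAILSMTP_ERROR_SSL for what is a pre-TLS protocol violation, which the inline comments acknowledge, so callers logging these codes cannot tell an injection attempt from an ordinary handshake failure; if a dedicated code is not an option, the header documenting those constants should mention this second meaning. All three enclosing functions start and end outside the embedded hunks.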

diff --git a/net-libs/libetpan/libetpan-1.9.4-r1.ebuild b/net-libs/libetpan/libetpan-1.9.4-r1.ebuild
new file mode 100644
index 00000000000..9c243979d6d
--- /dev/null
+++ b/net-libs/libetpan/libetpan-1.9.4-r1.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit autotools
+
+DESCRIPTION="A portable, efficient middleware for different kinds of mail access"
+HOMEPAGE="http://libetpan.sourceforge.net/"
+SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
+IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
+
+# BerkDB is only supported up to version 6.0
+DEPEND="sys-libs/zlib
+	!lmdb? ( berkdb? ( sys-libs/db:= ) )
+	lmdb? ( dev-db/lmdb )
+	ssl? (
+		gnutls? ( net-libs/gnutls:= )
+		!gnutls? (
+			!libressl? ( dev-libs/openssl:0= )
+			libressl? ( dev-libs/libressl:0= )
+		)
+	)
+	sasl? ( dev-libs/cyrus-sasl:2 )
+	liblockfile? ( net-libs/liblockfile )"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.0-nonnull.patch
+	"${FILESDIR}"/${PN}-1.9.4-berkdb_lookup.patch #519846
+	"${FILESDIR}"/${PN}-1.9.4-pkgconfig_file_no_ldflags.patch
+	"${FILESDIR}"/${P}-CVE-2020-15953.patch #734130
+)
+
+pkg_pretend() {
+	if use gnutls && ! use ssl ; then
+		ewarn "You have \"gnutls\" USE flag enabled but \"ssl\" USE flag disabled!"
+		ewarn "No ssl support will be available in ${PN}."
+	fi
+
+	if use berkdb && use lmdb ; then
+		ewarn "You have \"berkdb\" _and_ \"lmdb\" USE flags enabled."
+		ewarn "Using lmdb as cache DB!"
+	fi
+}
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# in Prefix emake uses SHELL=${BASH}, export CONFIG_SHELL to the same so
+	# libtool recognises it as valid shell (bug #300211)
+	use prefix && export CONFIG_SHELL=${BASH}
+	local myeconfargs=(
+		# --enable-debug simply injects "-O2 -g" into CFLAGS
+		--disable-debug
+		$(use_enable ipv6)
+		$(use_enable liblockfile lockfile)
+		$(use_enable static-libs static)
+		$(use_with sasl)
+		$(usex lmdb '--enable-lmdb --disable-db' "$(use_enable berkdb db) --disable-lmdb")
+		$(usex ssl "$(use_with gnutls) $(use_with !gnutls openssl)" '--without-gnutls --without-openssl')
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+	find "${ED}" -name "*.la" -delete || die
+	if ! use static-libs ; then
+		find "${ED}" -name "*.a" -delete || die
+	fi
+}
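Review bot: The comment `# BerkDB is only supported up to version 6.0` above DEPEND does not match the atom it annotates, which is the unbounded `sys-libs/db:=`; the 1.9.3 ebuild removed later in this thread carried `<sys-libs/db-6.1:=`, so the bound appears to have been dropped while the comment was kept. If the berkdb_lookup patch (#519846) is what lifted that limit, the comment should say so, e.g. `# newer BerkDB handled by ${PN}-1.9.4-berkdb_lookup.patch (#519846)`; otherwise the upper bound should be restored. This is carried over verbatim from the 1.9.4 ebuild rather than introduced here, but a revbump already touching PATCHES is a cheap place to fix it.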



* [gentoo-commits] repo/gentoo:master commit in: net-libs/libetpan/, net-libs/libetpan/files/
@ 2020-07-30 21:15 Lars Wendler
From: Lars Wendler @ 2020-07-30 21:15 UTC
  To: gentoo-commits

commit:     8bd0471b2367f4fa7a9f12bf333178b4f7e33f90
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Thu Jul 30 21:15:03 2020 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 21:15:33 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0471b

net-libs/libetpan: Security cleanup

Bug: https://bugs.gentoo.org/734130
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 net-libs/libetpan/Manifest                         |  1 -
 .../files/libetpan-1.9.3-missing-stddev_h.patch    | 30 ---------
 net-libs/libetpan/libetpan-1.9.3.ebuild            | 77 ----------------------
 net-libs/libetpan/libetpan-1.9.4.ebuild            | 77 ----------------------
 4 files changed, 185 deletions(-)

diff --git a/net-libs/libetpan/Manifest b/net-libs/libetpan/Manifest
index d37beb8e3f4..667fb19ac96 100644
--- a/net-libs/libetpan/Manifest
+++ b/net-libs/libetpan/Manifest
@@ -1,2 +1 @@
-DIST libetpan-1.9.3.tar.gz 5000049 BLAKE2B 1664d93b112410a86935438aae5ff40202a9c10675701d40b60edf81e4f8bac45fb1f407e03714a37465c41a22c1b9fcbbc517d76dc47f812e154c932e05e600 SHA512 66e504fbf82445819845a3f1dcb8dc48ad2440993134d43752c754463cee2434a30080718687cd05c579f0da8df6b0f6dfc7572f2882d0dd9dfd327b4ae11fd6
 DIST libetpan-1.9.4.tar.gz 5000025 BLAKE2B dd98169134b7448d3dd129814d8011a3fa915b16f4763344230a89d02626b64ddea57495b4c21fd8f651164c36c95ad98ee9db073273b230e6af403b845aa681 SHA512 7b7047d084fb4ce0c91821c2ad78e921d6d009106851afb7f5b068713c84ebe6926f6bf7a7423f263eeebef617511e44f6b65448d892bbc058c447235fd55c0f

diff --git a/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch b/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch
deleted file mode 100644
index 9d53f90190b..00000000000
--- a/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-commit da9fd7839c9affea48f74a159a789fbb183b4be1
-Author: maxice8 <30738253+maxice8@users.noreply.github.com>
-Date:   Fri Feb 1 01:58:08 2019 -0200
-
-    add missing stddef.h include for 'NULL' (#322)
-    
-    clientid.c: In function 'mailimap_clientid':
-    clientid.c:66:38: error: 'NULL' undeclared (first use in this function)
-       if (mailimap_read_line(session) == NULL)
-                                          ^~~~
-    clientid.c:66:38: note: 'NULL' is defined in header '<stddef.h>'; did you forget to '#include <stddef.h>'?
-    clientid.c:39:1:
-    +#include <stddef.h>
-    
-    clientid.c:66:38:
-       if (mailimap_read_line(session) == NULL)
-
-diff --git a/src/low-level/imap/clientid.c b/src/low-level/imap/clientid.c
-index 1c34637..38880dd 100644
---- a/src/low-level/imap/clientid.c
-+++ b/src/low-level/imap/clientid.c
-@@ -33,6 +33,8 @@
- #	include <config.h>
- #endif
- 
-+#include <stdlib.h>
-+
- #include "mailimap_sender.h"
- #include "clientid_sender.h"
- #include "clientid.h"

diff --git a/net-libs/libetpan/libetpan-1.9.3.ebuild b/net-libs/libetpan/libetpan-1.9.3.ebuild
deleted file mode 100644
index 8fb6d3cd1d9..00000000000
--- a/net-libs/libetpan/libetpan-1.9.3.ebuild
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-inherit autotools
-
-DESCRIPTION="A portable, efficient middleware for different kinds of mail access"
-HOMEPAGE="http://libetpan.sourceforge.net/"
-SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="~alpha amd64 ~arm hppa ~mips ppc ppc64 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
-IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
-
-# BerkDB is only supported up to version 6.0
-DEPEND="sys-libs/zlib
-	!lmdb? ( berkdb? ( <sys-libs/db-6.1:= ) )
-	lmdb? ( dev-db/lmdb )
-	ssl? (
-		gnutls? ( net-libs/gnutls:= )
-		!gnutls? (
-			!libressl? ( dev-libs/openssl:0= )
-			libressl? ( dev-libs/libressl:0= )
-		)
-	)
-	sasl? ( dev-libs/cyrus-sasl:2 )
-	liblockfile? ( net-libs/liblockfile )"
-RDEPEND="${DEPEND}"
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-1.0-nonnull.patch
-	"${FILESDIR}"/${PN}-1.9.3-missing-stddev_h.patch
-)
-
-pkg_pretend() {
-	if use gnutls && ! use ssl ; then
-		ewarn "You have \"gnutls\" USE flag enabled but \"ssl\" USE flag disabled!"
-		ewarn "No ssl support will be available in ${PN}."
-	fi
-
-	if use berkdb && use lmdb ; then
-		ewarn "You have \"berkdb\" _and_ \"lmdb\" USE flags enabled."
-		ewarn "Using lmdb as cache DB!"
-	fi
-}
-
-src_prepare() {
-	default
-	eautoreconf
-}
-
-src_configure() {
-	# in Prefix emake uses SHELL=${BASH}, export CONFIG_SHELL to the same so
-	# libtool recognises it as valid shell (bug #300211)
-	use prefix && export CONFIG_SHELL=${BASH}
-	local myeconfargs=(
-		# --enable-debug simply injects "-O2 -g" into CFLAGS
-		--disable-debug
-		$(use_enable berkdb db)
-		$(use_enable ipv6)
-		$(use_enable liblockfile lockfile)
-		$(use_enable lmdb)
-		$(use_enable static-libs static)
-		$(use_with sasl)
-		$(usex ssl "$(use_with gnutls) $(use_with !gnutls openssl)" '--without-gnutls --without-openssl')
-	)
-	econf "${myeconfargs[@]}"
-}
-
-src_install() {
-	default
-	find "${ED}" -name "*.la" -delete || die
-	if ! use static-libs ; then
-		find "${ED}" -name "*.a" -delete || die
-	fi
-}

diff --git a/net-libs/libetpan/libetpan-1.9.4.ebuild b/net-libs/libetpan/libetpan-1.9.4.ebuild
deleted file mode 100644
index 373a43129b3..00000000000
--- a/net-libs/libetpan/libetpan-1.9.4.ebuild
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-inherit autotools
-
-DESCRIPTION="A portable, efficient middleware for different kinds of mail access"
-HOMEPAGE="http://libetpan.sourceforge.net/"
-SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
-IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
-
-# BerkDB is only supported up to version 6.0
-DEPEND="sys-libs/zlib
-	!lmdb? ( berkdb? ( sys-libs/db:= ) )
-	lmdb? ( dev-db/lmdb )
-	ssl? (
-		gnutls? ( net-libs/gnutls:= )
-		!gnutls? (
-			!libressl? ( dev-libs/openssl:0= )
-			libressl? ( dev-libs/libressl:0= )
-		)
-	)
-	sasl? ( dev-libs/cyrus-sasl:2 )
-	liblockfile? ( net-libs/liblockfile )"
-RDEPEND="${DEPEND}"
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-1.0-nonnull.patch
-	"${FILESDIR}"/${PN}-1.9.4-berkdb_lookup.patch #519846
-	"${FILESDIR}"/${PN}-1.9.4-pkgconfig_file_no_ldflags.patch
-)
-
-pkg_pretend() {
-	if use gnutls && ! use ssl ; then
-		ewarn "You have \"gnutls\" USE flag enabled but \"ssl\" USE flag disabled!"
-		ewarn "No ssl support will be available in ${PN}."
-	fi
-
-	if use berkdb && use lmdb ; then
-		ewarn "You have \"berkdb\" _and_ \"lmdb\" USE flags enabled."
-		ewarn "Using lmdb as cache DB!"
-	fi
-}
-
-src_prepare() {
-	default
-	eautoreconf
-}
-
-src_configure() {
-	# in Prefix emake uses SHELL=${BASH}, export CONFIG_SHELL to the same so
-	# libtool recognises it as valid shell (bug #300211)
-	use prefix && export CONFIG_SHELL=${BASH}
-	local myeconfargs=(
-		# --enable-debug simply injects "-O2 -g" into CFLAGS
-		--disable-debug
-		$(use_enable ipv6)
-		$(use_enable liblockfile lockfile)
-		$(use_enable static-libs static)
-		$(use_with sasl)
-		$(usex lmdb '--enable-lmdb --disable-db' "$(use_enable berkdb db) --disable-lmdb")
-		$(usex ssl "$(use_with gnutls) $(use_with !gnutls openssl)" '--without-gnutls --without-openssl')
-	)
-	econf "${myeconfargs[@]}"
-}
-
-src_install() {
-	default
-	find "${ED}" -name "*.la" -delete || die
-	if ! use static-libs ; then
-		find "${ED}" -name "*.a" -delete || die
-	fi
-}


