* [gentoo-commits] repo/gentoo:master commit in: net-libs/libetpan/, net-libs/libetpan/files/
@ 2020-07-27 18:30 Lars Wendler
From: Lars Wendler @ 2020-07-27 18:30 UTC (permalink / raw
To: gentoo-commits
commit: d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 27 18:29:18 2020 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Jul 27 18:30:34 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7fe2e20
net-libs/libetpan: Security revbump to fix CVE-2020-15953
Bug: https://bugs.gentoo.org/734130
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
.../files/libetpan-1.9.4-CVE-2020-15953.patch | 86 ++++++++++++++++++++++
net-libs/libetpan/libetpan-1.9.4-r1.ebuild | 78 ++++++++++++++++++++
2 files changed, 164 insertions(+)
diff --git a/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch b/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch
new file mode 100644
index 00000000000..19e573569fa
--- /dev/null
+++ b/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch
@@ -0,0 +1,86 @@
+From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <duesee@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: [PATCH 1/2] Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index bb17119..4ffcf55 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
+
+ mailimap_response_free(response);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->imap_stream->read_buffer_len != 0) {
++ // Since it is also an IMAP protocol violation, exit.
++ return MAILIMAP_ERROR_STARTTLS;
++ }
++
+ switch (error_code) {
+ case MAILIMAP_RESP_COND_STATE_OK:
+ return MAILIMAP_NO_ERROR;
+--
+2.28.0
+
+
+From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <Murgeye@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: [PATCH 2/2] Detect extra data after STARTTLS responses in SMTP and
+ POP3 and exit (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+
+ if (r != RESPONSE_OK)
+ return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++ // Detect if the server send extra data after the STLS response.
++ // This *may* be a "response injection attack".
++ if (f->pop3_stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no error type for STARTTLS errors in POP3
++ return MAILPOP3_ERROR_SSL;
++ }
+
+ return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index b7fc459..3145cad 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
+ return MAILSMTP_ERROR_STREAM;
+ r = read_response(session);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no general error type for STARTTLS errors in SMTP
++ return MAILSMTP_ERROR_SSL;
++ }
++
+ switch (r) {
+ case 220:
+ return MAILSMTP_NO_ERROR;
+--
+2.28.0
+
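Review bot: The three added `read_buffer_len != 0` checks (in `mailimap_starttls`, `mailpop3_stls` and `mailesmtp_starttls`) return an error but leave the unread pre-TLS bytes in the stream buffer, so the fix only holds if every caller treats the error as fatal and closes the connection instead of continuing on the same stream; the callers are outside this patch, so that should be confirmed. I would state the contract at each check, e.g. `// Caller must close the connection: the bytes received before the TLS handshake are still buffered.` The placement also differs: the IMAP and SMTP checks run before the `switch` on the server reply, while the POP3 check runs only after the `r != RESPONSE_OK` return, so on IMAP and SMTP a refused STARTTLS with trailing data is reported as `MAILIMAP_ERROR_STARTTLS` / `MAILSMTP_ERROR_SSL` rather than as the refusal. That fails closed, but a one-line comment saying the ordering is deliberate would help. All three function bodies start outside the quoted hunks.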
diff --git a/net-libs/libetpan/libetpan-1.9.4-r1.ebuild b/net-libs/libetpan/libetpan-1.9.4-r1.ebuild
new file mode 100644
index 00000000000..9c243979d6d
--- /dev/null
+++ b/net-libs/libetpan/libetpan-1.9.4-r1.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit autotools
+
+DESCRIPTION="A portable, efficient middleware for different kinds of mail access"
+HOMEPAGE="http://libetpan.sourceforge.net/"
+SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
+IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
+
+# BerkDB is only supported up to version 6.0
+DEPEND="sys-libs/zlib
+ !lmdb? ( berkdb? ( sys-libs/db:= ) )
+ lmdb? ( dev-db/lmdb )
+ ssl? (
+ gnutls? ( net-libs/gnutls:= )
+ !gnutls? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
+ )
+ sasl? ( dev-libs/cyrus-sasl:2 )
+ liblockfile? ( net-libs/liblockfile )"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.0-nonnull.patch
+ "${FILESDIR}"/${PN}-1.9.4-berkdb_lookup.patch #519846
+ "${FILESDIR}"/${PN}-1.9.4-pkgconfig_file_no_ldflags.patch
+ "${FILESDIR}"/${P}-CVE-2020-15953.patch #734130
+)
+
+pkg_pretend() {
+ if use gnutls && ! use ssl ; then
+ ewarn "You have \"gnutls\" USE flag enabled but \"ssl\" USE flag disabled!"
+ ewarn "No ssl support will be available in ${PN}."
+ fi
+
+ if use berkdb && use lmdb ; then
+ ewarn "You have \"berkdb\" _and_ \"lmdb\" USE flags enabled."
+ ewarn "Using lmdb as cache DB!"
+ fi
+}
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # in Prefix emake uses SHELL=${BASH}, export CONFIG_SHELL to the same so
+ # libtool recognises it as valid shell (bug #300211)
+ use prefix && export CONFIG_SHELL=${BASH}
+ local myeconfargs=(
+ # --enable-debug simply injects "-O2 -g" into CFLAGS
+ --disable-debug
+ $(use_enable ipv6)
+ $(use_enable liblockfile lockfile)
+ $(use_enable static-libs static)
+ $(use_with sasl)
+ $(usex lmdb '--enable-lmdb --disable-db' "$(use_enable berkdb db) --disable-lmdb")
+ $(usex ssl "$(use_with gnutls) $(use_with !gnutls openssl)" '--without-gnutls --without-openssl')
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+ find "${ED}" -name "*.la" -delete || die
+ if ! use static-libs ; then
+ find "${ED}" -name "*.a" -delete || die
+ fi
+}
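Review bot: The comment `# BerkDB is only supported up to version 6.0` above `DEPEND` does not match the dependency below it, which is the unbounded `sys-libs/db:=`. If the `berkdb_lookup` patch listed in `PATCHES` is what lifted the limit (an inference, since that patch is not shown here), drop or reword the comment, for example `# BerkDB lookup is fixed by ${PN}-1.9.4-berkdb_lookup.patch (bug #519846)`. Otherwise the atom needs an upper bound such as the `<sys-libs/db-6.1:=` used by the 1.9.3 ebuild.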
* [gentoo-commits] repo/gentoo:master commit in: net-libs/libetpan/, net-libs/libetpan/files/
@ 2020-07-30 21:15 Lars Wendler
From: Lars Wendler @ 2020-07-30 21:15 UTC (permalink / raw
To: gentoo-commits
commit: 8bd0471b2367f4fa7a9f12bf333178b4f7e33f90
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Thu Jul 30 21:15:03 2020 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 21:15:33 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0471b
net-libs/libetpan: Security cleanup
Bug: https://bugs.gentoo.org/734130
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
net-libs/libetpan/Manifest | 1 -
.../files/libetpan-1.9.3-missing-stddev_h.patch | 30 ---------
net-libs/libetpan/libetpan-1.9.3.ebuild | 77 ----------------------
net-libs/libetpan/libetpan-1.9.4.ebuild | 77 ----------------------
4 files changed, 185 deletions(-)
diff --git a/net-libs/libetpan/Manifest b/net-libs/libetpan/Manifest
index d37beb8e3f4..667fb19ac96 100644
--- a/net-libs/libetpan/Manifest
+++ b/net-libs/libetpan/Manifest
@@ -1,2 +1 @@
-DIST libetpan-1.9.3.tar.gz 5000049 BLAKE2B 1664d93b112410a86935438aae5ff40202a9c10675701d40b60edf81e4f8bac45fb1f407e03714a37465c41a22c1b9fcbbc517d76dc47f812e154c932e05e600 SHA512 66e504fbf82445819845a3f1dcb8dc48ad2440993134d43752c754463cee2434a30080718687cd05c579f0da8df6b0f6dfc7572f2882d0dd9dfd327b4ae11fd6
DIST libetpan-1.9.4.tar.gz 5000025 BLAKE2B dd98169134b7448d3dd129814d8011a3fa915b16f4763344230a89d02626b64ddea57495b4c21fd8f651164c36c95ad98ee9db073273b230e6af403b845aa681 SHA512 7b7047d084fb4ce0c91821c2ad78e921d6d009106851afb7f5b068713c84ebe6926f6bf7a7423f263eeebef617511e44f6b65448d892bbc058c447235fd55c0f
diff --git a/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch b/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch
deleted file mode 100644
index 9d53f90190b..00000000000
--- a/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-commit da9fd7839c9affea48f74a159a789fbb183b4be1
-Author: maxice8 <30738253+maxice8@users.noreply.github.com>
-Date: Fri Feb 1 01:58:08 2019 -0200
-
- add missing stddef.h include for 'NULL' (#322)
-
- clientid.c: In function 'mailimap_clientid':
- clientid.c:66:38: error: 'NULL' undeclared (first use in this function)
- if (mailimap_read_line(session) == NULL)
- ^~~~
- clientid.c:66:38: note: 'NULL' is defined in header '<stddef.h>'; did you forget to '#include <stddef.h>'?
- clientid.c:39:1:
- +#include <stddef.h>
-
- clientid.c:66:38:
- if (mailimap_read_line(session) == NULL)
-
-diff --git a/src/low-level/imap/clientid.c b/src/low-level/imap/clientid.c
-index 1c34637..38880dd 100644
---- a/src/low-level/imap/clientid.c
-+++ b/src/low-level/imap/clientid.c
-@@ -33,6 +33,8 @@
- # include <config.h>
- #endif
-
-+#include <stdlib.h>
-+
- #include "mailimap_sender.h"
- #include "clientid_sender.h"
- #include "clientid.h"
diff --git a/net-libs/libetpan/libetpan-1.9.3.ebuild b/net-libs/libetpan/libetpan-1.9.3.ebuild
deleted file mode 100644
index 8fb6d3cd1d9..00000000000
--- a/net-libs/libetpan/libetpan-1.9.3.ebuild
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-inherit autotools
-
-DESCRIPTION="A portable, efficient middleware for different kinds of mail access"
-HOMEPAGE="http://libetpan.sourceforge.net/"
-SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="~alpha amd64 ~arm hppa ~mips ppc ppc64 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
-IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
-
-# BerkDB is only supported up to version 6.0
-DEPEND="sys-libs/zlib
- !lmdb? ( berkdb? ( <sys-libs/db-6.1:= ) )
- lmdb? ( dev-db/lmdb )
- ssl? (
- gnutls? ( net-libs/gnutls:= )
- !gnutls? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- )
- sasl? ( dev-libs/cyrus-sasl:2 )
- liblockfile? ( net-libs/liblockfile )"
-RDEPEND="${DEPEND}"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.0-nonnull.patch
- "${FILESDIR}"/${PN}-1.9.3-missing-stddev_h.patch
-)
-
-pkg_pretend() {
- if use gnutls && ! use ssl ; then
- ewarn "You have \"gnutls\" USE flag enabled but \"ssl\" USE flag disabled!"
- ewarn "No ssl support will be available in ${PN}."
- fi
-
- if use berkdb && use lmdb ; then
- ewarn "You have \"berkdb\" _and_ \"lmdb\" USE flags enabled."
- ewarn "Using lmdb as cache DB!"
- fi
-}
-
-src_prepare() {
- default
- eautoreconf
-}
-
-src_configure() {
- # in Prefix emake uses SHELL=${BASH}, export CONFIG_SHELL to the same so
- # libtool recognises it as valid shell (bug #300211)
- use prefix && export CONFIG_SHELL=${BASH}
- local myeconfargs=(
- # --enable-debug simply injects "-O2 -g" into CFLAGS
- --disable-debug
- $(use_enable berkdb db)
- $(use_enable ipv6)
- $(use_enable liblockfile lockfile)
- $(use_enable lmdb)
- $(use_enable static-libs static)
- $(use_with sasl)
- $(usex ssl "$(use_with gnutls) $(use_with !gnutls openssl)" '--without-gnutls --without-openssl')
- )
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
- find "${ED}" -name "*.la" -delete || die
- if ! use static-libs ; then
- find "${ED}" -name "*.a" -delete || die
- fi
-}
diff --git a/net-libs/libetpan/libetpan-1.9.4.ebuild b/net-libs/libetpan/libetpan-1.9.4.ebuild
deleted file mode 100644
index 373a43129b3..00000000000
--- a/net-libs/libetpan/libetpan-1.9.4.ebuild
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-inherit autotools
-
-DESCRIPTION="A portable, efficient middleware for different kinds of mail access"
-HOMEPAGE="http://libetpan.sourceforge.net/"
-SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
-IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
-
-# BerkDB is only supported up to version 6.0
-DEPEND="sys-libs/zlib
- !lmdb? ( berkdb? ( sys-libs/db:= ) )
- lmdb? ( dev-db/lmdb )
- ssl? (
- gnutls? ( net-libs/gnutls:= )
- !gnutls? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- )
- sasl? ( dev-libs/cyrus-sasl:2 )
- liblockfile? ( net-libs/liblockfile )"
-RDEPEND="${DEPEND}"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.0-nonnull.patch
- "${FILESDIR}"/${PN}-1.9.4-berkdb_lookup.patch #519846
- "${FILESDIR}"/${PN}-1.9.4-pkgconfig_file_no_ldflags.patch
-)
-
-pkg_pretend() {
- if use gnutls && ! use ssl ; then
- ewarn "You have \"gnutls\" USE flag enabled but \"ssl\" USE flag disabled!"
- ewarn "No ssl support will be available in ${PN}."
- fi
-
- if use berkdb && use lmdb ; then
- ewarn "You have \"berkdb\" _and_ \"lmdb\" USE flags enabled."
- ewarn "Using lmdb as cache DB!"
- fi
-}
-
-src_prepare() {
- default
- eautoreconf
-}
-
-src_configure() {
- # in Prefix emake uses SHELL=${BASH}, export CONFIG_SHELL to the same so
- # libtool recognises it as valid shell (bug #300211)
- use prefix && export CONFIG_SHELL=${BASH}
- local myeconfargs=(
- # --enable-debug simply injects "-O2 -g" into CFLAGS
- --disable-debug
- $(use_enable ipv6)
- $(use_enable liblockfile lockfile)
- $(use_enable static-libs static)
- $(use_with sasl)
- $(usex lmdb '--enable-lmdb --disable-db' "$(use_enable berkdb db) --disable-lmdb")
- $(usex ssl "$(use_with gnutls) $(use_with !gnutls openssl)" '--without-gnutls --without-openssl')
- )
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
- find "${ED}" -name "*.la" -delete || die
- if ! use static-libs ; then
- find "${ED}" -name "*.a" -delete || die
- fi
-}