summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLéo Le Bouter <lle-bout@zaclys.net>2021-03-11 01:10:29 +0100
committerLéo Le Bouter <lle-bout@zaclys.net>2021-03-11 01:19:40 +0100
commitc35f87bb1a300c6bde538eaa927a0f7311fb09a0 (patch)
tree0dc58a56765a8a10cf29fd6ba6a223dbbcbbb0f2
parent24f0bb21ab338994187456eacb69d1162fdd1af5 (diff)
gnu: evolution-data-server: Fix CVE-2020-14928 and CVE-2020-16117.
* gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch, gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch: New patches. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/gnome.scm (evolution-data-server): Apply them.
-rw-r--r--gnu/local.mk2
-rw-r--r--gnu/packages/gnome.scm4
-rw-r--r--gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch115
-rw-r--r--gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch28
4 files changed, 148 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 39037d3499..e24cee8ecf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -973,6 +973,8 @@ dist_patch_DATA = \
%D%/packages/patches/erlang-man-path.patch \
%D%/packages/patches/eudev-rules-directory.patch \
%D%/packages/patches/evilwm-lost-focus-bug.patch \
+ %D%/packages/patches/evolution-data-server-CVE-2020-14928.patch \
+ %D%/packages/patches/evolution-data-server-CVE-2020-16117.patch \
%D%/packages/patches/evolution-data-server-locales.patch \
%D%/packages/patches/evolution-data-server-libical-compat.patch \
%D%/packages/patches/exercism-disable-self-update.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 5c6d247471..1db2de4751 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -7479,7 +7479,9 @@ Exchange, Last.fm, IMAP/SMTP, Jabber, SIP and Kerberos.")
(version-major+minor version) "/"
name "-" version ".tar.xz"))
(patches (search-patches "evolution-data-server-locales.patch"
- "evolution-data-server-libical-compat.patch"))
+ "evolution-data-server-libical-compat.patch"
+ "evolution-data-server-CVE-2020-14928.patch"
+ "evolution-data-server-CVE-2020-16117.patch"))
(sha256
(base32
"16z85y6hhazcrp5ngw47w4x9r0j8zrj7awv5im58hhp0xs19zf1y"))))
diff --git a/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch b/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch
new file mode 100644
index 0000000000..421f292c9d
--- /dev/null
+++ b/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch
@@ -0,0 +1,115 @@
+From ba82be72cfd427b5d72ff21f929b3a6d8529c4df Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 22 Jun 2020 13:40:17 +0200
+Subject: [PATCH] I#226 - CVE-2020-14928: Response Injection via STARTTLS in
+ SMTP and POP3
+
+Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
+---
+ src/camel/camel-stream-buffer.c | 19 +++++++++++++++++++
+ src/camel/camel-stream-buffer.h | 1 +
+ src/camel/providers/pop3/camel-pop3-store.c | 2 ++
+ src/camel/providers/pop3/camel-pop3-stream.c | 11 +++++++++++
+ src/camel/providers/pop3/camel-pop3-stream.h | 1 +
+ .../providers/smtp/camel-smtp-transport.c | 2 ++
+ 6 files changed, 36 insertions(+)
+
+diff --git a/src/camel/camel-stream-buffer.c b/src/camel/camel-stream-buffer.c
+index 3e2e0dd36..a6f605ae5 100644
+--- a/src/camel/camel-stream-buffer.c
++++ b/src/camel/camel-stream-buffer.c
+@@ -518,3 +518,22 @@ camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
+
+ return g_strdup ((gchar *) sbf->priv->linebuf);
+ }
++
++/**
++ * camel_stream_buffer_discard_cache:
++ * @sbf: a #CamelStreamBuffer
++ *
++ * Discards any cached data in the @sbf. The next read reads
++ * from the stream.
++ *
++ * Since: 3.38
++ **/
++void
++camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf)
++{
++ g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf));
++
++ sbf->priv->ptr = sbf->priv->buf;
++ sbf->priv->end = sbf->priv->buf;
++ sbf->priv->ptr[0] = '\0';
++}
+diff --git a/src/camel/camel-stream-buffer.h b/src/camel/camel-stream-buffer.h
+index ef92cfd8e..094e9926b 100644
+--- a/src/camel/camel-stream-buffer.h
++++ b/src/camel/camel-stream-buffer.h
+@@ -93,6 +93,7 @@ gint camel_stream_buffer_gets (CamelStreamBuffer *sbf,
+ gchar * camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
+ GCancellable *cancellable,
+ GError **error);
++void camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf);
+
+ G_END_DECLS
+
+diff --git a/src/camel/providers/pop3/camel-pop3-store.c b/src/camel/providers/pop3/camel-pop3-store.c
+index 81c370f0a..5c9eb1eaa 100644
+--- a/src/camel/providers/pop3/camel-pop3-store.c
++++ b/src/camel/providers/pop3/camel-pop3-store.c
+@@ -205,6 +205,8 @@ connect_to_server (CamelService *service,
+
+ if (tls_stream != NULL) {
+ camel_stream_set_base_stream (stream, tls_stream);
++ /* Truncate any left cached input from the insecure part of the session */
++ camel_pop3_stream_discard_cache (pop3_engine->stream);
+ g_object_unref (tls_stream);
+ } else {
+ g_prefix_error (
+diff --git a/src/camel/providers/pop3/camel-pop3-stream.c b/src/camel/providers/pop3/camel-pop3-stream.c
+index 74bb11e61..c485b9bd6 100644
+--- a/src/camel/providers/pop3/camel-pop3-stream.c
++++ b/src/camel/providers/pop3/camel-pop3-stream.c
+@@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream *is,
+
+ return 1;
+ }
++
++void
++camel_pop3_stream_discard_cache (CamelPOP3Stream *is)
++{
++ if (is) {
++ is->ptr = is->end = is->buf;
++ is->lineptr = is->linebuf;
++ is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE;
++ is->ptr[0] = '\n';
++ }
++}
+diff --git a/src/camel/providers/pop3/camel-pop3-stream.h b/src/camel/providers/pop3/camel-pop3-stream.h
+index bb6dbb903..128c8c45a 100644
+--- a/src/camel/providers/pop3/camel-pop3-stream.h
++++ b/src/camel/providers/pop3/camel-pop3-stream.h
+@@ -87,6 +87,7 @@ gint camel_pop3_stream_getd (CamelPOP3Stream *is,
+ guint *len,
+ GCancellable *cancellable,
+ GError **error);
++void camel_pop3_stream_discard_cache (CamelPOP3Stream *is);
+
+ G_END_DECLS
+
+diff --git a/src/camel/providers/smtp/camel-smtp-transport.c b/src/camel/providers/smtp/camel-smtp-transport.c
+index 035baf367..1fc0f3206 100644
+--- a/src/camel/providers/smtp/camel-smtp-transport.c
++++ b/src/camel/providers/smtp/camel-smtp-transport.c
+@@ -323,6 +323,8 @@ connect_to_server (CamelService *service,
+
+ if (tls_stream != NULL) {
+ camel_stream_set_base_stream (stream, tls_stream);
++ /* Truncate any left cached input from the insecure part of the session */
++ camel_stream_buffer_discard_cache (transport->istream);
+ g_object_unref (tls_stream);
+ } else {
+ g_prefix_error (
+--
+GitLab
+
diff --git a/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch b/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch
new file mode 100644
index 0000000000..b2c0622a90
--- /dev/null
+++ b/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch
@@ -0,0 +1,28 @@
+From 2cc39592b532cf0dc994fd3694b8e6bf924c9ab5 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 10 Feb 2020 10:00:32 +0100
+Subject: [PATCH] I#189 - Crash on malformed server response with minimal
+ capabilities
+
+Closes https://gitlab.gnome.org/GNOME/evolution-data-server/issues/189
+---
+ src/camel/providers/imapx/camel-imapx-server.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/camel/providers/imapx/camel-imapx-server.c b/src/camel/providers/imapx/camel-imapx-server.c
+index 3c38fb1e9..3883321ec 100644
+--- a/src/camel/providers/imapx/camel-imapx-server.c
++++ b/src/camel/providers/imapx/camel-imapx-server.c
+@@ -3045,7 +3045,8 @@ connected:
+
+ /* See if we got new capabilities
+ * in the STARTTLS response. */
+- imapx_free_capability (is->priv->cinfo);
++ if (is->priv->cinfo)
++ imapx_free_capability (is->priv->cinfo);
+ is->priv->cinfo = NULL;
+ if (ic->status->condition == IMAPX_CAPABILITY) {
+ is->priv->cinfo = ic->status->u.cinfo;
+--
+GitLab
+