From c35f87bb1a300c6bde538eaa927a0f7311fb09a0 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Thu, 11 Mar 2021 01:10:29 +0100 Subject: gnu: evolution-data-server: Fix CVE-2020-14928 and CVE-2020-16117. * gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch, gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch: New patches. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/gnome.scm (evolution-data-server): Apply them. --- gnu/local.mk | 2 + gnu/packages/gnome.scm | 4 +- .../evolution-data-server-CVE-2020-14928.patch | 115 +++++++++++++++++++++ .../evolution-data-server-CVE-2020-16117.patch | 28 +++++ 4 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch create mode 100644 gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 39037d3499..e24cee8ecf 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -973,6 +973,8 @@ dist_patch_DATA = \ %D%/packages/patches/erlang-man-path.patch \ %D%/packages/patches/eudev-rules-directory.patch \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ + %D%/packages/patches/evolution-data-server-CVE-2020-14928.patch \ + %D%/packages/patches/evolution-data-server-CVE-2020-16117.patch \ %D%/packages/patches/evolution-data-server-locales.patch \ %D%/packages/patches/evolution-data-server-libical-compat.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 5c6d247471..1db2de4751 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -7479,7 +7479,9 @@ Exchange, Last.fm, IMAP/SMTP, Jabber, SIP and Kerberos.") (version-major+minor version) "/" name "-" version ".tar.xz")) (patches (search-patches "evolution-data-server-locales.patch" - "evolution-data-server-libical-compat.patch")) + "evolution-data-server-libical-compat.patch" + "evolution-data-server-CVE-2020-14928.patch" + "evolution-data-server-CVE-2020-16117.patch")) (sha256 (base32 "16z85y6hhazcrp5ngw47w4x9r0j8zrj7awv5im58hhp0xs19zf1y")))) diff --git a/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch b/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch new file mode 100644 index 0000000000..421f292c9d --- /dev/null +++ b/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch @@ -0,0 +1,115 @@ +From ba82be72cfd427b5d72ff21f929b3a6d8529c4df Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 22 Jun 2020 13:40:17 +0200 +Subject: [PATCH] I#226 - CVE-2020-14928: Response Injection via STARTTLS in + SMTP and POP3 + +Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226 +--- + src/camel/camel-stream-buffer.c | 19 +++++++++++++++++++ + src/camel/camel-stream-buffer.h | 1 + + src/camel/providers/pop3/camel-pop3-store.c | 2 ++ + src/camel/providers/pop3/camel-pop3-stream.c | 11 +++++++++++ + src/camel/providers/pop3/camel-pop3-stream.h | 1 + + .../providers/smtp/camel-smtp-transport.c | 2 ++ + 6 files changed, 36 insertions(+) + +diff --git a/src/camel/camel-stream-buffer.c b/src/camel/camel-stream-buffer.c +index 3e2e0dd36..a6f605ae5 100644 +--- a/src/camel/camel-stream-buffer.c ++++ b/src/camel/camel-stream-buffer.c +@@ -518,3 +518,22 @@ camel_stream_buffer_read_line (CamelStreamBuffer *sbf, + + return g_strdup ((gchar *) sbf->priv->linebuf); + } ++ ++/** ++ * camel_stream_buffer_discard_cache: ++ * @sbf: a #CamelStreamBuffer ++ * ++ * Discards any cached data in the @sbf. The next read reads ++ * from the stream. ++ * ++ * Since: 3.38 ++ **/ ++void ++camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf) ++{ ++ g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf)); ++ ++ sbf->priv->ptr = sbf->priv->buf; ++ sbf->priv->end = sbf->priv->buf; ++ sbf->priv->ptr[0] = '\0'; ++} +diff --git a/src/camel/camel-stream-buffer.h b/src/camel/camel-stream-buffer.h +index ef92cfd8e..094e9926b 100644 +--- a/src/camel/camel-stream-buffer.h ++++ b/src/camel/camel-stream-buffer.h +@@ -93,6 +93,7 @@ gint camel_stream_buffer_gets (CamelStreamBuffer *sbf, + gchar * camel_stream_buffer_read_line (CamelStreamBuffer *sbf, + GCancellable *cancellable, + GError **error); ++void camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf); + + G_END_DECLS + +diff --git a/src/camel/providers/pop3/camel-pop3-store.c b/src/camel/providers/pop3/camel-pop3-store.c +index 81c370f0a..5c9eb1eaa 100644 +--- a/src/camel/providers/pop3/camel-pop3-store.c ++++ b/src/camel/providers/pop3/camel-pop3-store.c +@@ -205,6 +205,8 @@ connect_to_server (CamelService *service, + + if (tls_stream != NULL) { + camel_stream_set_base_stream (stream, tls_stream); ++ /* Truncate any left cached input from the insecure part of the session */ ++ camel_pop3_stream_discard_cache (pop3_engine->stream); + g_object_unref (tls_stream); + } else { + g_prefix_error ( +diff --git a/src/camel/providers/pop3/camel-pop3-stream.c b/src/camel/providers/pop3/camel-pop3-stream.c +index 74bb11e61..c485b9bd6 100644 +--- a/src/camel/providers/pop3/camel-pop3-stream.c ++++ b/src/camel/providers/pop3/camel-pop3-stream.c +@@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream *is, + + return 1; + } ++ ++void ++camel_pop3_stream_discard_cache (CamelPOP3Stream *is) ++{ ++ if (is) { ++ is->ptr = is->end = is->buf; ++ is->lineptr = is->linebuf; ++ is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE; ++ is->ptr[0] = '\n'; ++ } ++} +diff --git a/src/camel/providers/pop3/camel-pop3-stream.h b/src/camel/providers/pop3/camel-pop3-stream.h +index bb6dbb903..128c8c45a 100644 +--- a/src/camel/providers/pop3/camel-pop3-stream.h ++++ b/src/camel/providers/pop3/camel-pop3-stream.h +@@ -87,6 +87,7 @@ gint camel_pop3_stream_getd (CamelPOP3Stream *is, + guint *len, + GCancellable *cancellable, + GError **error); ++void camel_pop3_stream_discard_cache (CamelPOP3Stream *is); + + G_END_DECLS + +diff --git a/src/camel/providers/smtp/camel-smtp-transport.c b/src/camel/providers/smtp/camel-smtp-transport.c +index 035baf367..1fc0f3206 100644 +--- a/src/camel/providers/smtp/camel-smtp-transport.c ++++ b/src/camel/providers/smtp/camel-smtp-transport.c +@@ -323,6 +323,8 @@ connect_to_server (CamelService *service, + + if (tls_stream != NULL) { + camel_stream_set_base_stream (stream, tls_stream); ++ /* Truncate any left cached input from the insecure part of the session */ ++ camel_stream_buffer_discard_cache (transport->istream); + g_object_unref (tls_stream); + } else { + g_prefix_error ( +-- +GitLab + diff --git a/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch b/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch new file mode 100644 index 0000000000..b2c0622a90 --- /dev/null +++ b/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch @@ -0,0 +1,28 @@ +From 2cc39592b532cf0dc994fd3694b8e6bf924c9ab5 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 10 Feb 2020 10:00:32 +0100 +Subject: [PATCH] I#189 - Crash on malformed server response with minimal + capabilities + +Closes https://gitlab.gnome.org/GNOME/evolution-data-server/issues/189 +--- + src/camel/providers/imapx/camel-imapx-server.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/camel/providers/imapx/camel-imapx-server.c b/src/camel/providers/imapx/camel-imapx-server.c +index 3c38fb1e9..3883321ec 100644 +--- a/src/camel/providers/imapx/camel-imapx-server.c ++++ b/src/camel/providers/imapx/camel-imapx-server.c +@@ -3045,7 +3045,8 @@ connected: + + /* See if we got new capabilities + * in the STARTTLS response. */ +- imapx_free_capability (is->priv->cinfo); ++ if (is->priv->cinfo) ++ imapx_free_capability (is->priv->cinfo); + is->priv->cinfo = NULL; + if (ic->status->condition == IMAPX_CAPABILITY) { + is->priv->cinfo = ic->status->u.cinfo; +-- +GitLab + -- cgit v1.2.3