From ba82be72cfd427b5d72ff21f929b3a6d8529c4df Mon Sep 17 00:00:00 2001
From: Milan Crha <mcrha@redhat.com>
Date: Mon, 22 Jun 2020 13:40:17 +0200
Subject: [PATCH] I#226 - CVE-2020-14928: Response Injection via STARTTLS in
SMTP and POP3
Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
---
src/camel/camel-stream-buffer.c | 19 +++++++++++++++++++
src/camel/camel-stream-buffer.h | 1 +
src/camel/providers/pop3/camel-pop3-store.c | 2 ++
src/camel/providers/pop3/camel-pop3-stream.c | 11 +++++++++++
src/camel/providers/pop3/camel-pop3-stream.h | 1 +
.../providers/smtp/camel-smtp-transport.c | 2 ++
6 files changed, 36 insertions(+)
diff --git a/src/camel/camel-stream-buffer.c b/src/camel/camel-stream-buffer.c
index 3e2e0dd36..a6f605ae5 100644
--- a/src/camel/camel-stream-buffer.c
+++ b/src/camel/camel-stream-buffer.c
@@ -518,3 +518,22 @@ camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
return g_strdup ((gchar *) sbf->priv->linebuf);
}
+
+/**
+ * camel_stream_buffer_discard_cache:
+ * @sbf: a #CamelStreamBuffer
+ *
+ * Discards any cached data in the @sbf. The next read reads
+ * from the stream.
+ *
+ * Since: 3.38
+ **/
+void
+camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf)
+{
+ g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf));
+
+ sbf->priv->ptr = sbf->priv->buf;
+ sbf->priv->end = sbf->priv->buf;
+ sbf->priv->ptr[0] = '\0';
+}
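Review bot: The doc comment on camel_stream_buffer_discard_cache() does not say when the function has to be called or what is lost, which matters because the callers depend on it for the STARTTLS fix. I would extend it with something like `Call this right after replacing the base stream (for example after a STARTTLS upgrade) and before the next read, so that bytes received over the old stream are never parsed as if they came from the new one.` If the same buffer is also used for write buffering (not visible in this hunk), the comment should state that pending unwritten data is dropped as well, or the function should refuse to run in that mode.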
diff --git a/src/camel/camel-stream-buffer.h b/src/camel/camel-stream-buffer.h
index ef92cfd8e..094e9926b 100644
--- a/src/camel/camel-stream-buffer.h
+++ b/src/camel/camel-stream-buffer.h
@@ -93,6 +93,7 @@ gint camel_stream_buffer_gets (CamelStreamBuffer *sbf,
gchar * camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
GCancellable *cancellable,
GError **error);
+void camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf);
G_END_DECLS
diff --git a/src/camel/providers/pop3/camel-pop3-store.c b/src/camel/providers/pop3/camel-pop3-store.c
index 81c370f0a..5c9eb1eaa 100644
--- a/src/camel/providers/pop3/camel-pop3-store.c
+++ b/src/camel/providers/pop3/camel-pop3-store.c
@@ -205,6 +205,8 @@ connect_to_server (CamelService *service,
if (tls_stream != NULL) {
camel_stream_set_base_stream (stream, tls_stream);
+ /* Truncate any left cached input from the insecure part of the session */
+ camel_pop3_stream_discard_cache (pop3_engine->stream);
g_object_unref (tls_stream);
} else {
g_prefix_error (
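Review bot: The discard after `camel_stream_set_base_stream()` is silent, so bytes that arrived in clear text before the handshake disappear without any trace, although their presence means the peer (or someone on the path) sent data it should not have sent at that point. Consider letting `camel_pop3_stream_discard_cache()` report whether it dropped anything, for example by returning `gboolean`, and logging or failing the connection when it did; the same applies to the `camel_stream_buffer_discard_cache (transport->istream)` call in camel-smtp-transport.c. The comment could also state the reason: `/* Input buffered before the TLS handshake was received unprotected and must not be parsed as a server reply */`. connect_to_server() starts and ends outside this hunk, so I cannot confirm that `pop3_engine->stream` wraps the same `stream` whose base is replaced here.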
diff --git a/src/camel/providers/pop3/camel-pop3-stream.c b/src/camel/providers/pop3/camel-pop3-stream.c
index 74bb11e61..c485b9bd6 100644
--- a/src/camel/providers/pop3/camel-pop3-stream.c
+++ b/src/camel/providers/pop3/camel-pop3-stream.c
@@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream *is,
return 1;
}
+
+void
+camel_pop3_stream_discard_cache (CamelPOP3Stream *is)
+{
+ if (is) {
+ is->ptr = is->end = is->buf;
+ is->lineptr = is->linebuf;
+ is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE;
+ is->ptr[0] = '\n';
+ }
+}
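Review bot: camel_pop3_stream_discard_cache() is added without any comment, and `is->ptr[0] = '\n';` in particular needs one, because the sibling camel_stream_buffer_discard_cache() ends its buffer with '\0' and a reader cannot tell that the difference is intended. A one-line comment such as `/* '\n' is the end-of-buffer sentinel the line scanner stops on */` would do, if that is indeed its role (the scanner is outside this hunk). The `if (is)` guard also makes a NULL stream a silent no-op on a security-relevant path; `g_return_if_fail (CAMEL_IS_POP3_STREAM (is));` would match the other helper and leave a warning in the log.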
diff --git a/src/camel/providers/pop3/camel-pop3-stream.h b/src/camel/providers/pop3/camel-pop3-stream.h
index bb6dbb903..128c8c45a 100644
--- a/src/camel/providers/pop3/camel-pop3-stream.h
+++ b/src/camel/providers/pop3/camel-pop3-stream.h
@@ -87,6 +87,7 @@ gint camel_pop3_stream_getd (CamelPOP3Stream *is,
guint *len,
GCancellable *cancellable,
GError **error);
+void camel_pop3_stream_discard_cache (CamelPOP3Stream *is);
G_END_DECLS
diff --git a/src/camel/providers/smtp/camel-smtp-transport.c b/src/camel/providers/smtp/camel-smtp-transport.c
index 035baf367..1fc0f3206 100644
--- a/src/camel/providers/smtp/camel-smtp-transport.c
+++ b/src/camel/providers/smtp/camel-smtp-transport.c
@@ -323,6 +323,8 @@ connect_to_server (CamelService *service,
if (tls_stream != NULL) {
camel_stream_set_base_stream (stream, tls_stream);
+ /* Truncate any left cached input from the insecure part of the session */
+ camel_stream_buffer_discard_cache (transport->istream);
g_object_unref (tls_stream);
} else {
g_prefix_error (
--
GitLab