user/trojita: CVE patches (#137)

1 files changed, 88 insertions, 0 deletions

diff --git a/user/trojita/CVE-2020-15047.patch b/user/trojita/CVE-2020-15047.patch
new file mode 100644
index 000000000..6199c01fd
--- /dev/null
+++ b/user/trojita/CVE-2020-15047.patch
@@ -0,0 +1,88 @@
+From 77ddd5d44f2bf4155d0c9b6f7d05f01713b32d5d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= <jkt@kde.org>
+Date: Thu, 25 Jun 2020 11:30:51 +0200
+Subject: [PATCH] SMTP: Do not ignore TLS errors
+
+This fixes a CVE-2020-15047 (category: CWE-295). Since commit 0083eea5ed
+which added initial, experimental support for SMTP message submission,
+we have apparently never implemented proper SSL/TLS error handling, and
+the code has ever since just kept silently ignoring any certificate
+verification errors.  As a result, Trojita was susceptible to a MITM
+attack when sending e-mails. The information leaked include user's
+authentication details, including the password, and the content of sent
+messages.
+
+Sorry for this :(.
+
+Now, this patch re-enabes proper TLS error handling. It was not possible
+to directly re-use our code for TLS key pinning which we are using for
+IMAP connections. In the Qt TLS code, the decision to accept or not
+accept a TLS connection is a blocking one, so the IMAP code relies upon
+the protocol state machine (i.e., another layer) for deciding whether to
+use or not to use the just-established TLS connection. Implementing an
+equivalent code in the SMTP library would be nice, but this hot-fix has
+a priority. As a result, SMTP connections to hosts with, e.g.,
+self-signed TLS certs, are no longer possible. Let's hope that this is
+not a practical problem with Lets Encrypt anymore.
+
+Thanks to Damian Poddebniak for reporting this bug.
+
+Change-Id: Icd6bbb2b0fb3e45159fc9699ebd07ab84262fe37
+CVE: CVE-2020-15047
+BUG: 423453
+---
+ src/MSA/SMTP.cpp | 11 +++++++++--
+ src/MSA/SMTP.h   |  1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/MSA/SMTP.cpp b/src/MSA/SMTP.cpp
+index 3a054516..ac1eefc5 100644
+--- a/src/MSA/SMTP.cpp
++++ b/src/MSA/SMTP.cpp
+@@ -21,6 +21,7 @@
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ #include "SMTP.h"
++#include "UiUtils/Formatting.h"
+ 
+ namespace MSA
+ {
+@@ -32,8 +33,8 @@ SMTP::SMTP(QObject *parent, const QString &host, quint16 port, bool encryptedCon
+     user(user), failed(false), isWaitingForPassword(false), sendingMode(MODE_SMTP_INVALID)
+ {
+     qwwSmtp = new QwwSmtpClient(this);
+-    // FIXME: handle SSL errors properly
+-    connect(qwwSmtp, &QwwSmtpClient::sslErrors, qwwSmtp, &QwwSmtpClient::ignoreSslErrors);
++    // FIXME: handle SSL errors in the same way as we handle IMAP TLS errors, with key pinning, etc.
++    connect(qwwSmtp, &QwwSmtpClient::sslErrors, this, &SMTP::handleSslErrors);
+     connect(qwwSmtp, &QwwSmtpClient::connected, this, &AbstractMSA::sending);
+     connect(qwwSmtp, &QwwSmtpClient::done, this, &SMTP::handleDone);
+     connect(qwwSmtp, &QwwSmtpClient::socketError, this, &SMTP::handleError);
+@@ -78,6 +79,12 @@ void SMTP::handleError(QAbstractSocket::SocketError err, const QString &msg)
+     emit error(msg);
+ }
+ 
++void SMTP::handleSslErrors(const QList<QSslError>& errors)
++{
++    auto msg = UiUtils::Formatting::sslErrorsToHtml(errors);
++    emit error(tr("<p>Cannot send message due to an SSL/TLS error</p>\n%1").arg(msg));
++}
++
+ void SMTP::setPassword(const QString &password)
+ {
+     pass = password;
+diff --git a/src/MSA/SMTP.h b/src/MSA/SMTP.h
+index 453407d3..913bb873 100644
+--- a/src/MSA/SMTP.h
++++ b/src/MSA/SMTP.h
+@@ -43,6 +43,7 @@ public slots:
+     virtual void setPassword(const QString &password);
+     void handleDone(bool ok);
+     void handleError(QAbstractSocket::SocketError err, const QString &msg);
++    void handleSslErrors(const QList<QSslError>& errors);
+ private:
+     QwwSmtpClient *qwwSmtp;
+     QString host;
+-- 
+GitLab
+