summaryrefslogtreecommitdiff
path: root/user/libetpan/CVE-2020-15953-b.patch
diff options
context:
space:
mode:
Diffstat (limited to 'user/libetpan/CVE-2020-15953-b.patch')
-rw-r--r--user/libetpan/CVE-2020-15953-b.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/user/libetpan/CVE-2020-15953-b.patch b/user/libetpan/CVE-2020-15953-b.patch
new file mode 100644
index 000000000..95e0385bb
--- /dev/null
+++ b/user/libetpan/CVE-2020-15953-b.patch
@@ -0,0 +1,58 @@
+From 6068b0fa8310bced874b322b20ac470472c64784 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <f.ising@fh-muenster.de>
+Date: Fri, 24 Jul 2020 08:56:05 +0200
+Subject: [PATCH 1/2] Detect extra data after STLS response and return error
+
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535be..e2124bf8 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+
+ if (r != RESPONSE_OK)
+ return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++ // Detect if the server send extra data after the STLS response.
++ // This *may* be a "response injection attack".
++ if (f->pop3_stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no error type for STARTTLS errors in POP3
++ return MAILPOP3_ERROR_SSL;
++ }
+
+ return MAILPOP3_NO_ERROR;
+ }
+
+From 874ebf7ce9d108c6c1def733f90d156b44fb6ef7 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <f.ising@fh-muenster.de>
+Date: Fri, 24 Jul 2020 08:56:31 +0200
+Subject: [PATCH 2/2] Detect extra data after SMTP STARTTLS response and return
+ error
+
+---
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index b7fc459e..3145cadf 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
+ return MAILSMTP_ERROR_STREAM;
+ r = read_response(session);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no general error type for STARTTLS errors in SMTP
++ return MAILSMTP_ERROR_SSL;
++ }
++
+ switch (r) {
+ case 220:
+ return MAILSMTP_NO_ERROR;