
Bug#1003825: buster-pu: package libetpan/1.9.3-2+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

  * CVE-2020-15953: STARTTLS response injection that
    affects IMAP, SMTP, and POP3. (Closes: #966647)
diff -Nru libetpan-1.9.3/debian/changelog libetpan-1.9.3/debian/changelog
--- libetpan-1.9.3/debian/changelog	2019-05-07 00:27:54.000000000 +0300
+++ libetpan-1.9.3/debian/changelog	2022-01-16 13:49:07.000000000 +0200
@@ -1,3 +1,11 @@
+libetpan (1.9.3-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2020-15953: STARTTLS response injection that
+    affects IMAP, SMTP, and POP3. (Closes: #966647)
+
+ -- Adrian Bunk <bunk@debian.org>  Sun, 16 Jan 2022 13:49:07 +0200
+
 libetpan (1.9.3-2) unstable; urgency=high
 
   * debian/patches/90_fix_tls_timeout.diff
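Review bot: the new changelog entry names only the CVE, whereas the existing 1.9.3-2 entry below it lists the patch file it added (debian/patches/90_fix_tls_timeout.diff); for consistency and easier auditing of the stable update, consider naming the two patches this upload adds (0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch and 0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch) under the CVE bullet.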
diff -Nru libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
--- libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch	1970-01-01 02:00:00.000000000 +0200
+++ libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch	2022-01-16 13:48:27.000000000 +0200
@@ -0,0 +1,30 @@
+From a6ab2983e53795b62b3158ddfe114dfaea1a1d17 Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <duesee@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index 989e20a..df17e27 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2422,6 +2422,13 @@ int mailimap_starttls(mailimap * session)
+ 
+   mailimap_response_free(response);
+ 
++  // Detect if the server send extra data after the STARTTLS response.
++  // This *may* be a "response injection attack".
++  if (session->imap_stream->read_buffer_len != 0) {
++      // Since it is also an IMAP protocol violation, exit.
++      return MAILIMAP_ERROR_STARTTLS;
++  }
++
+   switch (error_code) {
+   case MAILIMAP_RESP_COND_STATE_OK:
+     return MAILIMAP_NO_ERROR;
+-- 
+2.20.1
+
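Review bot: the patch header carries only the git format-patch From/Date/Subject lines and no DEP-3 Origin: or Bug-Debian: field; adding `Origin: upstream, <commit a6ab2983e53795b62b3158ddfe114dfaea1a1d17>` and `Bug-Debian: https://bugs.debian.org/966647` would let the security tracker and future maintainers trace the fix without opening the bug. On the logic, the `read_buffer_len != 0` check is placed before `switch (error_code)`, so a server that answers STARTTLS with a non-OK status and trailing bytes now yields MAILIMAP_ERROR_STARTTLS instead of whatever the switch would have mapped; that is acceptable because the session is refused either way, but the comment could say so. Minor: "the server send extra data" should read "the server sent extra data".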
diff -Nru libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
--- libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch	1970-01-01 02:00:00.000000000 +0200
+++ libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch	2022-01-16 13:48:27.000000000 +0200
@@ -0,0 +1,55 @@
+From 586db9d030f397a48c7b0008dffe25da582251f3 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <Murgeye@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: Detect extra data after STARTTLS responses in SMTP and POP3 and exit
+ (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+ 
+   if (r != RESPONSE_OK)
+     return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++  // Detect if the server send extra data after the STLS response.
++  // This *may* be a "response injection attack".
++  if (f->pop3_stream->read_buffer_len != 0) {
++    // Since it is also protocol violation, exit.
++    // There is no error type for STARTTLS errors in POP3
++    return MAILPOP3_ERROR_SSL;
++  }
+   
+   return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index 2f3b40e..c967511 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1108,6 +1108,14 @@ int mailesmtp_starttls(mailsmtp * session)
+     return MAILSMTP_ERROR_STREAM;
+   r = read_response(session);
+ 
++  // Detect if the server send extra data after the STARTTLS response.
++  // This *may* be a "response injection attack".
++  if (session->stream->read_buffer_len != 0) {
++    // Since it is also protocol violation, exit.
++    // There is no general error type for STARTTLS errors in SMTP
++    return MAILSMTP_ERROR_SSL;
++  }
++
+   switch (r) {
+   case 220:
+     return MAILSMTP_NO_ERROR;
+-- 
+2.20.1
+
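Review bot: the two files place the check at different points, which gives inconsistent error codes for the same server behaviour. In mailpop3.c the check sits after the `if (r != RESPONSE_OK) return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;` early return, so leftover data is only examined after a successful STLS reply, while in mailsmtp.c it sits before `switch (r)`, so a non-220 reply accompanied by extra data returns MAILSMTP_ERROR_SSL rather than the specific error the switch would report. Checking only after a successful response in both files (as POP3 does, and as the IMAP patch's placement after mailimap_response_free implies) would make the behaviour uniform; as the comments note, MAILPOP3_ERROR_SSL and MAILSMTP_ERROR_SSL are reused for lack of a dedicated STARTTLS error, so callers cannot distinguish a TLS failure from this protocol violation, which is reasonable for a stable update. Minor grammar in both comment blocks: "server send" should be "server sent" and "also protocol violation" should be "also a protocol violation".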
diff -Nru libetpan-1.9.3/debian/patches/series libetpan-1.9.3/debian/patches/series
--- libetpan-1.9.3/debian/patches/series	2019-05-07 00:27:54.000000000 +0300
+++ libetpan-1.9.3/debian/patches/series	2022-01-16 13:49:05.000000000 +0200
@@ -2,3 +2,5 @@
 11_use_openjade.diff
 12_add_dummy_readme.diff
 90_fix_tls_timeout.diff
+0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
+0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
