Bug#1003825: buster-pu: package libetpan/1.9.3-2+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
* CVE-2020-15953: STARTTLS response injection that
affects IMAP, SMTP, and POP3. (Closes: #966647)
diff -Nru libetpan-1.9.3/debian/changelog libetpan-1.9.3/debian/changelog
--- libetpan-1.9.3/debian/changelog 2019-05-07 00:27:54.000000000 +0300
+++ libetpan-1.9.3/debian/changelog 2022-01-16 13:49:07.000000000 +0200
@@ -1,3 +1,11 @@
+libetpan (1.9.3-2+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2020-15953: STARTTLS response injection that
+ affects IMAP, SMTP, and POP3. (Closes: #966647)
+
+ -- Adrian Bunk <bunk@debian.org> Sun, 16 Jan 2022 13:49:07 +0200
+
libetpan (1.9.3-2) unstable; urgency=high
* debian/patches/90_fix_tls_timeout.diff
diff -Nru libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
--- libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch 1970-01-01 02:00:00.000000000 +0200
+++ libetpan-1.9.3/debian/patches/0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch 2022-01-16 13:48:27.000000000 +0200
@@ -0,0 +1,30 @@
+From a6ab2983e53795b62b3158ddfe114dfaea1a1d17 Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <duesee@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index 989e20a..df17e27 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2422,6 +2422,13 @@ int mailimap_starttls(mailimap * session)
+
+ mailimap_response_free(response);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->imap_stream->read_buffer_len != 0) {
++ // Since it is also an IMAP protocol violation, exit.
++ return MAILIMAP_ERROR_STARTTLS;
++ }
++
+ switch (error_code) {
+ case MAILIMAP_RESP_COND_STATE_OK:
+ return MAILIMAP_NO_ERROR;
+--
+2.20.1
+
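Review bot: The guard at the `read_buffer_len != 0` line only sees bytes that the response parser has already pulled into the IMAP stream's read buffer; whether any further bytes could still be waiting in the socket at this point depends on how the stream layer reads, which is not visible in this hunk, so the check is best described as a heuristic for the common injection shape rather than a complete filter. It also runs before `switch (error_code)`, so a NO/BAD reply followed by trailing bytes is reported as `MAILIMAP_ERROR_STARTTLS` rather than the status-specific result the switch would have produced; that looks intentional but deserves a sentence in the comment. I would also tie the comment to the advisory so the check is not "simplified" away later, and fix its grammar: `// CVE-2020-15953: any bytes already buffered after the STARTTLS reply are` / `// treated as a plaintext response injection; abort the upgrade.` `mailimap_starttls` begins outside the hunk.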
diff -Nru libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
--- libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch 1970-01-01 02:00:00.000000000 +0200
+++ libetpan-1.9.3/debian/patches/0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch 2022-01-16 13:48:27.000000000 +0200
@@ -0,0 +1,55 @@
+From 586db9d030f397a48c7b0008dffe25da582251f3 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <Murgeye@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: Detect extra data after STARTTLS responses in SMTP and POP3 and exit
+ (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+
+ if (r != RESPONSE_OK)
+ return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++ // Detect if the server send extra data after the STLS response.
++ // This *may* be a "response injection attack".
++ if (f->pop3_stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no error type for STARTTLS errors in POP3
++ return MAILPOP3_ERROR_SSL;
++ }
+
+ return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index 2f3b40e..c967511 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1108,6 +1108,14 @@ int mailesmtp_starttls(mailsmtp * session)
+ return MAILSMTP_ERROR_STREAM;
+ r = read_response(session);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no general error type for STARTTLS errors in SMTP
++ return MAILSMTP_ERROR_SSL;
++ }
++
+ switch (r) {
+ case 220:
+ return MAILSMTP_NO_ERROR;
+--
+2.20.1
+
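Review bot: The two hunks place the new check at different points: in `mailpop3_stls` it runs only after the `r != RESPONSE_OK` early return, so a refused STLS keeps `MAILPOP3_ERROR_STLS_NOT_SUPPORTED`, whereas in `mailesmtp_starttls` it runs before `switch (r)`, so any non-220 reply that carries trailing bytes is reported as `MAILSMTP_ERROR_SSL` instead of the reply-specific code the switch would have returned. Either order is defensible, but the SMTP comment should state that it is deliberate, e.g. `// Checked before the status switch: trailing bytes are rejected even when the upgrade was refused.` Both functions reuse the generic `_ERROR_SSL` codes, as the comments say, so callers cannot distinguish an injection from a TLS failure; naming CVE-2020-15953 in those comments (and changing "the server send" to "the server sent") would help later readers find the rationale. Both enclosing functions start outside their hunks.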
diff -Nru libetpan-1.9.3/debian/patches/series libetpan-1.9.3/debian/patches/series
--- libetpan-1.9.3/debian/patches/series 2019-05-07 00:27:54.000000000 +0300
+++ libetpan-1.9.3/debian/patches/series 2022-01-16 13:49:05.000000000 +0200
@@ -2,3 +2,5 @@
11_use_openjade.diff
12_add_dummy_readme.diff
90_fix_tls_timeout.diff
+0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
+0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch