summary refs log tree commit diff
diff options
context:
space:
mode:
authorLéo Le Bouter <lle-bout@zaclys.net>2021-03-11 01:10:29 +0100
committerLéo Le Bouter <lle-bout@zaclys.net>2021-03-11 01:19:40 +0100
commitc35f87bb1a300c6bde538eaa927a0f7311fb09a0 (patch)
tree0dc58a56765a8a10cf29fd6ba6a223dbbcbbb0f2
parent24f0bb21ab338994187456eacb69d1162fdd1af5 (diff)
downloadguix-c35f87bb1a300c6bde538eaa927a0f7311fb09a0.tar.gz
gnu: evolution-data-server: Fix CVE-2020-14928 and CVE-2020-16117.
* gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch,
gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch: New patches.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/gnome.scm (evolution-data-server): Apply them.
-rw-r--r--gnu/local.mk2
-rw-r--r--gnu/packages/gnome.scm4
-rw-r--r--gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch115
-rw-r--r--gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch28
4 files changed, 148 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 39037d3499..e24cee8ecf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -973,6 +973,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/erlang-man-path.patch			\
   %D%/packages/patches/eudev-rules-directory.patch		\
   %D%/packages/patches/evilwm-lost-focus-bug.patch		\
+  %D%/packages/patches/evolution-data-server-CVE-2020-14928.patch	\
+  %D%/packages/patches/evolution-data-server-CVE-2020-16117.patch	\
   %D%/packages/patches/evolution-data-server-locales.patch	\
   %D%/packages/patches/evolution-data-server-libical-compat.patch	\
   %D%/packages/patches/exercism-disable-self-update.patch	\
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 5c6d247471..1db2de4751 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -7479,7 +7479,9 @@ Exchange, Last.fm, IMAP/SMTP, Jabber, SIP and Kerberos.")
                                   (version-major+minor version) "/"
                                   name "-" version ".tar.xz"))
               (patches (search-patches "evolution-data-server-locales.patch"
-                                       "evolution-data-server-libical-compat.patch"))
+                                       "evolution-data-server-libical-compat.patch"
+                                       "evolution-data-server-CVE-2020-14928.patch"
+                                       "evolution-data-server-CVE-2020-16117.patch"))
               (sha256
                (base32
                 "16z85y6hhazcrp5ngw47w4x9r0j8zrj7awv5im58hhp0xs19zf1y"))))
diff --git a/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch b/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch
new file mode 100644
index 0000000000..421f292c9d
--- /dev/null
+++ b/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch
@@ -0,0 +1,115 @@
+From ba82be72cfd427b5d72ff21f929b3a6d8529c4df Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 22 Jun 2020 13:40:17 +0200
+Subject: [PATCH] I#226 - CVE-2020-14928: Response Injection via STARTTLS in
+ SMTP and POP3
+
+Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
+---
+ src/camel/camel-stream-buffer.c               | 19 +++++++++++++++++++
+ src/camel/camel-stream-buffer.h               |  1 +
+ src/camel/providers/pop3/camel-pop3-store.c   |  2 ++
+ src/camel/providers/pop3/camel-pop3-stream.c  | 11 +++++++++++
+ src/camel/providers/pop3/camel-pop3-stream.h  |  1 +
+ .../providers/smtp/camel-smtp-transport.c     |  2 ++
+ 6 files changed, 36 insertions(+)
+
+diff --git a/src/camel/camel-stream-buffer.c b/src/camel/camel-stream-buffer.c
+index 3e2e0dd36..a6f605ae5 100644
+--- a/src/camel/camel-stream-buffer.c
++++ b/src/camel/camel-stream-buffer.c
+@@ -518,3 +518,22 @@ camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
+ 
+ 	return g_strdup ((gchar *) sbf->priv->linebuf);
+ }
++
++/**
++ * camel_stream_buffer_discard_cache:
++ * @sbf: a #CamelStreamBuffer
++ *
++ * Discards any cached data in the @sbf. The next read reads
++ * from the stream.
++ *
++ * Since: 3.38
++ **/
++void
++camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf)
++{
++	g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf));
++
++	sbf->priv->ptr = sbf->priv->buf;
++	sbf->priv->end = sbf->priv->buf;
++	sbf->priv->ptr[0] = '\0';
++}
+diff --git a/src/camel/camel-stream-buffer.h b/src/camel/camel-stream-buffer.h
+index ef92cfd8e..094e9926b 100644
+--- a/src/camel/camel-stream-buffer.h
++++ b/src/camel/camel-stream-buffer.h
+@@ -93,6 +93,7 @@ gint		camel_stream_buffer_gets	(CamelStreamBuffer *sbf,
+ gchar *		camel_stream_buffer_read_line	(CamelStreamBuffer *sbf,
+ 						 GCancellable *cancellable,
+ 						 GError **error);
++void		camel_stream_buffer_discard_cache	(CamelStreamBuffer *sbf);
+ 
+ G_END_DECLS
+ 
+diff --git a/src/camel/providers/pop3/camel-pop3-store.c b/src/camel/providers/pop3/camel-pop3-store.c
+index 81c370f0a..5c9eb1eaa 100644
+--- a/src/camel/providers/pop3/camel-pop3-store.c
++++ b/src/camel/providers/pop3/camel-pop3-store.c
+@@ -205,6 +205,8 @@ connect_to_server (CamelService *service,
+ 
+ 	if (tls_stream != NULL) {
+ 		camel_stream_set_base_stream (stream, tls_stream);
++		/* Truncate any left cached input from the insecure part of the session */
++		camel_pop3_stream_discard_cache (pop3_engine->stream);
+ 		g_object_unref (tls_stream);
+ 	} else {
+ 		g_prefix_error (
+diff --git a/src/camel/providers/pop3/camel-pop3-stream.c b/src/camel/providers/pop3/camel-pop3-stream.c
+index 74bb11e61..c485b9bd6 100644
+--- a/src/camel/providers/pop3/camel-pop3-stream.c
++++ b/src/camel/providers/pop3/camel-pop3-stream.c
+@@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream *is,
+ 
+ 	return 1;
+ }
++
++void
++camel_pop3_stream_discard_cache (CamelPOP3Stream *is)
++{
++	if (is) {
++		is->ptr = is->end = is->buf;
++		is->lineptr = is->linebuf;
++		is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE;
++		is->ptr[0] = '\n';
++	}
++}
+diff --git a/src/camel/providers/pop3/camel-pop3-stream.h b/src/camel/providers/pop3/camel-pop3-stream.h
+index bb6dbb903..128c8c45a 100644
+--- a/src/camel/providers/pop3/camel-pop3-stream.h
++++ b/src/camel/providers/pop3/camel-pop3-stream.h
+@@ -87,6 +87,7 @@ gint		camel_pop3_stream_getd		(CamelPOP3Stream *is,
+ 						 guint *len,
+ 						 GCancellable *cancellable,
+ 						 GError **error);
++void		camel_pop3_stream_discard_cache	(CamelPOP3Stream *is);
+ 
+ G_END_DECLS
+ 
+diff --git a/src/camel/providers/smtp/camel-smtp-transport.c b/src/camel/providers/smtp/camel-smtp-transport.c
+index 035baf367..1fc0f3206 100644
+--- a/src/camel/providers/smtp/camel-smtp-transport.c
++++ b/src/camel/providers/smtp/camel-smtp-transport.c
+@@ -323,6 +323,8 @@ connect_to_server (CamelService *service,
+ 
+ 	if (tls_stream != NULL) {
+ 		camel_stream_set_base_stream (stream, tls_stream);
++		/* Truncate any left cached input from the insecure part of the session */
++		camel_stream_buffer_discard_cache (transport->istream);
+ 		g_object_unref (tls_stream);
+ 	} else {
+ 		g_prefix_error (
+-- 
+GitLab
+
diff --git a/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch b/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch
new file mode 100644
index 0000000000..b2c0622a90
--- /dev/null
+++ b/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch
@@ -0,0 +1,28 @@
+From 2cc39592b532cf0dc994fd3694b8e6bf924c9ab5 Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Mon, 10 Feb 2020 10:00:32 +0100
+Subject: [PATCH] I#189 - Crash on malformed server response with minimal
+ capabilities
+
+Closes https://gitlab.gnome.org/GNOME/evolution-data-server/issues/189
+---
+ src/camel/providers/imapx/camel-imapx-server.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/camel/providers/imapx/camel-imapx-server.c b/src/camel/providers/imapx/camel-imapx-server.c
+index 3c38fb1e9..3883321ec 100644
+--- a/src/camel/providers/imapx/camel-imapx-server.c
++++ b/src/camel/providers/imapx/camel-imapx-server.c
+@@ -3045,7 +3045,8 @@ connected:
+ 
+ 			/* See if we got new capabilities
+ 			 * in the STARTTLS response. */
+-			imapx_free_capability (is->priv->cinfo);
++			if (is->priv->cinfo)
++				imapx_free_capability (is->priv->cinfo);
+ 			is->priv->cinfo = NULL;
+ 			if (ic->status->condition == IMAPX_CAPABILITY) {
+ 				is->priv->cinfo = ic->status->u.cinfo;
+-- 
+GitLab
+