1 | From ba82be72cfd427b5d72ff21f929b3a6d8529c4df Mon Sep 17 00:00:00 2001 |
2 | From: Milan Crha <mcrha@redhat.com> | |
3 | Date: Mon, 22 Jun 2020 13:40:17 +0200 | |
4 | Subject: [PATCH] I#226 - CVE-2020-14928: Response Injection via STARTTLS in | |
5 | SMTP and POP3 | |
6 | ||
7 | Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226 | |
8 | --- | |
9 | src/camel/camel-stream-buffer.c | 19 +++++++++++++++++++ | |
10 | src/camel/camel-stream-buffer.h | 1 + | |
11 | src/camel/providers/pop3/camel-pop3-store.c | 2 ++ | |
12 | src/camel/providers/pop3/camel-pop3-stream.c | 11 +++++++++++ | |
13 | src/camel/providers/pop3/camel-pop3-stream.h | 1 + | |
14 | .../providers/smtp/camel-smtp-transport.c | 2 ++ | |
15 | 6 files changed, 36 insertions(+) | |
16 | ||
17 | diff --git a/src/camel/camel-stream-buffer.c b/src/camel/camel-stream-buffer.c | |
18 | index 3e2e0dd36..a6f605ae5 100644 | |
19 | --- a/src/camel/camel-stream-buffer.c | |
20 | +++ b/src/camel/camel-stream-buffer.c | |
21 | @@ -518,3 +518,22 @@ camel_stream_buffer_read_line (CamelStreamBuffer *sbf, | |
22 | ||
23 | return g_strdup ((gchar *) sbf->priv->linebuf); | |
24 | } | |
25 | + | |
26 | +/** | |
27 | + * camel_stream_buffer_discard_cache: | |
28 | + * @sbf: a #CamelStreamBuffer | |
29 | + * | |
30 | + * Discards any cached data in the @sbf. The next read reads | |
31 | + * from the stream. | |
32 | + * | |
33 | + * Since: 3.38 | |
34 | + **/ | |
35 | +void | |
36 | +camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf) | |
37 | +{ | |
38 | + g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf)); | |
39 | + | |
40 | + sbf->priv->ptr = sbf->priv->buf; | |
41 | + sbf->priv->end = sbf->priv->buf; | |
42 | + sbf->priv->ptr[0] = '\0'; | |
43 | +} | |
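Review bot: camel_stream_buffer_discard_cache() drops whatever is buffered without recording that anything was there, so plaintext received before the stream switch disappears silently. If, as the two pointer assignments suggest, `ptr != end` means unread bytes are cached, a non-empty cache at this point is worth surfacing before the reset, for example `if (sbf->priv->ptr != sbf->priv->end) g_debug ("%s: discarding cached input", G_STRFUNC);`, or by letting the caller fail the connection. The gtk-doc should also say when the call is required, along the lines of `Call this right after replacing the base stream (for example after STARTTLS), so that data buffered from the old stream is never parsed as coming from the new one.`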
44 | diff --git a/src/camel/camel-stream-buffer.h b/src/camel/camel-stream-buffer.h | |
45 | index ef92cfd8e..094e9926b 100644 | |
46 | --- a/src/camel/camel-stream-buffer.h | |
47 | +++ b/src/camel/camel-stream-buffer.h | |
48 | @@ -93,6 +93,7 @@ gint camel_stream_buffer_gets (CamelStreamBuffer *sbf, | |
49 | gchar * camel_stream_buffer_read_line (CamelStreamBuffer *sbf, | |
50 | GCancellable *cancellable, | |
51 | GError **error); | |
52 | +void camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf); | |
53 | ||
54 | G_END_DECLS | |
55 | ||
56 | diff --git a/src/camel/providers/pop3/camel-pop3-store.c b/src/camel/providers/pop3/camel-pop3-store.c | |
57 | index 81c370f0a..5c9eb1eaa 100644 | |
58 | --- a/src/camel/providers/pop3/camel-pop3-store.c | |
59 | +++ b/src/camel/providers/pop3/camel-pop3-store.c | |
60 | @@ -205,6 +205,8 @@ connect_to_server (CamelService *service, | |
61 | ||
62 | if (tls_stream != NULL) { | |
63 | camel_stream_set_base_stream (stream, tls_stream); | |
64 | + /* Truncate any left cached input from the insecure part of the session */ | |
65 | + camel_pop3_stream_discard_cache (pop3_engine->stream); | |
66 | g_object_unref (tls_stream); | |
67 | } else { | |
68 | g_prefix_error ( | |
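Review bot: The added comment `/* Truncate any left cached input from the insecure part of the session */` does not say why the cache has to go, and the same wording is repeated in the connect_to_server hunk of camel-smtp-transport.c. Something like `/* Drop input buffered before the TLS handshake: it arrived in plaintext and must not be parsed as a reply from the TLS-protected session */` marks the call as a security boundary that has to stay directly after camel_stream_set_base_stream(). The reset is applied to `pop3_engine->stream` while the base stream is swapped on `stream`; the hunk does not show how the two relate, so it is worth confirming that the buffer being cleared is the one that wraps `stream`. connect_to_server() starts and ends outside the hunk.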
69 | diff --git a/src/camel/providers/pop3/camel-pop3-stream.c b/src/camel/providers/pop3/camel-pop3-stream.c | |
70 | index 74bb11e61..c485b9bd6 100644 | |
71 | --- a/src/camel/providers/pop3/camel-pop3-stream.c | |
72 | +++ b/src/camel/providers/pop3/camel-pop3-stream.c | |
73 | @@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream *is, | |
74 | ||
75 | return 1; | |
76 | } | |
77 | + | |
78 | +void | |
79 | +camel_pop3_stream_discard_cache (CamelPOP3Stream *is) | |
80 | +{ | |
81 | + if (is) { | |
82 | + is->ptr = is->end = is->buf; | |
83 | + is->lineptr = is->linebuf; | |
84 | + is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE; | |
85 | + is->ptr[0] = '\n'; | |
86 | + } | |
87 | +} | |
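Review bot: camel_pop3_stream_discard_cache() silently does nothing when `is` is NULL, so a caller bug on the STARTTLS path would leave the plaintext cache in place with no diagnostic. The sibling camel_stream_buffer_discard_cache() in this commit uses a checked precondition; doing the same here, `g_return_if_fail (CAMEL_IS_POP3_STREAM (is));`, keeps the two consistent and makes a skipped reset visible. The function also has no doc comment, and the `'\n'` written to `is->ptr[0]` (the stream-buffer variant writes `'\0'`) needs a one-line why-comment; it looks like a scan sentinel, but the hunk does not show the reader that depends on it.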
88 | diff --git a/src/camel/providers/pop3/camel-pop3-stream.h b/src/camel/providers/pop3/camel-pop3-stream.h | |
89 | index bb6dbb903..128c8c45a 100644 | |
90 | --- a/src/camel/providers/pop3/camel-pop3-stream.h | |
91 | +++ b/src/camel/providers/pop3/camel-pop3-stream.h | |
92 | @@ -87,6 +87,7 @@ gint camel_pop3_stream_getd (CamelPOP3Stream *is, | |
93 | guint *len, | |
94 | GCancellable *cancellable, | |
95 | GError **error); | |
96 | +void camel_pop3_stream_discard_cache (CamelPOP3Stream *is); | |
97 | ||
98 | G_END_DECLS | |
99 | ||
100 | diff --git a/src/camel/providers/smtp/camel-smtp-transport.c b/src/camel/providers/smtp/camel-smtp-transport.c | |
101 | index 035baf367..1fc0f3206 100644 | |
102 | --- a/src/camel/providers/smtp/camel-smtp-transport.c | |
103 | +++ b/src/camel/providers/smtp/camel-smtp-transport.c | |
104 | @@ -323,6 +323,8 @@ connect_to_server (CamelService *service, | |
105 | ||
106 | if (tls_stream != NULL) { | |
107 | camel_stream_set_base_stream (stream, tls_stream); | |
108 | + /* Truncate any left cached input from the insecure part of the session */ | |
109 | + camel_stream_buffer_discard_cache (transport->istream); | |
110 | g_object_unref (tls_stream); | |
111 | } else { | |
112 | g_prefix_error ( | |
113 | -- | |
114 | GitLab | |
115 |