gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch

   1 From ba82be72cfd427b5d72ff21f929b3a6d8529c4df Mon Sep 17 00:00:00 2001
   2 From: Milan Crha <mcrha@redhat.com>
   3 Date: Mon, 22 Jun 2020 13:40:17 +0200
   4 Subject: [PATCH] I#226 - CVE-2020-14928: Response Injection via STARTTLS in
   5  SMTP and POP3
   6
   7 Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
   8 ---
   9  src/camel/camel-stream-buffer.c               | 19 +++++++++++++++++++
  10  src/camel/camel-stream-buffer.h               |  1 +
  11  src/camel/providers/pop3/camel-pop3-store.c   |  2 ++
  12  src/camel/providers/pop3/camel-pop3-stream.c  | 11 +++++++++++
  13  src/camel/providers/pop3/camel-pop3-stream.h  |  1 +
  14  .../providers/smtp/camel-smtp-transport.c     |  2 ++
  15  6 files changed, 36 insertions(+)
  16
  17 diff --git a/src/camel/camel-stream-buffer.c b/src/camel/camel-stream-buffer.c
  18 index 3e2e0dd36..a6f605ae5 100644
  19 --- a/src/camel/camel-stream-buffer.c
  20 +++ b/src/camel/camel-stream-buffer.c
  21 @@ -518,3 +518,22 @@ camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
  22
  23         return g_strdup ((gchar *) sbf->priv->linebuf);
  24  }
  25 +
  26 +/**
  27 + * camel_stream_buffer_discard_cache:
  28 + * @sbf: a #CamelStreamBuffer
  29 + *
  30 + * Discards any cached data in the @sbf. The next read reads
  31 + * from the stream.
  32 + *
  33 + * Since: 3.38
  34 + **/
  35 +void
  36 +camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf)
  37 +{
  38 +       g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf));
  39 +
  40 +       sbf->priv->ptr = sbf->priv->buf;
  41 +       sbf->priv->end = sbf->priv->buf;
  42 +       sbf->priv->ptr[0] = '\0';
  43 +}
  44 diff --git a/src/camel/camel-stream-buffer.h b/src/camel/camel-stream-buffer.h
  45 index ef92cfd8e..094e9926b 100644
  46 --- a/src/camel/camel-stream-buffer.h
  47 +++ b/src/camel/camel-stream-buffer.h
  48 @@ -93,6 +93,7 @@ gint          camel_stream_buffer_gets        (CamelStreamBuffer *sbf,
  49  gchar *                camel_stream_buffer_read_line   (CamelStreamBuffer *sbf,
  50                                                  GCancellable *cancellable,
  51                                                  GError **error);
  52 +void           camel_stream_buffer_discard_cache       (CamelStreamBuffer *sbf);
  53
  54  G_END_DECLS
  55
  56 diff --git a/src/camel/providers/pop3/camel-pop3-store.c b/src/camel/providers/pop3/camel-pop3-store.c
  57 index 81c370f0a..5c9eb1eaa 100644
  58 --- a/src/camel/providers/pop3/camel-pop3-store.c
  59 +++ b/src/camel/providers/pop3/camel-pop3-store.c
  60 @@ -205,6 +205,8 @@ connect_to_server (CamelService *service,
  61
  62         if (tls_stream != NULL) {
  63                 camel_stream_set_base_stream (stream, tls_stream);
  64 +               /* Truncate any left cached input from the insecure part of the session */
  65 +               camel_pop3_stream_discard_cache (pop3_engine->stream);
  66                 g_object_unref (tls_stream);
  67         } else {
  68                 g_prefix_error (
  69 diff --git a/src/camel/providers/pop3/camel-pop3-stream.c b/src/camel/providers/pop3/camel-pop3-stream.c
  70 index 74bb11e61..c485b9bd6 100644
  71 --- a/src/camel/providers/pop3/camel-pop3-stream.c
  72 +++ b/src/camel/providers/pop3/camel-pop3-stream.c
  73 @@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream *is,
  74
  75         return 1;
  76  }
  77 +
  78 +void
  79 +camel_pop3_stream_discard_cache (CamelPOP3Stream *is)
  80 +{
  81 +       if (is) {
  82 +               is->ptr = is->end = is->buf;
  83 +               is->lineptr = is->linebuf;
  84 +               is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE;
  85 +               is->ptr[0] = '\n';
  86 +       }
  87 +}
  88 diff --git a/src/camel/providers/pop3/camel-pop3-stream.h b/src/camel/providers/pop3/camel-pop3-stream.h
  89 index bb6dbb903..128c8c45a 100644
  90 --- a/src/camel/providers/pop3/camel-pop3-stream.h
  91 +++ b/src/camel/providers/pop3/camel-pop3-stream.h
  92 @@ -87,6 +87,7 @@ gint          camel_pop3_stream_getd          (CamelPOP3Stream *is,
  93                                                  guint *len,
  94                                                  GCancellable *cancellable,
  95                                                  GError **error);
  96 +void           camel_pop3_stream_discard_cache (CamelPOP3Stream *is);
  97
  98  G_END_DECLS
  99
 100 diff --git a/src/camel/providers/smtp/camel-smtp-transport.c b/src/camel/providers/smtp/camel-smtp-transport.c
 101 index 035baf367..1fc0f3206 100644
 102 --- a/src/camel/providers/smtp/camel-smtp-transport.c
 103 +++ b/src/camel/providers/smtp/camel-smtp-transport.c
 104 @@ -323,6 +323,8 @@ connect_to_server (CamelService *service,
 105
 106         if (tls_stream != NULL) {
 107                 camel_stream_set_base_stream (stream, tls_stream);
 108 +               /* Truncate any left cached input from the insecure part of the session */
 109 +               camel_stream_buffer_discard_cache (transport->istream);
 110                 g_object_unref (tls_stream);
 111         } else {
 112                 g_prefix_error (
 113 --
 114 GitLab
 115