1 From ba82be72cfd427b5d72ff21f929b3a6d8529c4df Mon Sep 17 00:00:00 2001
2 From: Milan Crha <mcrha@redhat.com>
3 Date: Mon, 22 Jun 2020 13:40:17 +0200
4 Subject: [PATCH] I#226 - CVE-2020-14928: Response Injection via STARTTLS in
7 Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
9 src/camel/camel-stream-buffer.c | 19 +++++++++++++++++++
10 src/camel/camel-stream-buffer.h | 1 +
11 src/camel/providers/pop3/camel-pop3-store.c | 2 ++
12 src/camel/providers/pop3/camel-pop3-stream.c | 11 +++++++++++
13 src/camel/providers/pop3/camel-pop3-stream.h | 1 +
14 .../providers/smtp/camel-smtp-transport.c | 2 ++
15 6 files changed, 36 insertions(+)
17 diff --git a/src/camel/camel-stream-buffer.c b/src/camel/camel-stream-buffer.c
18 index 3e2e0dd36..a6f605ae5 100644
19 --- a/src/camel/camel-stream-buffer.c
20 +++ b/src/camel/camel-stream-buffer.c
21 @@ -518,3 +518,22 @@ camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
23 return g_strdup ((gchar *) sbf->priv->linebuf);
27 + * camel_stream_buffer_discard_cache:
28 + * @sbf: a #CamelStreamBuffer
30 + * Discards any cached data in the @sbf. The next read reads
36 +camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf)
38 + g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf));
40 + sbf->priv->ptr = sbf->priv->buf;
41 + sbf->priv->end = sbf->priv->buf;
42 + sbf->priv->ptr[0] = '\0';
44 diff --git a/src/camel/camel-stream-buffer.h b/src/camel/camel-stream-buffer.h
45 index ef92cfd8e..094e9926b 100644
46 --- a/src/camel/camel-stream-buffer.h
47 +++ b/src/camel/camel-stream-buffer.h
48 @@ -93,6 +93,7 @@ gint camel_stream_buffer_gets (CamelStreamBuffer *sbf,
49 gchar * camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
50 GCancellable *cancellable,
52 +void camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf);
56 diff --git a/src/camel/providers/pop3/camel-pop3-store.c b/src/camel/providers/pop3/camel-pop3-store.c
57 index 81c370f0a..5c9eb1eaa 100644
58 --- a/src/camel/providers/pop3/camel-pop3-store.c
59 +++ b/src/camel/providers/pop3/camel-pop3-store.c
60 @@ -205,6 +205,8 @@ connect_to_server (CamelService *service,
62 if (tls_stream != NULL) {
63 camel_stream_set_base_stream (stream, tls_stream);
64 + /* Truncate any left cached input from the insecure part of the session */
65 + camel_pop3_stream_discard_cache (pop3_engine->stream);
66 g_object_unref (tls_stream);
69 diff --git a/src/camel/providers/pop3/camel-pop3-stream.c b/src/camel/providers/pop3/camel-pop3-stream.c
70 index 74bb11e61..c485b9bd6 100644
71 --- a/src/camel/providers/pop3/camel-pop3-stream.c
72 +++ b/src/camel/providers/pop3/camel-pop3-stream.c
73 @@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream *is,
79 +camel_pop3_stream_discard_cache (CamelPOP3Stream *is)
82 + is->ptr = is->end = is->buf;
83 + is->lineptr = is->linebuf;
84 + is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE;
88 diff --git a/src/camel/providers/pop3/camel-pop3-stream.h b/src/camel/providers/pop3/camel-pop3-stream.h
89 index bb6dbb903..128c8c45a 100644
90 --- a/src/camel/providers/pop3/camel-pop3-stream.h
91 +++ b/src/camel/providers/pop3/camel-pop3-stream.h
92 @@ -87,6 +87,7 @@ gint camel_pop3_stream_getd (CamelPOP3Stream *is,
94 GCancellable *cancellable,
96 +void camel_pop3_stream_discard_cache (CamelPOP3Stream *is);
100 diff --git a/src/camel/providers/smtp/camel-smtp-transport.c b/src/camel/providers/smtp/camel-smtp-transport.c
101 index 035baf367..1fc0f3206 100644
102 --- a/src/camel/providers/smtp/camel-smtp-transport.c
103 +++ b/src/camel/providers/smtp/camel-smtp-transport.c
104 @@ -323,6 +323,8 @@ connect_to_server (CamelService *service,
106 if (tls_stream != NULL) {
107 camel_stream_set_base_stream (stream, tls_stream);
108 + /* Truncate any left cached input from the insecure part of the session */
109 + camel_stream_buffer_discard_cache (transport->istream);
110 g_object_unref (tls_stream);