Bug 725910

Summary:	<mail-client/balsa-2.6.1: TLS certificate mishandling (CVE-2020-13645)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ajak, gnome, ostroffjh
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://gitlab.gnome.org/GNOME/balsa/-/issues/34
Whiteboard:	B3 [noglsa cve]
Package list:	mail-client/balsa-2.6.1	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	725908

Description Sam James archtester

2020-05-28 17:42:04 UTC

Description:
"In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host."

Comment 1 Sam James archtester

2020-05-28 17:42:42 UTC

Patches:
https://gitlab.gnome.org/GNOME/balsa/-/commit/9b19c66ce4cd6d57dcaaa9499b8e0242d96f9c89
https://gitlab.gnome.org/GNOME/balsa/-/commit/0ae0fde107f2ed36a0bdc4d46cce2d11a11a5b67

Comment 2 Sam James archtester

2020-06-24 22:39:47 UTC

ping

Comment 3 Sam James archtester

2020-07-18 20:57:32 UTC

ping

Comment 4 Roy Bamford gentoo-dev

2020-07-19 11:06:17 UTC

https://pawsa.fedorapeople.org/balsa/  says ...

News

2020-05-10
    You can now download balsa-2.5.11 and balsa-2.6.1. balsa-2.5.11 still links against gmime2. Balsa-2.6.1 links against gmime30. Both versions have a TLS server identity bug fixed. 

balsa-2.5.11 builds if the PATCHES is removed from the 2.5.6-r1 build.
That's not nearly enough testing to qualify as a version bump.

Comment 5 Sam James archtester

2020-07-26 05:47:28 UTC

ping

Comment 6 John Helmert III archtester

2020-07-29 21:26:15 UTC

CVE-2020-16118:

In GNOME Balsa before 2.6.0, a malicious server operator or man in the middle can trigger a NULL pointer dereference and client crash by sending a PREAUTH response to imap_mbox_connect in libbalsa/imap/imap-handle.c.


Issue: https://gitlab.gnome.org/GNOME/balsa/-/issues/23
Patch: https://gitlab.gnome.org/GNOME/balsa/-/commit/4e245d758e1c826a01080d40c22ca8706f0339e5

balsa $ git tag --contains 4e245d758e1c826a01080d40c22ca8706f0339e5
2.5.10
2.5.11
2.6.0
2.6.1

(In reply to Sam James from comment #1)
> Patches:
> https://gitlab.gnome.org/GNOME/balsa/-/commit/
> 9b19c66ce4cd6d57dcaaa9499b8e0242d96f9c89

404?

> https://gitlab.gnome.org/GNOME/balsa/-/commit/
> 0ae0fde107f2ed36a0bdc4d46cce2d11a11a5b67

This one is in 2.5.11 and 2.6.1:

balsa $ git tag --contains 0ae0fde107f2ed36a0bdc4d46cce2d11a11a5b67
2.5.11
2.6.1

Comment 7 Larry the Git Cow gentoo-dev

2020-08-24 07:48:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98480bf85d035209c098e69731307bd614321358

commit 98480bf85d035209c098e69731307bd614321358
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-24 07:43:40 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-24 07:48:01 +0000

    mail-client/balsa: bump to 2.6.1
    
    Bug: https://bugs.gentoo.org/725910
    Closes: https://bugs.gentoo.org/698670
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/balsa/Manifest           |  1 +
 mail-client/balsa/balsa-2.6.1.ebuild | 75 ++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)

Comment 8 Sam James archtester

2020-08-25 00:22:03 UTC

x86 done

Comment 9 Sam James archtester

2020-08-25 18:08:27 UTC

amd64 done

all arches done

Comment 10 Sam James archtester

2020-08-25 18:28:34 UTC

Please cleanup.

Comment 11 Sam James archtester

2020-08-25 23:44:31 UTC

noglsa because the main issue was in glib-networking.

Comment 12 Larry the Git Cow gentoo-dev

2020-08-29 08:27:45 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=952e9a293c1a5c2e1a7887843c0969936e30f841

commit 952e9a293c1a5c2e1a7887843c0969936e30f841
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-29 08:10:19 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-29 08:27:25 +0000

    mail-client/balsa: security cleanup
    
    Bug: https://bugs.gentoo.org/725910
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/balsa/Manifest                         |   1 -
 mail-client/balsa/balsa-2.5.6-r1.ebuild            |  71 ----------
 .../files/balsa-2.5.6-fix-older-webkit1.patch      | 156 ---------------------
 .../files/balsa-2.5.6-fix-older-webkit2.patch      |  53 -------
 mail-client/balsa/metadata.xml                     |   1 -
 5 files changed, 282 deletions(-)

Comment 13 Sam James archtester

2020-08-29 13:01:47 UTC

Thanks!