
Bug 730748 (CVE-2020-14928)

Summary: <gnome-extra/evolution-data-server-3.36.4: Response injection via STARTTLS (SMTP, POP3) (CVE-2020-14928)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226
Whiteboard: B3 [noglsa cve]
Package list: gnome-extra/evolution-data-server-3.36.4 mail-client/evolution-3.36.4 gnome-extra/evolution-ews-3.36.4
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 807352

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 18:21:19 UTC
From URL:
"We found a STARTTLS issue in Evolution, which affects SMTP and POP3.
When the server responds with its "let's do TLS now message", e.g. +OK begin TLS\r\n, Evolution will read any data after the \r\n and save it into some internal buffer for later processing. 

This is problematic, because a MITM attacker can inject arbitrary responses. I haven't tested it to this extent, but I suspect that this is enough to forge an entire new POP3 mailbox.
There is a nice blogpost by Wietse Venema about a "command injection" in postfix (http://www.postfix.org/CVE-2011-0411.html). 

What we have here is the problem in reverse, i.e. not a command injection, but a "response injection."

Example trace to give an intuition:

C: stls
S: +OK begin TLS
   +OK ack future user command // injected response
   +OK ack future pass command // injected response
<--- TLS --->
C: user alice
// here, Evolution interprets the first injected "+OK" response and proceeds...
C: pass password
// here, Evolution interprets the second injected "+OK" response and proceeds... 
...
An attacker can inject many more responses and (in the worst case) mimic a whole session."
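The flaw in the quoted report is a client-side buffering problem: whatever plaintext arrives behind the "+OK begin TLS" line is kept and later consumed as if it had come through the TLS channel. The following simulation is an added example, not evolution-data-server code and not the upstream patch; it models a minimal POP3 client with a line buffer over an in-memory byte stream, replays the constructed trace from the report, and contrasts the vulnerable behaviour (leftover plaintext kept) with the mitigation (any bytes left in the client's buffer after the STLS response are treated as a protocol violation and the connection is abandoned before the handshake). The stream contents, the `Pop3Client` class and `simulate()` are all constructed for this example.

```python
import io

# Constructed sample, following the trace in the report: plaintext the client
# sees in reply to STLS, with two injected "+OK" lines appended by a MITM.
PLAINTEXT_FROM_SERVER = (
    b"+OK begin TLS\r\n"
    b"+OK ack future user command\r\n"   # injected, never sent by the real server
    b"+OK ack future pass command\r\n"   # injected, never sent by the real server
)
# Constructed sample: what the genuine server says inside the TLS session
# (accepts USER, rejects a wrong PASS).
TLS_FROM_SERVER = b"+OK\r\n-ERR [AUTH] invalid credentials\r\n"


class Pop3Client:
    """Minimal line-oriented POP3 reader with an internal receive buffer."""

    def __init__(self, stream):
        self.stream = stream   # pre-TLS transport (io.BytesIO stands in for a socket)
        self.buf = b""         # bytes received but not yet handed to the protocol layer

    def read_line(self):
        # Read in large chunks, exactly the pattern that leaves trailing bytes in buf.
        while b"\r\n" not in self.buf:
            chunk = self.stream.read(4096)
            if not chunk:
                raise EOFError("connection closed")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode("ascii")

    def starttls(self, tls_stream, discard_plaintext=True):
        resp = self.read_line()
        if not resp.startswith("+OK"):
            raise RuntimeError("server refused STLS: " + resp)
        if self.buf:
            if discard_plaintext:
                # Mitigation: nothing may follow the STLS reply in plaintext.
                # Abort instead of carrying it across the trust boundary.
                raise RuntimeError(
                    "unexpected %d plaintext bytes after STLS response" % len(self.buf))
            # Vulnerable variant: self.buf is silently kept and consumed later
            # as though it had been received over TLS.
        # A real client performs the TLS handshake here; we just switch streams.
        self.stream = tls_stream
        return resp


def simulate(discard_plaintext, plaintext=PLAINTEXT_FROM_SERVER):
    """Return the responses the client attributes to USER and PASS."""
    client = Pop3Client(io.BytesIO(plaintext))
    try:
        client.starttls(io.BytesIO(TLS_FROM_SERVER), discard_plaintext)
    except RuntimeError as exc:
        return ["aborted: " + str(exc)]
    seen = []
    for _cmd in ("USER alice", "PASS password"):
        # The command itself would be written to the stream; only the
        # response handling matters for this flaw.
        seen.append(client.read_line())
    return seen


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("mitigated: ", simulate(True))
    print("no injection:", simulate(True, b"+OK begin TLS\r\n"))
```

In the vulnerable run both USER and PASS are answered by the injected lines, so the client believes it authenticated while the genuine "-ERR" is still unread in the TLS stream. The check in `starttls()` only covers bytes the client has already pulled into its own buffer; plaintext still sitting in the socket is consumed by the TLS handshake and makes it fail, so the buffer check is the piece that closes the gap.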
Comment 2 Larry the Git Cow gentoo-dev 2020-07-04 21:18:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80ea3296f50742cd45e11c9e873fb9998f6be688

commit 80ea3296f50742cd45e11c9e873fb9998f6be688
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-04 17:52:39 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-04 21:18:17 +0000

    gnome-extra/evolution-data-server: bump to 3.36.4, fixes CVE-2020-14928
    
    Bug: https://bugs.gentoo.org/730748
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 gnome-extra/evolution-data-server/Manifest         |   1 +
 .../evolution-data-server-3.36.4.ebuild            | 148 +++++++++++++++++++++
 2 files changed, 149 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2020-07-09 09:04:47 UTC
x86 stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 00:05:15 UTC
amd64: ping
Comment 5 Agostino Sarubbo gentoo-dev 2020-07-17 07:22:59 UTC
amd64 stable.

Maintainer(s), please clean up.
Security, please vote.