Bug 734130 (CVE-2020-15953)

Summary:	<net-libs/libetpan-1.9.4-r1: Information disclosure via TLS mishandling (CVE-2020-15953)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	polynomial-c
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/dinhvh/libetpan/issues/386
Whiteboard:	B4 [glsa+ cve]
Package list:	=net-libs/libetpan-1.9.4-r1	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	807352

Description John Helmert III archtester

2020-07-27 18:18:13 UTC

CVE-2020-15953:

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."



There appears to be a patch: https://github.com/dinhvh/libetpan/pull/388

Comment 1 Larry the Git Cow gentoo-dev

2020-07-27 18:30:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66

commit d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-27 18:29:18 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-27 18:30:34 +0000

    net-libs/libetpan: Security revbump to fix CVE-2020-15953
    
    Bug: https://bugs.gentoo.org/734130
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/libetpan-1.9.4-CVE-2020-15953.patch      | 86 ++++++++++++++++++++++
 net-libs/libetpan/libetpan-1.9.4-r1.ebuild         | 78 ++++++++++++++++++++
 2 files changed, 164 insertions(+)

Comment 2 Sam James archtester

2020-07-27 22:44:19 UTC

GLSA vote: yes

Comment 3 Sam James archtester

2020-07-27 23:22:44 UTC

x86 stable

Comment 4 Sam James archtester

2020-07-27 23:22:56 UTC

amd64 stable

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2020-07-28 19:42:50 UTC

This issue was resolved and addressed in
 GLSA 202007-55 at https://security.gentoo.org/glsa/202007-55
by GLSA coordinator Sam James (sam_c).

Comment 6 Sam James archtester

2020-07-28 19:44:47 UTC

Reopening for remaining arches.

Comment 7 Sam James archtester

2020-07-29 05:39:53 UTC

sparc stable

Comment 8 Sam James archtester

2020-07-29 16:22:34 UTC

ppc64 stable

Comment 9 Sam James archtester

2020-07-29 16:23:40 UTC

ppc stable

Comment 10 Rolf Eike Beer archtester

2020-07-30 21:05:12 UTC

hppa stable. Last arch, closing.

Comment 11 Rolf Eike Beer archtester

2020-07-30 21:05:34 UTC

Ups, sorry.

Comment 12 Sam James archtester

2020-07-30 21:06:17 UTC

(In reply to Rolf Eike Beer from comment #11)
> Ups, sorry.

No worries. 

Please cleanup.

Comment 13 Larry the Git Cow gentoo-dev

2020-07-30 21:15:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0471b2367f4fa7a9f12bf333178b4f7e33f90

commit 8bd0471b2367f4fa7a9f12bf333178b4f7e33f90
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-30 21:15:03 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-30 21:15:33 +0000

    net-libs/libetpan: Security cleanup
    
    Bug: https://bugs.gentoo.org/734130
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/libetpan/Manifest                         |  1 -
 .../files/libetpan-1.9.3-missing-stddev_h.patch    | 30 ---------
 net-libs/libetpan/libetpan-1.9.3.ebuild            | 77 ----------------------
 net-libs/libetpan/libetpan-1.9.4.ebuild            | 77 ----------------------
 4 files changed, 185 deletions(-)

Comment 14 Sam James archtester

2020-07-30 21:17:25 UTC

Thanks everyone! All done, closing.