Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 806595 (CVE-2021-38084)

Summary: <mail-mta/courier-1.1.5: STARTTLS injection for POP3 protocol
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor Flags: nattka: sanity-check-
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=807292
Whiteboard: B3 [noglsa]
Package list:
net-libs/courier-unicode-2.2.3 amd64 arm arm64 hppa ppc ppc64 sparc x86 net-libs/courier-authlib-0.71.3 amd64 arm arm64 hppa ppc ppc64 sparc x86 mail-mta/courier-1.1.5
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 807352    

Description Hanno Böck gentoo-dev 2021-08-05 18:56:57 UTC
Courier versions before 1.1.5 are vulnerable for a STARTTLS injection for the POP3 protocol.

I already bumped the packages, we need to stabilize the depending libraries together with it.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 01:11:50 UTC
Thanks!

Add CC-ARCHES when it's ready to be stabled.
Comment 2 Hanno Böck gentoo-dev 2021-08-06 05:34:08 UTC
Archs, please stabilize.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 13:35:27 UTC
ppc64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 13:35:29 UTC
ppc done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 20:42:17 UTC
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 20:42:56 UTC
x86 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 20:43:37 UTC
arm done
Comment 8 Agostino Sarubbo gentoo-dev 2021-08-08 07:46:21 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 NATTkA bot gentoo-dev 2021-08-08 07:48:23 UTC Comment hidden (obsolete)
Comment 10 Larry the Git Cow gentoo-dev 2021-08-16 02:24:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98ee95beb4125bf3cffadd31e22b1a9aab678ab4

commit 98ee95beb4125bf3cffadd31e22b1a9aab678ab4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-16 02:22:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-16 02:24:05 +0000

    net-libs/courier-authlib: subscribe to courier-unicode subslot
    
    Bug: https://bugs.gentoo.org/806595
    Bug: https://bugs.gentoo.org/807292
    Signed-off-by: Sam James <sam@gentoo.org>

 ...ourier-authlib-0.69.0-r3.ebuild => courier-authlib-0.69.0-r4.ebuild} | 2 +-
 ...ourier-authlib-0.70.0-r2.ebuild => courier-authlib-0.70.0-r3.ebuild} | 2 +-
 ...ourier-authlib-0.71.0-r2.ebuild => courier-authlib-0.71.0-r3.ebuild} | 2 +-
 ...ourier-authlib-0.71.1-r2.ebuild => courier-authlib-0.71.1-r3.ebuild} | 2 +-
 ...ourier-authlib-0.71.2-r2.ebuild => courier-authlib-0.71.2-r3.ebuild} | 2 +-
 .../{courier-authlib-0.71.3.ebuild => courier-authlib-0.71.3-r1.ebuild} | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6b4101a6edb95c607a9390e5ed67b61f65c0497

commit a6b4101a6edb95c607a9390e5ed67b61f65c0497
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-16 02:21:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-16 02:24:00 +0000

    net-mail/courier-imap: subscribe to courier-unicode subslot
    
    Bug: https://bugs.gentoo.org/806595
    Bug: https://bugs.gentoo.org/807292
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{courier-imap-5.1.2.ebuild => courier-imap-5.1.2-r1.ebuild}     | 6 +++---
 .../{courier-imap-5.1.3.ebuild => courier-imap-5.1.3-r1.ebuild}     | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdd9cd787d7b14073350e54f4a3ac1e123d07ad8

commit fdd9cd787d7b14073350e54f4a3ac1e123d07ad8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-16 02:20:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-16 02:23:56 +0000

    mail-mta/courier: subscribe to courier-unicode subslot
    
    Bug: https://bugs.gentoo.org/806595
    Bug: https://bugs.gentoo.org/807292
    Signed-off-by: Sam James <sam@gentoo.org>

 mail-mta/courier/{courier-1.0.13.ebuild => courier-1.0.13-r1.ebuild} | 4 ++--
 mail-mta/courier/{courier-1.0.14.ebuild => courier-1.0.14-r1.ebuild} | 4 ++--
 mail-mta/courier/{courier-1.0.17.ebuild => courier-1.0.17-r1.ebuild} | 4 ++--
 mail-mta/courier/{courier-1.0.5.ebuild => courier-1.0.5-r1.ebuild}   | 4 ++--
 mail-mta/courier/{courier-1.1.2.ebuild => courier-1.1.2-r1.ebuild}   | 4 ++--
 mail-mta/courier/{courier-1.1.5.ebuild => courier-1.1.5-r1.ebuild}   | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61ab1b57be2f20b62c6b4d420ba4cd3bc0ed326e

commit 61ab1b57be2f20b62c6b4d420ba4cd3bc0ed326e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-16 02:18:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-16 02:23:52 +0000

    mail-client/cone: subscribe to courier-unicode subslot
    
    Bug: https://bugs.gentoo.org/806595
    Bug: https://bugs.gentoo.org/807292
    Signed-off-by: Sam James <sam@gentoo.org>

 mail-client/cone/{cone-1.0.ebuild => cone-1.0-r1.ebuild} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f05ed3fe5451d0e8b341890c083afe38a2883fa

commit 0f05ed3fe5451d0e8b341890c083afe38a2883fa
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-16 02:17:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-16 02:23:47 +0000

    mail-filter/maildrop: subscribe to courier-unicode subslot
    
    Bug: https://bugs.gentoo.org/806595
    Bug: https://bugs.gentoo.org/807292
    Signed-off-by: Sam James <sam@gentoo.org>

 .../maildrop/{maildrop-3.0.0.ebuild => maildrop-3.0.0-r1.ebuild} | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae4b36193858f28bb15a04c15d69459d7f95d45d

commit ae4b36193858f28bb15a04c15d69459d7f95d45d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-08-16 02:14:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-08-16 02:23:35 +0000

    net-libs/courier-unicode: add subslot for ABI breakage
    
    SONAME from 2.1 -> 2.2 went from 4.1.0 -> 7.0.0.
    
    Bug: https://bugs.gentoo.org/806595
    Bug: https://bugs.gentoo.org/807292
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{courier-unicode-2.2.3.ebuild => courier-unicode-2.2.3-r1.ebuild} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2021-08-16 02:28:22 UTC
Unable to check for sanity:

> no match for package: net-libs/courier-unicode-2.2.3
Comment 12 Larry the Git Cow gentoo-dev 2022-01-17 11:15:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48307799432614ef292a2eef80331e050e1a033a

commit 48307799432614ef292a2eef80331e050e1a033a
Author:     Hanno Böck <hanno@gentoo.org>
AuthorDate: 2022-01-17 11:15:14 +0000
Commit:     Hanno Böck <hanno@gentoo.org>
CommitDate: 2022-01-17 11:15:14 +0000

    mail-mta/courier: Cleanup old versions
    
    Signed-off-by: Hanno Böck <hanno@gentoo.org>
    Bug: https://bugs.gentoo.org/806595
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 mail-mta/courier/Manifest                 |   5 -
 mail-mta/courier/courier-1.0.13-r1.ebuild | 312 -----------------------------
 mail-mta/courier/courier-1.0.14-r1.ebuild | 312 -----------------------------
 mail-mta/courier/courier-1.0.17-r1.ebuild | 312 -----------------------------
 mail-mta/courier/courier-1.0.5-r1.ebuild  | 317 ------------------------------
 mail-mta/courier/courier-1.1.2-r1.ebuild  | 312 -----------------------------
 6 files changed, 1570 deletions(-)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-17 20:19:35 UTC
Thanks Hanno!
Comment 14 Hanno Böck gentoo-dev 2022-01-18 18:19:00 UTC
FWIW as one of the authors of the research disclosing that bug I think it doesn't need a GLSA. We couldn't find a practical exploit for the POP3 case. For SMTP and IMAP this is a serious vuln, but that wasn't vulnerable in courier.
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-18 20:15:31 UTC
(In reply to Hanno Böck from comment #14)
> FWIW as one of the authors of the research disclosing that bug I think it
> doesn't need a GLSA. We couldn't find a practical exploit for the POP3 case.
> For SMTP and IMAP this is a serious vuln, but that wasn't vulnerable in
> courier.

Makes sense, thanks! Closing