Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 734130 (CVE-2020-15953) - <net-libs/libetpan-1.9.4-r1: Information disclosure via TLS mishandling (CVE-2020-15953)
Summary: <net-libs/libetpan-1.9.4-r1: Information disclosure via TLS mishandling (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2020-15953
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/dinhvh/libetpan/is...
Whiteboard: B4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-27 18:18 UTC by John Helmert III (ajak)
Modified: 2020-07-30 21:17 UTC (History)
1 user (show)

See Also:
Package list:
=net-libs/libetpan-1.9.4-r1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) 2020-07-27 18:18:13 UTC
CVE-2020-15953:

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."



There appears to be a patch: https://github.com/dinhvh/libetpan/pull/388
Comment 1 Larry the Git Cow gentoo-dev 2020-07-27 18:30:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66

commit d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-27 18:29:18 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-27 18:30:34 +0000

    net-libs/libetpan: Security revbump to fix CVE-2020-15953
    
    Bug: https://bugs.gentoo.org/734130
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/libetpan-1.9.4-CVE-2020-15953.patch      | 86 ++++++++++++++++++++++
 net-libs/libetpan/libetpan-1.9.4-r1.ebuild         | 78 ++++++++++++++++++++
 2 files changed, 164 insertions(+)
Comment 2 Sam James gentoo-dev Security 2020-07-27 22:44:19 UTC
GLSA vote: yes
Comment 3 Sam James gentoo-dev Security 2020-07-27 23:22:44 UTC
x86 stable
Comment 4 Sam James gentoo-dev Security 2020-07-27 23:22:56 UTC
amd64 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:42:50 UTC
This issue was resolved and addressed in
 GLSA 202007-55 at https://security.gentoo.org/glsa/202007-55
by GLSA coordinator Sam James (sam_c).
Comment 6 Sam James gentoo-dev Security 2020-07-28 19:44:47 UTC
Reopening for remaining arches.
Comment 7 Sam James gentoo-dev Security 2020-07-29 05:39:53 UTC
sparc stable
Comment 8 Sam James gentoo-dev Security 2020-07-29 16:22:34 UTC
ppc64 stable
Comment 9 Sam James gentoo-dev Security 2020-07-29 16:23:40 UTC
ppc stable
Comment 10 Rolf Eike Beer 2020-07-30 21:05:12 UTC
hppa stable. Last arch, closing.
Comment 11 Rolf Eike Beer 2020-07-30 21:05:34 UTC
Ups, sorry.
Comment 12 Sam James gentoo-dev Security 2020-07-30 21:06:17 UTC
(In reply to Rolf Eike Beer from comment #11)
> Ups, sorry.

No worries. 

Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2020-07-30 21:15:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0471b2367f4fa7a9f12bf333178b4f7e33f90

commit 8bd0471b2367f4fa7a9f12bf333178b4f7e33f90
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-30 21:15:03 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-30 21:15:33 +0000

    net-libs/libetpan: Security cleanup
    
    Bug: https://bugs.gentoo.org/734130
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/libetpan/Manifest                         |  1 -
 .../files/libetpan-1.9.3-missing-stddev_h.patch    | 30 ---------
 net-libs/libetpan/libetpan-1.9.3.ebuild            | 77 ----------------------
 net-libs/libetpan/libetpan-1.9.4.ebuild            | 77 ----------------------
 4 files changed, 185 deletions(-)
Comment 14 Sam James gentoo-dev Security 2020-07-30 21:17:25 UTC
Thanks everyone! All done, closing.