Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 808528 (CVE-2021-38372) - mail-client/trojita: STARTTLS vulnerability (CVE-2021-38372)
Summary: mail-client/trojita: STARTTLS vulnerability (CVE-2021-38372)
Status: RESOLVED FIXED
Alias: CVE-2021-38372
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard: B4 [noglsa]
Keywords: PMASKED
Depends on: 685750
Blocks: 807352
  Show dependency tree
 
Reported: 2021-08-16 00:25 UTC by Sam James
Modified: 2023-06-11 18:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-16 00:25:38 UTC 
Description:
"In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS."
Comment 1 Larry the Git Cow gentoo-dev 2021-10-05 07:39:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9df4995d2d5ddf1fa053e266a0636c1eb3784afc

commit 9df4995d2d5ddf1fa053e266a0636c1eb3784afc
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2021-10-05 06:48:47 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2021-10-05 07:36:49 +0000

    mail-client/trojita: treeclean
    
    Bug: https://bugs.gentoo.org/685750
    Bug: https://bugs.gentoo.org/808528
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 mail-client/trojita/Manifest                       |   1 -
 .../trojita/files/trojita-0.7-CVE-2019-10734.patch | 104 -----------
 .../trojita/files/trojita-0.7-CVE-2020-15047.patch |  82 --------
 .../trojita/files/trojita-0.7-cmake-cxx11.patch    |  66 -------
 .../files/trojita-0.7-crash-w-attachments.patch    |  68 -------
 .../files/trojita-0.7-desktop-spec-namespace.patch |  57 ------
 .../trojita/files/trojita-0.7-gpg-tests.patch      |  27 ---
 mail-client/trojita/files/trojita-0.7-gpgme.patch  |  34 ----
 .../trojita/files/trojita-0.7-metainfo.patch       |  26 ---
 .../trojita/files/trojita-0.7-qt-5.11b3.patch      | 207 ---------------------
 .../trojita/files/trojita-0.7-qt-5.13.patch        |  37 ----
 .../trojita/files/trojita-0.7-qt-5.15.patch        |  28 ---
 mail-client/trojita/metadata.xml                   |  23 ---
 mail-client/trojita/trojita-0.7-r6.ebuild          |  90 ---------
 mail-client/trojita/trojita-9999.ebuild            |  81 --------
 profiles/package.mask                              |   5 -
 16 files changed, 936 deletions(-)
Comment 2 Andreas Sturmlechner gentoo-dev 2021-11-05 17:27:51 UTC 
This package is gone, see above commit, kde proj out.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-11 18:58:26 UTC 
Low impact so no GLSA, all done!