Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 734130 (CVE-2020-15953) - <net-libs/libetpan-1.9.4-r1: Information disclosure via TLS mishandling (CVE-2020-15953)
Summary: <net-libs/libetpan-1.9.4-r1: Information disclosure via TLS mishandling (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2020-15953
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/dinhvh/libetpan/is...
Whiteboard: B4 [glsa+ cve]
Keywords:
Depends on:
Blocks: 807352
  Show dependency tree
 
Reported: 2020-07-27 18:18 UTC by John Helmert III
Modified: 2021-08-10 01:49 UTC (History)
1 user (show)

See Also:
Package list:
=net-libs/libetpan-1.9.4-r1
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 18:18:13 UTC 
CVE-2020-15953:

LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."



There appears to be a patch: https://github.com/dinhvh/libetpan/pull/388
Comment 1 Larry the Git Cow gentoo-dev 2020-07-27 18:30:40 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66

commit d7fe2e20aa1d6cecd9b076e4f0bbe06911576c66
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-27 18:29:18 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-27 18:30:34 +0000

    net-libs/libetpan: Security revbump to fix CVE-2020-15953
    
    Bug: https://bugs.gentoo.org/734130
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/libetpan-1.9.4-CVE-2020-15953.patch      | 86 ++++++++++++++++++++++
 net-libs/libetpan/libetpan-1.9.4-r1.ebuild         | 78 ++++++++++++++++++++
 2 files changed, 164 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 22:44:19 UTC 
GLSA vote: yes
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 23:22:44 UTC 
x86 stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 23:22:56 UTC 
amd64 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:42:50 UTC 
This issue was resolved and addressed in
 GLSA 202007-55 at https://security.gentoo.org/glsa/202007-55
by GLSA coordinator Sam James (sam_c).
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-28 19:44:47 UTC 
Reopening for remaining arches.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 05:39:53 UTC 
sparc stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 16:22:34 UTC 
ppc64 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 16:23:40 UTC 
ppc stable
Comment 10 Rolf Eike Beer archtester 2020-07-30 21:05:12 UTC 
hppa stable. Last arch, closing.
Comment 11 Rolf Eike Beer archtester 2020-07-30 21:05:34 UTC 
Ups, sorry.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-30 21:06:17 UTC 
(In reply to Rolf Eike Beer from comment #11)
> Ups, sorry.

No worries. 

Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2020-07-30 21:15:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0471b2367f4fa7a9f12bf333178b4f7e33f90

commit 8bd0471b2367f4fa7a9f12bf333178b4f7e33f90
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-07-30 21:15:03 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-07-30 21:15:33 +0000

    net-libs/libetpan: Security cleanup
    
    Bug: https://bugs.gentoo.org/734130
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/libetpan/Manifest                         |  1 -
 .../files/libetpan-1.9.3-missing-stddev_h.patch    | 30 ---------
 net-libs/libetpan/libetpan-1.9.3.ebuild            | 77 ----------------------
 net-libs/libetpan/libetpan-1.9.4.ebuild            | 77 ----------------------
 4 files changed, 185 deletions(-)
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-30 21:17:25 UTC 
Thanks everyone! All done, closing.