Bug 739174 (CVE-2020-24661) - <mail-client/geary-3.36.3.1: Invalid TLS certificate handling (CVE-2020-24661)
Summary: <mail-client/geary-3.36.3.1: Invalid TLS certificate handling (CVE-2020-24661)
Status: RESOLVED FIXED
Alias: CVE-2020-24661
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/geary/...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks: 807352
Reported: 2020-08-27 01:05 UTC by Sam James
Modified: 2021-08-10 01:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester gentoo-dev Security 2020-08-27 01:05:21 UTC
Description:
"GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail."

3.36.3.1, 3.37.91 just got released with the fix.
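The failure mode in the CVE text, a pin that is treated as "this host is trusted" instead of "this exact certificate is trusted", is easy to illustrate. The following is an added example, not Geary's code; the certificate bytes, host name and both accept functions are constructed for illustration, and the flawed variant is a hypothetical reconstruction of the bug class, not Geary's actual logic.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded certificates. Neither is a real
# certificate; only the fact that they differ matters for the example.
ORIGINAL_SELF_SIGNED = b"constructed-self-signed-cert-for-imap.example"
ATTACKER_SELF_SIGNED = b"constructed-different-self-signed-cert"

PinStore = Dict[Tuple[str, int], str]  # (host, port) -> hex SHA-256 fingerprint


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_certificate(store: PinStore, host: str, port: int, cert_der: bytes) -> None:
    """Record the user's explicit decision to trust this exact certificate."""
    store[(host, port)] = fingerprint(cert_der)


def flawed_accept(store: PinStore, host: str, port: int,
                  cert_der: bytes, chain_valid: bool) -> bool:
    """Bug class: once a pin exists for the host, ANY invalid certificate
    presented for that host is accepted, so a meddler in the middle can swap
    in a different self-signed certificate."""
    if chain_valid:
        return True
    return (host, port) in store  # pinned host, not pinned certificate


def correct_accept(store: PinStore, host: str, port: int,
                   cert_der: bytes, chain_valid: bool) -> bool:
    """A pin vouches only for the certificate the user actually approved."""
    if chain_valid:
        return True
    pinned: Optional[str] = store.get((host, port))
    return pinned is not None and hmac.compare_digest(pinned, fingerprint(cert_der))


def demo() -> Dict[str, bool]:
    store: PinStore = {}
    pin_certificate(store, "imap.example", 993, ORIGINAL_SELF_SIGNED)
    return {
        "original_ok": correct_accept(store, "imap.example", 993, ORIGINAL_SELF_SIGNED, False),
        "mitm_flawed": flawed_accept(store, "imap.example", 993, ATTACKER_SELF_SIGNED, False),
        "mitm_correct": correct_accept(store, "imap.example", 993, ATTACKER_SELF_SIGNED, False),
    }
```

Only the pinned certificate passes the corrected check; a different invalid certificate for the same host is rejected even though a pin exists.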
Comment 1 Larry the Git Cow gentoo-dev 2020-08-29 08:27:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d23fe4045be61ae9fdb084b7ad0e8f035bf5e8a

commit 0d23fe4045be61ae9fdb084b7ad0e8f035bf5e8a
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-29 08:26:53 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-29 08:27:25 +0000

    mail-client/geary: security cleanup
    
    Bug: https://bugs.gentoo.org/739174
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/geary/Manifest            |  1 -
 mail-client/geary/geary-3.36.2.ebuild | 98 -----------------------------------
 2 files changed, 99 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=498eeae0f6432454823cfda9225edd5e93fd8676

commit 498eeae0f6432454823cfda9225edd5e93fd8676
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-29 08:12:54 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-29 08:27:25 +0000

    mail-client/geary: security bump to 3.36.3.1
    
    Bug: https://bugs.gentoo.org/739174
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 mail-client/geary/Manifest              |  1 +
 mail-client/geary/geary-3.36.3.1.ebuild | 99 +++++++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2020-08-29 13:06:45 UTC
noglsa b/c ~ so closing, thanks!