diff --git a/libetpan-1.9.2-cryptopolicy.patch b/libetpan-1.9.2-cryptopolicy.patch
new file mode 100644
index 0000000..34e2dba
--- /dev/null
+++ b/libetpan-1.9.2-cryptopolicy.patch
@@ -0,0 +1,11 @@
+diff -Naur libetpan-1.9.2-orig/src/data-types/mailstream_ssl.c libetpan-1.9.2/src/data-types/mailstream_ssl.c
+--- libetpan-1.9.2-orig/src/data-types/mailstream_ssl.c 2018-12-18 00:18:48.000000000 +0100
++++ libetpan-1.9.2/src/data-types/mailstream_ssl.c 2018-12-24 20:12:06.870080101 +0100
+@@ -622,7 +622,6 @@
+ gnutls_certificate_set_retrieve_function(xcred, mailstream_gnutls_client_cert_cb);
+ #endif
+ gnutls_set_default_priority(session);
+- gnutls_priority_set_direct(session, "NORMAL", NULL);
+
+ gnutls_record_disable_padding(session);
+ gnutls_dh_set_prime_bits(session, 512);
diff --git a/libetpan-1.9.4-0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch b/libetpan-1.9.4-0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
new file mode 100644
index 0000000..d889378
--- /dev/null
+++ b/libetpan-1.9.4-0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
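Review bot: The context line `gnutls_dh_set_prime_bits(session, 512);` survives this patch and pulls against its intent: per the GnuTLS documentation that call, on the client side, sets the smallest DH group the session will accept, and 512 bits is export-grade (Logjam territory), far below anything a system crypto policy would permit. Recent GnuTLS releases document the value as overridden by the priority string's security level, so it may be inert once `gnutls_set_default_priority` is the only priority call, but whether that holds for the GnuTLS this spec builds against is not visible here. Dropping that line in the same patch, or at least adding `/* minimum DH size now comes from the system policy */` beside it after confirming the version, would make the crypto-policy intent unambiguous. The enclosing function in mailstream_ssl.c starts and ends outside the hunk.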
@@ -0,0 +1,30 @@
+From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: [PATCH 1/2] Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index bb17119..4ffcf55 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
+
+ mailimap_response_free(response);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->imap_stream->read_buffer_len != 0) {
++ // Since it is also an IMAP protocol violation, exit.
++ return MAILIMAP_ERROR_STARTTLS;
++ }
++
+ switch (error_code) {
+ case MAILIMAP_RESP_COND_STATE_OK:
+ return MAILIMAP_NO_ERROR;
+--
+2.26.2
+
diff --git a/libetpan-1.9.4-0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch b/libetpan-1.9.4-0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
new file mode 100644
index 0000000..a39f2cb
--- /dev/null
+++ b/libetpan-1.9.4-0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
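Review bot: The new check returns MAILIMAP_ERROR_STARTTLS but leaves the offending bytes sitting in the stream's read buffer, and nothing in the hunk closes or marks the stream, so a caller that treats that error as non-fatal and keeps using the plaintext session would feed the injected data to its next command. The contract should be stated where the error is raised: `// Caller must drop the connection: the rejected bytes stay buffered and must not be consumed in plaintext.` The comment's "the server send" should read "the server sent". mailimap_starttls begins before the hunk and its switch continues past it.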
@@ -0,0 +1,55 @@
+From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001
+From: Fabian Ising
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: [PATCH 2/2] Detect extra data after STARTTLS responses in SMTP and
+ POP3 and exit (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+
+ if (r != RESPONSE_OK)
+ return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++ // Detect if the server send extra data after the STLS response.
++ // This *may* be a "response injection attack".
++ if (f->pop3_stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no error type for STARTTLS errors in POP3
++ return MAILPOP3_ERROR_SSL;
++ }
+
+ return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index b7fc459..3145cad 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
+ return MAILSMTP_ERROR_STREAM;
+ r = read_response(session);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no general error type for STARTTLS errors in SMTP
++ return MAILSMTP_ERROR_SSL;
++ }
++
+ switch (r) {
+ case 220:
+ return MAILSMTP_NO_ERROR;
+--
+2.26.2
+
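Review bot: In the mailsmtp.c hunk the buffered-data check runs before `switch (r)`, so a server that answers STARTTLS with a non-220 code while extra bytes are buffered is reported as MAILSMTP_ERROR_SSL instead of whatever the switch returns for that code; the mailpop3.c hunk, by contrast, only checks once `r == RESPONSE_OK` has been established. Moving `if (session->stream->read_buffer_len != 0) return MAILSMTP_ERROR_SSL;` into the `case 220:` arm ahead of `return MAILSMTP_NO_ERROR;` keeps the two protocols consistent and preserves the server's refusal code for diagnostics, while still rejecting the handshake whenever junk follows a successful reply. In both files the comment's "the server send" should read "the server sent". mailesmtp_starttls begins before the hunk and its switch continues past it.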
diff --git a/libetpan-1.9.4.tar.gz b/libetpan-1.9.4.tar.gz
new file mode 100644
index 0000000..770daee
Binary files /dev/null and b/libetpan-1.9.4.tar.gz differ
diff --git a/libetpan.spec b/libetpan.spec
new file mode 100644
index 0000000..48f89fd
--- /dev/null
+++ b/libetpan.spec
@@ -0,0 +1,101 @@
+Name: libetpan
+Version: 1.9.4
+Release: 6
+Summary: Portable, efficient middle-ware for different kinds of mail access
+
+License: BSD
+URL: http://www.etpan.org/
+Source0: https://github.com/dinhviethoa/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+# system crypto policy (see rhbz#1179310)
+Patch10: libetpan-1.9.2-cryptopolicy.patch
+# Upstream patches
+#
+# CVE-2020-15953
+# https://github.com/dinhvh/libetpan/issues/386
+# Detect extra data after STARTTLS response and exit
+# https://github.com/dinhvh/libetpan/pull/387
+Patch101: libetpan-1.9.4-0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
+# Detect extra data after STARTTLS responses in SMTP and POP3 and exit
+# https://github.com/dinhvh/libetpan/pull/388
+Patch102: libetpan-1.9.4-0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
+
+BuildRequires: gcc-c++
+BuildRequires: liblockfile-devel
+BuildRequires: libdb-devel < 5.4
+BuildRequires: cyrus-sasl-devel
+BuildRequires: gnutls-devel
+BuildRequires: libtool
+BuildRequires: zlib-devel
+BuildRequires: autoconf automake
+BuildRequires: make
+# disabled by default in configure.ac accidentally
+# https://github.com/dinhviethoa/libetpan/issues/221
+# libcurl and libexpat not needed by Claws Mail:
+# http://lists.claws-mail.org/pipermail/users/2016-January/015665.html
+#BuildRequires: libcurl-devel expat-devel
+
+%description
+The purpose of this mail library is to provide a portable, efficient middle-ware
+for different kinds of mail access. When using the drivers interface, the
+interface is the same for all kinds of mail access, remote and local mailboxes.
+
+%package devel
+Summary: Development package for %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package contains the files needed for development
+with %{name}.
+
+%prep
+%setup -q
+
+#%patch0 -b .libetpan-config-script
+sed -i.flags libetpan.pc.in \
+ -e 's|-letpan@LIBSUFFIX@.*$|-letpan@LIBSUFFIX@|'
+%patch10 -p1 -b .crypto-policy
+%patch101 -p1 -b .CVE-2020-15953-1
+%patch102 -p1 -b .CVE-2020-15953-2
+
+# 2013-08-05 F20 development, bz 992070: The configure scripts adds some
+# extra libs to the GnuTLS link options, which cause rebuilds to fail, since
+# gnutls-devel no longer pulls in libgcrypt-devel libgpg-error-devel
+# [The alternative fix is to BR those packages, of course.]
+grep 'GNUTLSLIB="-lgnutls -lgcrypt -lgpg-error -lz"' configure.ac || exit -1
+sed -i '\@GNUTLSLIB=@s!-lgcrypt -lgpg-error -lz!!g' configure.ac
+
+env NOCONFIGURE=1 ./autogen.sh
+
+%build
+#%global optflags %(echo %{optflags} | sed 's/-g /-g -Wno-format-truncation /')
+%configure --disable-static --with-gnutls=yes --with-openssl=no
+make LIBTOOL=%{_bindir}/libtool %{?_smp_mflags}
+
+cd doc
+make doc
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+
+rm -rf $RPM_BUILD_ROOT%{_libdir}/libetpan.{,l}a
+
+iconv -f iso8859-1 -t utf-8 ChangeLog > ChangeLog.conv && mv -f ChangeLog.conv ChangeLog
+
+%ldconfig_scriptlets
+
+%files
+%license COPYRIGHT
+%doc ChangeLog NEWS
+%{_libdir}/%{name}.so.20
+%{_libdir}/%{name}.so.20.*
+
+%files devel
+%doc doc/API.html doc/README.html doc/DOCUMENTATION
+%{_libdir}/pkgconfig/%{name}.pc
+%{_includedir}/libetpan/
+%{_includedir}/libetpan.h
+%{_libdir}/%{name}.so
+
+%changelog
+* Wen Sep 22 2021 douyan - 1.9.4-6
+- Init package for openEuler
\ No newline at end of file
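Review bot: The `%changelog` entry `* Wen Sep 22 2021 douyan - 1.9.4-6` misspells the weekday; rpm accepts only the three-letter English abbreviations and typically reports such an entry as a bogus changelog date, so it should read `* Wed Sep 22 2021 douyan - 1.9.4-6`. In `%prep`, `|| exit -1` produces exit status 255 on common shells; the conventional form is `|| exit 1`, which fails the build just as reliably. The comments at the top of the file cite the upstream repo as `dinhvh` while `Source0` still points at `dinhviethoa`; both presumably resolve today, but the spec should name one so the tarball provenance is unambiguous. None of these affect the built library.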