From 755a16adf9bf1b8d8e67b06eb8c2c1fcb65756bb Mon Sep 17 00:00:00 2001
From: starlet_dx <15929766099@163.com>
Date: Fri, 23 Jul 2021 15:18:11 +0800
Subject: [PATCH] fix CVE-2020-14093
---
 CVE-2020-14093.patch | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 mutt.spec | 6 ++++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-14093.patch
diff --git a/CVE-2020-14093.patch b/CVE-2020-14093.patch
new file mode 100644
index 0000000..b85629d
--- /dev/null
+++ b/CVE-2020-14093.patch
@@ -0,0 +1,53 @@
+From 3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy
+Date: Sun, 14 Jun 2020 11:30:00 -0700
+Subject: [PATCH] Prevent possible IMAP MITM via PREAUTH response.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is similar to CVE-2014-2567 and CVE-2020-12398. STARTTLS is not
+allowed in the Authenticated state, so previously Mutt would
+implicitly mark the connection as authenticated and skip any
+encryption checking/enabling.
+
+No credentials are exposed, but it does allow messages to be sent to
+an attacker, via postpone or fcc'ing for instance.
+
+Reuse the $ssl_starttls quadoption "in reverse" to prompt to abort the
+connection if it is unencrypted.
+
+Thanks very much to Damian Poddebniak and Fabian Ising from the
+Münster University of Applied Sciences for reporting this issue, and
+their help in testing the fix.
+---
+ imap/imap.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/imap/imap.c b/imap/imap.c
+index 63362176..3ca10df4 100644
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -493,6 +493,22 @@ int imap_open_connection (IMAP_DATA* idata)
+ }
+ else if (ascii_strncasecmp ("* PREAUTH", idata->buf, 9) == 0)
+ {
++#if defined(USE_SSL)
++ /* An unencrypted PREAUTH response is most likely a MITM attack.
++ * Require a confirmation. */
++ if (!idata->conn->ssf)
++ {
++ if (option(OPTSSLFORCETLS) ||
++ (query_quadoption (OPT_SSLSTARTTLS,
++ _("Abort unencrypted PREAUTH connection?")) != MUTT_NO))
++ {
++ mutt_error _("Encrypted connection unavailable");
++ mutt_sleep (1);
++ goto err_close_conn;
++ }
++ }
++#endif
++
+ idata->state = IMAP_AUTHENTICATED;
+ if (imap_check_capabilities (idata) != 0)
+ goto bail;
diff --git a/mutt.spec b/mutt.spec
index 07d58f5..8c4080c 100644
--- a/mutt.spec
+++ b/mutt.spec
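Review bot: The `!= MUTT_NO` comparison on the new `query_quadoption` call is the fail-closed decision of this fix — any result other than an explicit "no" (which, if the helper follows mutt's usual yes/no prompt convention, includes a cancelled prompt) tears the connection down, and only `$ssl_starttls=no` lets an unencrypted PREAUTH session proceed — yet that is explained only by the commit message's "in reverse" remark, so say it at the `if`: `/* $ssl_starttls reused "in reverse": anything but an explicit "no" (including a cancelled prompt) aborts the plaintext session; fail closed. */`. The same comment should note that the whole guard sits inside `#if defined(USE_SSL)`, so a build without SSL still accepts a plaintext PREAUTH greeting silently — unavoidable, since nothing could be encrypted, but a reader should not mistake that build for a protected one. Since this June-2020 upstream commit (its `index 63362176..3ca10df4` and line-493 offset are upstream's) is being carried onto the packaged mutt 1.10.1, confirm at the backport target that `idata->conn->ssf`, `OPTSSLFORCETLS` and the `err_close_conn` label exist with the meaning relied on here rather than trusting a fuzzy apply. `imap_open_connection` begins and ends outside the hunk.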
@@ -1,6 +1,6 @@
 Name: mutt
 Version: 1.10.1
-Release: 4
+Release: 5
 Epoch: 5
 Summary: Text-based mail client
 License: GPLv2+ and Public Domain
@@ -17,6 +17,7 @@ Patch8: mutt-1.5.23-system_certs.patch
 Patch9: mutt-1.9.0-ssl_ciphers.patch
 Patch13: CVE-2020-28896.patch
 Patch14: CVE-2021-3181.patch
+Patch15: CVE-2020-14093.patch
 BuildRequires: gcc ncurses-devel gettext automake /usr/bin/xsltproc
 BuildRequires: lynx docbook-style-xsl perl-interpreter perl-generators
@@ -121,6 +122,9 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
 %{_mandir}/man5/muttrc.*
 %changelog
+* Fri Jul 23 2021 yaoxin - 1.10.1-5
+- fix CVE-2020-14093
+
 * Sat Feb 20 2021 zhanghua - 1.10.1-4
 - fix CVE-2021-3181
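Review bot: No `%patch15` application is visible for the newly declared `Patch15: CVE-2020-14093.patch`; if this spec's %prep applies patches with explicit `%patchN -p1` lines rather than `%autosetup`, the patch is declared but never applied, and the changelog entry claiming the CVE fixed would be wrong. %prep lies outside this diff, so verify it and, if it lists patches one by one, add `%patch15 -p1` next to the existing line for Patch14, using the same strip level as its neighbours. The embedded patch uses `a/imap/imap.c` / `b/imap/imap.c` paths, so `-p1` is the strip level it expects.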