packages/mutt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!24 fix CVE-2020-14093

Browse Source 
From: @wang_yue111
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-07-27 09:25:26 +00:00 committed by Gitee
commit e67a82bb0b
3 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
CVE-2020-14093.patch → backport-CVE-2020-14093-1.patch
View File

28
backport-CVE-2020-14093-2.patch Normal file
View File

@ -0,0 +1,28 @@
From bfb4ba6e6e742d3ca1a23697228fdddc957819a6 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sat, 20 Jun 2020 06:35:35 -0700
Subject: [PATCH] Don't check IMAP PREAUTH encryption if $tunnel is in use.
$tunnel is used to create an external encrypted connection. The default of $ssl_starttls is yes, meaning those kinds of connections will be broken by the CVE-2020-14093 fix.
---
imap/imap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/imap/imap.c b/imap/imap.c
index 17d1411..a41ed46 100644
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -495,8 +495,8 @@ int imap_open_connection (IMAP_DATA* idata)
{
#if defined(USE_SSL)
/* An unencrypted PREAUTH response is most likely a MITM attack.
- * Require a confirmation. */
- if (!idata->conn->ssf)
+ * Require a confirmation unless using $tunnel. */
+ if (!idata->conn->ssf && !Tunnel)
{
if (option(OPTSSLFORCETLS) ||
(query_quadoption (OPT_SSLSTARTTLS,
--
2.23.0

8
mutt.spec
View File

@ -1,6 +1,6 @@
Name: mutt Name: mutt
Version: 1.10.1 Version: 1.10.1
Release: 5 Release: 6
Epoch: 5 Epoch: 5
Summary: Text-based mail client Summary: Text-based mail client
License: GPLv2+ and Public Domain License: GPLv2+ and Public Domain
@ -17,7 +17,8 @@ Patch8: mutt-1.5.23-system_certs.patch
Patch9: mutt-1.9.0-ssl_ciphers.patch Patch9: mutt-1.9.0-ssl_ciphers.patch
Patch13: CVE-2020-28896.patch Patch13: CVE-2020-28896.patch
Patch14: CVE-2021-3181.patch Patch14: CVE-2021-3181.patch
Patch15: CVE-2020-14093.patch Patch15: backport-CVE-2020-14093-1.patch
Patch16: backport-CVE-2020-14093-2.patch
BuildRequires: gcc ncurses-devel gettext automake /usr/bin/xsltproc BuildRequires: gcc ncurses-devel gettext automake /usr/bin/xsltproc
BuildRequires: lynx docbook-style-xsl perl-interpreter perl-generators BuildRequires: lynx docbook-style-xsl perl-interpreter perl-generators
@ -122,6 +123,9 @@ ln -sf ./muttrc.5 %{buildroot}%{_mandir}/man5/muttrc.local.5
%{_mandir}/man5/muttrc.* %{_mandir}/man5/muttrc.*
%changelog %changelog
- Tue Jul 27 2021 wangyue<wangyue92@huawei.com> - 1.10.1-6
- fix CVE-2020-14093
* Fri Jul 23 2021 yaoxin<yaoxin30@huawei.com> - 1.10.1-5 * Fri Jul 23 2021 yaoxin<yaoxin30@huawei.com> - 1.10.1-5
- fix CVE-2020-14093 - fix CVE-2020-14093