python-aiosmtpd/CVE-2024-34083.patch

From 0360116a634a842b2bbe93528284679587a7c6c2 Mon Sep 17 00:00:00 2001
From: Arusekk <Arusekk@aio-libs>
Date: Mon, 20 May 2024 08:57:18 +0800
Subject: [PATCH] CVE-2024-34083

---
 aiosmtpd/docs/NEWS.rst | 5 +++++
 aiosmtpd/smtp.py       | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/aiosmtpd/docs/NEWS.rst b/aiosmtpd/docs/NEWS.rst
index 875ead0..fa8089b 100644
--- a/aiosmtpd/docs/NEWS.rst
+++ b/aiosmtpd/docs/NEWS.rst
@@ -15,6 +15,11 @@ Fixed/Improved
 * All Controllers now have more rationale design, as they are now composited from a Base + a Mixin
 * A whole bunch of annotations
 
+1.4.6 (2024-05-06)
+==================
+
+* STARTTLS is now fully enforced if used.
+
 
 1.4.4 (2023-01-17)
 ==================
diff --git a/aiosmtpd/smtp.py b/aiosmtpd/smtp.py
index 09c85bf..8a20d13 100644
--- a/aiosmtpd/smtp.py
+++ b/aiosmtpd/smtp.py
@@ -504,6 +504,9 @@ class SMTP(asyncio.StreamReaderProtocol):
             self._reader._transport = transport
             self._writer._transport = transport
             self.transport = transport
+            # Discard any leftover unencrypted data
+            # See https://tools.ietf.org/html/rfc3207#page-7
+            self._reader._buffer.clear()  # type: ignore[attr-defined]
             # Do SSL certificate checking as rfc3207 part 4.1 says.  Why is
             # _extra a protected attribute?
             self.session.ssl = self._tls_protocol._extra
-- 
2.27.0
Fix CVE-2024-34083 (cherry picked from commit 343793bcda86d5f48a160a44d0e666c96f06445a) 2024-05-20 09:04:09 +08:00			`From 0360116a634a842b2bbe93528284679587a7c6c2 Mon Sep 17 00:00:00 2001`
			`From: Arusekk <Arusekk@aio-libs>`
			`Date: Mon, 20 May 2024 08:57:18 +0800`
			`Subject: [PATCH] CVE-2024-34083`

			`---`
			`aiosmtpd/docs/NEWS.rst \| 5 +++++`
			`aiosmtpd/smtp.py \| 3 +++`
			`2 files changed, 8 insertions(+)`

			`diff --git a/aiosmtpd/docs/NEWS.rst b/aiosmtpd/docs/NEWS.rst`
			`index 875ead0..fa8089b 100644`
			`--- a/aiosmtpd/docs/NEWS.rst`
			`+++ b/aiosmtpd/docs/NEWS.rst`
			`@@ -15,6 +15,11 @@ Fixed/Improved`
			`* All Controllers now have more rationale design, as they are now composited from a Base + a Mixin`
			`* A whole bunch of annotations`

			`+1.4.6 (2024-05-06)`
			`+==================`
			`+`
			`+* STARTTLS is now fully enforced if used.`
			`+`

			`1.4.4 (2023-01-17)`
			`==================`
			`diff --git a/aiosmtpd/smtp.py b/aiosmtpd/smtp.py`
			`index 09c85bf..8a20d13 100644`
			`--- a/aiosmtpd/smtp.py`
			`+++ b/aiosmtpd/smtp.py`
			`@@ -504,6 +504,9 @@ class SMTP(asyncio.StreamReaderProtocol):`
			`self._reader._transport = transport`
			`self._writer._transport = transport`
			`self.transport = transport`
			`+ # Discard any leftover unencrypted data`
			`+ # See https://tools.ietf.org/html/rfc3207#page-7`
			`+ self._reader._buffer.clear() # type: ignore[attr-defined]`
			`# Do SSL certificate checking as rfc3207 part 4.1 says. Why is`
			`# _extra a protected attribute?`
			`self.session.ssl = self._tls_protocol._extra`
			`--`
			`2.27.0`