diff --git a/SOURCES/evolution-data-server-3.28.5-CVE-2020-14928.patch b/SOURCES/evolution-data-server-3.28.5-CVE-2020-14928.patch
new file mode 100644
index 0000000..a587ba3
--- /dev/null
+++ b/SOURCES/evolution-data-server-3.28.5-CVE-2020-14928.patch
@@ -0,0 +1,91 @@
+diff -up evolution-data-server-3.28.5/src/camel/camel-stream-buffer.c.CVE-2020-14928 evolution-data-server-3.28.5/src/camel/camel-stream-buffer.c
+--- evolution-data-server-3.28.5/src/camel/camel-stream-buffer.c.CVE-2020-14928 2018-07-30 15:17:06.000000000 +0200
++++ evolution-data-server-3.28.5/src/camel/camel-stream-buffer.c 2020-07-23 10:26:57.962555350 +0200
+@@ -524,3 +524,22 @@ camel_stream_buffer_read_line (CamelStre
+ 
+ return g_strdup ((gchar *) sbf->priv->linebuf);
+ }
++
++/*
++ * camel_stream_buffer_discard_cache:
++ * @sbf: a #CamelStreamBuffer
++ *
++ * Discards any cached data in the @sbf. The next read reads
++ * from the stream.
++ *
++ * Since: 3.28.5-14
++ */
++void
++camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf)
++{
++ g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf));
++
++ sbf->priv->ptr = sbf->priv->buf;
++ sbf->priv->end = sbf->priv->buf;
++ sbf->priv->ptr[0] = '\0';
++}
+diff -up evolution-data-server-3.28.5/src/camel/camel-stream-buffer.h.CVE-2020-14928 evolution-data-server-3.28.5/src/camel/camel-stream-buffer.h
+--- evolution-data-server-3.28.5/src/camel/camel-stream-buffer.h.CVE-2020-14928 2018-07-30 15:17:06.000000000 +0200
++++ evolution-data-server-3.28.5/src/camel/camel-stream-buffer.h 2020-07-23 10:26:57.963555348 +0200
+@@ -93,6 +93,8 @@ gint camel_stream_buffer_gets (CamelStr
+ gchar * camel_stream_buffer_read_line (CamelStreamBuffer *sbf,
+ GCancellable *cancellable,
+ GError **error);
++void camel_stream_buffer_discard_cache
++ (CamelStreamBuffer *sbf);
+ 
+ G_END_DECLS
+ 
+diff -up evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-store.c.CVE-2020-14928 evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-store.c
+--- evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-store.c.CVE-2020-14928 2018-07-30 15:17:06.000000000 +0200
++++ evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-store.c 2020-07-23 10:26:57.963555348 +0200
+@@ -208,6 +208,8 @@
connect_to_server (CamelService *service
+ 
+ if (tls_stream != NULL) {
+ camel_stream_set_base_stream (stream, tls_stream);
++ /* Truncate any left cached input from the insecure part of the session */
++ camel_pop3_stream_discard_cache (pop3_engine->stream);
+ g_object_unref (tls_stream);
+ } else {
+ g_prefix_error (
+diff -up evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-stream.c.CVE-2020-14928 evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-stream.c
+--- evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-stream.c.CVE-2020-14928 2018-07-30 15:17:06.000000000 +0200
++++ evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-stream.c 2020-07-23 10:26:57.963555348 +0200
+@@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream
+ 
+ return 1;
+ }
++
++void
++camel_pop3_stream_discard_cache (CamelPOP3Stream *is)
++{
++ if (is) {
++ is->ptr = is->end = is->buf;
++ is->lineptr = is->linebuf;
++ is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE;
++ is->ptr[0] = '\n';
++ }
++}
+diff -up evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-stream.h.CVE-2020-14928 evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-stream.h
+--- evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-stream.h.CVE-2020-14928 2018-07-30 15:17:06.000000000 +0200
++++ evolution-data-server-3.28.5/src/camel/providers/pop3/camel-pop3-stream.h 2020-07-23 10:26:57.963555348 +0200
+@@ -87,6 +87,7 @@ gint camel_pop3_stream_getd (CamelPOP3
+ guint *len,
+ GCancellable *cancellable,
+ GError **error);
++void camel_pop3_stream_discard_cache (CamelPOP3Stream *is);
+ 
+ G_END_DECLS
+ 
+diff -up evolution-data-server-3.28.5/src/camel/providers/smtp/camel-smtp-transport.c.CVE-2020-14928 evolution-data-server-3.28.5/src/camel/providers/smtp/camel-smtp-transport.c
+--- evolution-data-server-3.28.5/src/camel/providers/smtp/camel-smtp-transport.c.CVE-2020-14928 2018-07-30 15:17:06.000000000 +0200
++++
evolution-data-server-3.28.5/src/camel/providers/smtp/camel-smtp-transport.c 2020-07-23 10:26:57.963555348 +0200
+@@ -319,6 +319,8 @@ connect_to_server (CamelService *service
+ 
+ if (tls_stream != NULL) {
+ camel_stream_set_base_stream (stream, tls_stream);
++ /* Truncate any left cached input from the insecure part of the session */
++ camel_stream_buffer_discard_cache (transport->istream);
+ g_object_unref (tls_stream);
+ } else {
+ g_prefix_error (
diff --git a/SOURCES/evolution-data-server-3.28.5-CVE-2020-16117.patch b/SOURCES/evolution-data-server-3.28.5-CVE-2020-16117.patch
new file mode 100644
index 0000000..6b656f8
--- /dev/null
+++ b/SOURCES/evolution-data-server-3.28.5-CVE-2020-16117.patch
@@ -0,0 +1,13 @@
+diff -up evolution-data-server-3.28.5/src/camel/providers/imapx/camel-imapx-server.c.CVE-2020-16117 evolution-data-server-3.28.5/src/camel/providers/imapx/camel-imapx-server.c
+--- evolution-data-server-3.28.5/src/camel/providers/imapx/camel-imapx-server.c.CVE-2020-16117 2018-07-30 15:17:06.000000000 +0200
++++ evolution-data-server-3.28.5/src/camel/providers/imapx/camel-imapx-server.c 2020-09-30 09:10:32.240788043 +0200
+@@ -2979,7 +2979,8 @@ connected:
+ 
+ /* See if we got new capabilities
+ * in the STARTTLS response. */
+- imapx_free_capability (is->priv->cinfo);
++ if (is->priv->cinfo)
++ imapx_free_capability (is->priv->cinfo);
+ is->priv->cinfo = NULL;
+ if (ic->status->condition == IMAPX_CAPABILITY) {
+ is->priv->cinfo = ic->status->u.cinfo;
diff --git a/SPECS/evolution-data-server.spec b/SPECS/evolution-data-server.spec
index d4c076f..55cb1ec 100644
--- a/SPECS/evolution-data-server.spec
+++ b/SPECS/evolution-data-server.spec
@@ -32,7 +32,7 @@
 
 Name: evolution-data-server
 Version: 3.28.5
-Release: 13%{?dist}
+Release: 15%{?dist}
 Group: System Environment/Libraries
 Summary: Backend data server for Evolution
 License: LGPLv2+
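Review bot: `camel_pop3_stream_discard_cache` wraps its body in `if (is) {`, so a NULL stream turns the post-STARTTLS discard into a silent no-op, while the sibling `camel_stream_buffer_discard_cache` added by the same patch uses `g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf));`. Since this call is the step that drops plaintext buffered before the TLS handshake, a skipped discard should be visible; `g_return_if_fail (CAMEL_IS_POP3_STREAM (is));` in place of the `if` wrapper would match the sibling and also reject a wrong-typed pointer. The POP3 helper has no doc comment and writes `'\n'` at `is->ptr[0]` where the stream-buffer helper writes `'\0'`; presumably `'\n'` is the end-of-buffer sentinel the POP3 line reader scans for, and a comment such as `/* '\n' is the sentinel the line reader stops on, not a NUL */` would keep a later reader from "correcting" it (confirm against the reader code, which is not in this patch). Both helpers also drop unread bytes without a trace, so a `g_debug` when `ptr != end` on entry would leave evidence when data was injected ahead of the handshake.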
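Review bot: The NULL check is added only at this one call after `connected:`, so any other caller of `imapx_free_capability` remains exposed to the same crash if it can be handed a NULL `cinfo`; the function body is not part of this patch, but an early return on a NULL argument inside it would cover every caller at once. After these lines `is->priv->cinfo` stays NULL unless `ic->status->condition == IMAPX_CAPABILITY`, and the enclosing function continues outside the hunk, so the later reads of `is->priv->cinfo` on this connect path need the same review. A short comment above the new `if`, for example `/* cinfo can still be NULL here when the server sent no capability data */`, would record why the guard exists, assuming that is indeed the trigger described in the changelog entry.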
@@ -82,6 +82,12 @@ Patch09: evolution-data-server-3.28.5-delay-new-module-load.patch
 # RH bug #1791547
 Patch10: evolution-data-server-3.28.5-test-cal-meta-backend-without-evolution.patch
 
+# RH bug #1859141
+Patch11: evolution-data-server-3.28.5-CVE-2020-14928.patch
+
+# RH bug #1862403
+Patch12: evolution-data-server-3.28.5-CVE-2020-16117.patch
+
 ### Dependencies ###
 
 Requires: dconf
@@ -211,6 +217,8 @@ the functionality of the installed %{name} package.
 %patch08 -p1 -b .cve-2019-3890
 %patch09 -p1 -b .delay-new-module-load
 %patch10 -p1 -b .test-cal-meta-backend-without-evolution
+%patch11 -p1 -b .CVE-2020-14928
+%patch12 -p1 -b .CVE-2020-16117
 
 %build
 
@@ -472,6 +480,12 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &>/dev/null || :
 %{_datadir}/installed-tests
 
 %changelog
+* Wed Sep 30 2020 Milan Crha - 3.28.5-15
+- Resolves: #1862403 (CVE-2020-16117: Crash on malformed server response with minimal capabilities)
+
+* Thu Jul 23 2020 Milan Crha - 3.28.5-14
+- Resolves: #1859141 (CVE-2020-14928: Response Injection via STARTTLS in SMTP and POP3)
+
 * Thu Jan 16 2020 Milan Crha - 3.28.5-13
 - Resolves: #1791547 (test-cal-meta-backend cannot run without installed Evolution)