From f6b8c8ff1924324b5ae18ea879086deec396c9e5 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Mon, 12 Oct 2020 15:22:28 +0000
Subject: community/libetpan: backport fix for CVE-2020-15953

ref #11869
---
 community/libetpan/APKBUILD             |  6 ++-
 community/libetpan/CVE-2020-15953.patch | 79 +++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 community/libetpan/CVE-2020-15953.patch

diff --git a/community/libetpan/APKBUILD b/community/libetpan/APKBUILD
index 7fe5581258..1da27ac5ed 100644
--- a/community/libetpan/APKBUILD
+++ b/community/libetpan/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libetpan
 pkgver=1.9.4
-pkgrel=0
+pkgrel=1
 pkgdesc="a portable middleware for email access"
 url="http://www.etpan.org/"
 arch="all"
@@ -12,6 +12,7 @@ makedepends="cyrus-sasl-dev curl-dev expat-dev gnutls-dev libgcrypt-dev
 depends_dev="cyrus-sasl-dev"
 source="libetpan-$pkgver.tar.gz::https://github.com/dinhviethoa/libetpan/archive/$pkgver.tar.gz
 	fix-build.patch
+	CVE-2020-15953.patch
 	"
 
 prepare() {
@@ -43,4 +44,5 @@ package() {
 }
 
 sha512sums="7b7047d084fb4ce0c91821c2ad78e921d6d009106851afb7f5b068713c84ebe6926f6bf7a7423f263eeebef617511e44f6b65448d892bbc058c447235fd55c0f  libetpan-1.9.4.tar.gz
-85d0be0b1a57cb5865a6802c01c9f4fe3e4e32b06929a9c7f688be6f2115a2f6ea8229fd637f83d1376925939b7112bcb6704a9bd79206bf821c32f06747e6c9  fix-build.patch"
+85d0be0b1a57cb5865a6802c01c9f4fe3e4e32b06929a9c7f688be6f2115a2f6ea8229fd637f83d1376925939b7112bcb6704a9bd79206bf821c32f06747e6c9  fix-build.patch
+4430fb1172944b48a379feb9d716d6d8594819206daabcd2c00dbdd07fa4598a213161d97073f1e5cacab08921263c938bbf40c1ba9080436a5dba4a17dcfd79  CVE-2020-15953.patch"
diff --git a/community/libetpan/CVE-2020-15953.patch b/community/libetpan/CVE-2020-15953.patch
new file mode 100644
index 0000000000..e02b000aad
--- /dev/null
+++ b/community/libetpan/CVE-2020-15953.patch
@@ -0,0 +1,79 @@
+From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <duesee@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: [PATCH] Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index bb17119d..4ffcf55d 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
+ 
+   mailimap_response_free(response);
+ 
++  // Detect if the server send extra data after the STARTTLS response.
++  // This *may* be a "response injection attack".
++  if (session->imap_stream->read_buffer_len != 0) {
++      // Since it is also an IMAP protocol violation, exit.
++      return MAILIMAP_ERROR_STARTTLS;
++  }
++
+   switch (error_code) {
+   case MAILIMAP_RESP_COND_STATE_OK:
+     return MAILIMAP_NO_ERROR;
+From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <Murgeye@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: [PATCH] Detect extra data after STARTTLS responses in SMTP and POP3
+ and exit (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535be..e2124bf8 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+ 
+   if (r != RESPONSE_OK)
+     return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++  // Detect if the server send extra data after the STLS response.
++  // This *may* be a "response injection attack".
++  if (f->pop3_stream->read_buffer_len != 0) {
++    // Since it is also protocol violation, exit.
++    // There is no error type for STARTTLS errors in POP3
++    return MAILPOP3_ERROR_SSL;
++  }
+   
+   return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index b7fc459e..3145cadf 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
+     return MAILSMTP_ERROR_STREAM;
+   r = read_response(session);
+ 
++  // Detect if the server send extra data after the STARTTLS response.
++  // This *may* be a "response injection attack".
++  if (session->stream->read_buffer_len != 0) {
++    // Since it is also protocol violation, exit.
++    // There is no general error type for STARTTLS errors in SMTP
++    return MAILSMTP_ERROR_SSL;
++  }
++
+   switch (r) {
+   case 220:
+     return MAILSMTP_NO_ERROR;
-- 
cgit v1.2.3