NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b442ccb43e
kumquat-buildroot/package/mutt/0003-Prevent-possible-IMAP-MITM-via-PREAUTH-response.patch
Fabrice Fontaine 439679e836 package/mutt: fix CVE-2020-14093 
Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack
via a PREAUTH response.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6756a3504c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-15 23:21:34 +02:00

61 lines
1.9 KiB
Diff
Raw Blame History

From 3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 14 Jun 2020 11:30:00 -0700
Subject: [PATCH] Prevent possible IMAP MITM via PREAUTH response.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is similar to CVE-2014-2567 and CVE-2020-12398. STARTTLS is not
allowed in the Authenticated state, so previously Mutt would
implicitly mark the connection as authenticated and skip any
encryption checking/enabling.
No credentials are exposed, but it does allow messages to be sent to
an attacker, via postpone or fcc'ing for instance.
Reuse the $ssl_starttls quadoption "in reverse" to prompt to abort the
connection if it is unencrypted.
Thanks very much to Damian Poddebniak and Fabian Ising from the
Münster University of Applied Sciences for reporting this issue, and
their help in testing the fix.
[Retrieved from:
https://gitlab.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
imap/imap.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/imap/imap.c b/imap/imap.c
index 63362176..3ca10df4 100644
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -530,6 +530,22 @@ int imap_open_connection (IMAP_DATA* idata)
}
else if (ascii_strncasecmp ("* PREAUTH", idata->buf, 9) == 0)
{
+#if defined(USE_SSL)
+ /* An unencrypted PREAUTH response is most likely a MITM attack.
+ * Require a confirmation. */
+ if (!idata->conn->ssf)
+ {
+ if (option(OPTSSLFORCETLS) ||
+ (query_quadoption (OPT_SSLSTARTTLS,
+ _("Abort unencrypted PREAUTH connection?")) != MUTT_NO))
+ {
+ mutt_error _("Encrypted connection unavailable");
+ mutt_sleep (1);
+ goto err_close_conn;
+ }
+ }
+#endif
+
idata->state = IMAP_AUTHENTICATED;
if (imap_check_capabilities (idata) != 0)
goto bail;
--
GitLab
Reference in New Issue View Git Blame Copy Permalink