https://bugs.kde.org/show_bug.cgi?id=423453
Jan Kundrát changed:
What|Removed |Added
Status|REPORTED|RESOLVED
Resolution|--- |FIXED
Latest Commit||https://invent.kde.org/pim/
||trojita/commit/77ddd5d44f2b
||f4155d0c9b6f7d05f01713b32d5
||d
--- Comment #4 from Jan Kundrát ---
Git commit 77ddd5d44f2bf4155d0c9b6f7d05f01713b32d5d by Jan Kundrát.
Committed on 25/06/2020 at 10:56.
Pushed by jkt into branch 'master'.
SMTP: Do not ignore TLS errors
This fixes a CVE-2020-15047 (category: CWE-295). Since commit 0083eea5ed
which added initial, experimental support for SMTP message submission,
we have apparently never implemented proper SSL/TLS error handling, and
the code has ever since just kept silently ignoring any certificate
verification errors. As a result, Trojita was susceptible to a MITM
attack when sending e-mails. The information leaked include user's
authentication details, including the password, and the content of sent
messages.
Sorry for this :(.
Now, this patch re-enabes proper TLS error handling. It was not possible
to directly re-use our code for TLS key pinning which we are using for
IMAP connections. In the Qt TLS code, the decision to accept or not
accept a TLS connection is a blocking one, so the IMAP code relies upon
the protocol state machine (i.e., another layer) for deciding whether to
use or not to use the just-established TLS connection. Implementing an
equivalent code in the SMTP library would be nice, but this hot-fix has
a priority. As a result, SMTP connections to hosts with, e.g.,
self-signed TLS certs, are no longer possible. Let's hope that this is
not a practical problem with Lets Encrypt anymore.
Thanks to Damian Poddebniak for reporting this bug.
Change-Id: Icd6bbb2b0fb3e45159fc9699ebd07ab84262fe37
CVE: CVE-2020-15047
M +9-2src/MSA/SMTP.cpp
M +1-0src/MSA/SMTP.h
https://invent.kde.org/pim/trojita/commit/77ddd5d44f2bf4155d0c9b6f7d05f01713b32d5d
--
You are receiving this mail because:
You are watching all bug changes.
