| commit | 77ddd5d44f2bf4155d0c9b6f7d05f01713b32d5d | |
| author | Jan Kundrát <jkt@kde.org> | |
| Thu, 25 Jun 2020 09:30:51 +0000 (25 11:30 +0200) | ||
| committer | Jan Kundrát <jkt@kde.org> | |
| Thu, 25 Jun 2020 10:56:07 +0000 (25 12:56 +0200) | ||
| tree | f8b1f43a351be0e3c7809dee047debf8f03167d7 | treesnapshot (tar.gz zip) |
| parent | 3a99f43babdbe34f11b359399011f6a251a25590 | commitdiff |
SMTP: Do not ignore TLS errors
This fixes a CVE-2020-15047 (category: CWE-295). Since commit 0083eea5ed
which added initial, experimental support for SMTP message submission,
we have apparently never implemented proper SSL/TLS error handling, and
the code has ever since just kept silently ignoring any certificate
verification errors. As a result, Trojita was susceptible to a MITM
attack when sending e-mails. The information leaked include user's
authentication details, including the password, and the content of sent
messages.
Sorry for this :(.
Now, this patch re-enabes proper TLS error handling. It was not possible
to directly re-use our code for TLS key pinning which we are using for
IMAP connections. In the Qt TLS code, the decision to accept or not
accept a TLS connection is a blocking one, so the IMAP code relies upon
the protocol state machine (i.e., another layer) for deciding whether to
use or not to use the just-established TLS connection. Implementing an
equivalent code in the SMTP library would be nice, but this hot-fix has
a priority. As a result, SMTP connections to hosts with, e.g.,
self-signed TLS certs, are no longer possible. Let's hope that this is
not a practical problem with Lets Encrypt anymore.
Thanks to Damian Poddebniak for reporting this bug.
Change-Id: Icd6bbb2b0fb3e45159fc9699ebd07ab84262fe37
CVE: CVE-2020-15047
BUG: 423453
This fixes a CVE-2020-15047 (category: CWE-295). Since commit 0083eea5ed
which added initial, experimental support for SMTP message submission,
we have apparently never implemented proper SSL/TLS error handling, and
the code has ever since just kept silently ignoring any certificate
verification errors. As a result, Trojita was susceptible to a MITM
attack when sending e-mails. The information leaked include user's
authentication details, including the password, and the content of sent
messages.
Sorry for this :(.
Now, this patch re-enabes proper TLS error handling. It was not possible
to directly re-use our code for TLS key pinning which we are using for
IMAP connections. In the Qt TLS code, the decision to accept or not
accept a TLS connection is a blocking one, so the IMAP code relies upon
the protocol state machine (i.e., another layer) for deciding whether to
use or not to use the just-established TLS connection. Implementing an
equivalent code in the SMTP library would be nice, but this hot-fix has
a priority. As a result, SMTP connections to hosts with, e.g.,
self-signed TLS certs, are no longer possible. Let's hope that this is
not a practical problem with Lets Encrypt anymore.
Thanks to Damian Poddebniak for reporting this bug.
Change-Id: Icd6bbb2b0fb3e45159fc9699ebd07ab84262fe37
CVE: CVE-2020-15047
BUG: 423453
| src/MSA/SMTP.cpp | diffblobblamehistory | |
| src/MSA/SMTP.h | diffblobblamehistory |