Update buildroot v2020.02.4 (#811)

* Update buildroot to 2020.02.4 Signed-off-by: Pascal Vizeli <pvizeli@syshack.ch> * fix patches Signed-off-by: Pascal Vizeli <pvizeli@syshack.ch>
2020-08-06 20:54:14 +02:00
parent 1f4bd67f7e
commit fa53c7bc99
239 changed files with 3051 additions and 938 deletions
--- a/buildroot/package/mutt/0003-Prevent-possible-IMAP-MITM-via-PREAUTH-response.patch
+++ b/buildroot/package/mutt/0003-Prevent-possible-IMAP-MITM-via-PREAUTH-response.patch
@@ -0,0 +1,60 @@
+From 3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sun, 14 Jun 2020 11:30:00 -0700
+Subject: [PATCH] Prevent possible IMAP MITM via PREAUTH response.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is similar to CVE-2014-2567 and CVE-2020-12398.  STARTTLS is not
+allowed in the Authenticated state, so previously Mutt would
+implicitly mark the connection as authenticated and skip any
+encryption checking/enabling.
+
+No credentials are exposed, but it does allow messages to be sent to
+an attacker, via postpone or fcc'ing for instance.
+
+Reuse the $ssl_starttls quadoption "in reverse" to prompt to abort the
+connection if it is unencrypted.
+
+Thanks very much to Damian Poddebniak and Fabian Ising from the
+Münster University of Applied Sciences for reporting this issue, and
+their help in testing the fix.
+
+[Retrieved from:
+https://gitlab.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ imap/imap.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/imap/imap.c b/imap/imap.c
+index 63362176..3ca10df4 100644
+--- a/imap/imap.c
+++ b/imap/imap.c
+@@ -530,6 +530,22 @@ int imap_open_connection (IMAP_DATA* idata)
+   }
+   else if (ascii_strncasecmp ("* PREAUTH", idata->buf, 9) == 0)
+   {
+#if defined(USE_SSL)
+    /* An unencrypted PREAUTH response is most likely a MITM attack.
+     * Require a confirmation. */
+    if (!idata->conn->ssf)
+    {
+      if (option(OPTSSLFORCETLS) ||
+          (query_quadoption (OPT_SSLSTARTTLS,
+                             _("Abort unencrypted PREAUTH connection?")) != MUTT_NO))
+      {
+        mutt_error _("Encrypted connection unavailable");
+        mutt_sleep (1);
+        goto err_close_conn;
+      }
+    }
+#endif
+
+     idata->state = IMAP_AUTHENTICATED;
+     if (imap_check_capabilities (idata) != 0)
+       goto bail;
+-- 
+GitLab
+
--- a/buildroot/package/mutt/mutt.hash
+++ b/buildroot/package/mutt/mutt.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256 78423016b5f2fcb31bfd156999ff6638177be4459230d2ee61a81e5641d07378  mutt-1.13.3.tar.gz
+sha256 6cd71b5b3e6b255afef6bed3b5e1e8ee9819b3d7c9839fd95e798045882aa653  mutt-1.13.5.tar.gz
 sha256 732f24b69a6c71cd8e01e4672bb8e12cc1cbb88a50a4665e6ca4fd95000a57ee  GPL
--- a/buildroot/package/mutt/mutt.mk
+++ b/buildroot/package/mutt/mutt.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-MUTT_VERSION = 1.13.3
+MUTT_VERSION = 1.13.5
 MUTT_SITE = https://bitbucket.org/mutt/mutt/downloads
 MUTT_LICENSE = GPL-2.0+
 MUTT_LICENSE_FILES = GPL
@@ -13,6 +13,9 @@ MUTT_CONF_OPTS = --disable-doc --disable-smtp
 # We're patching configure.ac
 MUTT_AUTORECONF = YES

+# 0003-Prevent-possible-IMAP-MITM-via-PREAUTH-response.patch
+MUTT_IGNORE_CVES += CVE-2020-14093
+
 ifeq ($(BR2_PACKAGE_LIBICONV),y)
 MUTT_DEPENDENCIES += libiconv
 MUTT_CONF_OPTS += --enable-iconv