Diffstat (limited to 'net-libs/libetpan')
-rw-r--r--net-libs/libetpan/Manifest6
-rw-r--r--net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch30
-rw-r--r--net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch86
-rw-r--r--net-libs/libetpan/libetpan-1.9.3.ebuild77
-rw-r--r--net-libs/libetpan/libetpan-1.9.4-r1.ebuild (renamed from net-libs/libetpan/libetpan-1.9.4.ebuild)5
5 files changed, 91 insertions, 113 deletions
diff --git a/net-libs/libetpan/Manifest b/net-libs/libetpan/Manifest
index dd29d4562010..c02b05d473d9 100644
--- a/net-libs/libetpan/Manifest
+++ b/net-libs/libetpan/Manifest
@@ -1,9 +1,7 @@
AUX libetpan-1.0-nonnull.patch 404 BLAKE2B 485fa277a9b5a9f1f74e2bb658a68da3d6781d8cf243df019ae945a69fb96e5ddad36d83e00294e1abfb983525dbbc483686882653e55713686099d839fa7fc3 SHA512 3800d6e2dbb50985290b8a141ee2fe6ff92bee8516567f55ea14e634b41e11d1074cd8df6e6de30996e0d86e54cd659300da0d61ad63fc10f713d672aa3b4f6e
-AUX libetpan-1.9.3-missing-stddev_h.patch 989 BLAKE2B 49918148deeacc128bb33e8cf56c9f3a56de92fd7206becd5c6e6054979691e17fd1de008f42c0db64c0f72def07bd5fb10178b0eec9ee64c6d6b0f8749bdd56 SHA512 cc9ea9b4c641cbb3b2446252b8ab8b520814ad8584f7fccd3174e31726a59a8445a5af21b6086034891a883887cb69b1d2c38a07e7f8667c0fea518b40a0e058
+AUX libetpan-1.9.4-CVE-2020-15953.patch 2880 BLAKE2B a31fcc50b16d6644ce091aaf7f3c7e2717c8413e21e7ec5f425100fa7987248c60de34d7bb81eaabddd401e93498daf868d5f78f6b0a65f4940faf4fff6ba493 SHA512 00a1d56b2a01665f070dcfe13d9b24db9ba98ca0fd0f83594a095b980d13cae241e246fb3a477923fd871ead551d13d9d4651cfc07a4d333250c0956cbf58238
AUX libetpan-1.9.4-berkdb_lookup.patch 1036 BLAKE2B 594741b66faa63de15acab4ce1f344fb22d2fa7c5c6cf75d2bd6c890d4117bda5978738d98a3ee3adf69f9ddb41922e36cd261ee71e9d8f012423cd99acc19a9 SHA512 561e0b82e080a31e668cc354be36e54101742b8d32f1067f53536afdd9e0cde2eecbd5516b93e8c304f60a1b083c6e68b4442afcca88235471f0038144202194
AUX libetpan-1.9.4-pkgconfig_file_no_ldflags.patch 809 BLAKE2B 0b615bb488f28f468f6224362788fcdb11def5b6907c10d0bf0eee5d9d9bd6af32e9b011d4af43d3a7d8cd78086875faa4d229c96fca1895cad9576756442b45 SHA512 b830b2d2a04173bbbdb7b62f9f855eab25bbe3d970fbd69c37213ece957b4d682f36002b9694b4dcf89232ace2d809902561003b5f6fb76ec5ae0db9e6e462e0
-DIST libetpan-1.9.3.tar.gz 5000049 BLAKE2B 1664d93b112410a86935438aae5ff40202a9c10675701d40b60edf81e4f8bac45fb1f407e03714a37465c41a22c1b9fcbbc517d76dc47f812e154c932e05e600 SHA512 66e504fbf82445819845a3f1dcb8dc48ad2440993134d43752c754463cee2434a30080718687cd05c579f0da8df6b0f6dfc7572f2882d0dd9dfd327b4ae11fd6
DIST libetpan-1.9.4.tar.gz 5000025 BLAKE2B dd98169134b7448d3dd129814d8011a3fa915b16f4763344230a89d02626b64ddea57495b4c21fd8f651164c36c95ad98ee9db073273b230e6af403b845aa681 SHA512 7b7047d084fb4ce0c91821c2ad78e921d6d009106851afb7f5b068713c84ebe6926f6bf7a7423f263eeebef617511e44f6b65448d892bbc058c447235fd55c0f
-EBUILD libetpan-1.9.3.ebuild 2095 BLAKE2B 9cc94dacaf2e83581386ad57d3d35e8f60f7a7c123653e4dfa0c56ac72644e9ac928b43b9c7f27523ba0024df3a14547b774bac1eb5ca4da71af013943c4929b SHA512 92d72ac6d58e7c48efb3a8d398bfa0ba0af3246e155b4524f2c5da17b45af613407ce832f394ef0f6f28249dd033407ab14c6b3959f784ec1a2c385f5218d9fb
-EBUILD libetpan-1.9.4.ebuild 2198 BLAKE2B dffcda40ca003f71ccef117150da920bd3c0b0f498af9219d4192ff12e33614c91eef9b0129c1d7083f70264e6f8088fd1770e467c4ec2b159228b91a5cd6437 SHA512 f10e83dc9b8ec6961be171901e1238af7c8286f417125c7800e8407754d162be488197fd8d734dac681f43a1577846d3bb8200f5cfa9094c45151ae7d1fd1c5d
+EBUILD libetpan-1.9.4-r1.ebuild 2241 BLAKE2B 5fae2fefb926cb18683a4d25aed22388fcec0ec1984d7e53c1aae5c23a7535ed90e6ccc6ea9f456eabdb808147bb707797bd7a46a327c9137657056665121092 SHA512 392a8ebc34536dd94530e9a63d3591e7a4528e46f0887715f206ebdc549be7e4b7919ceb9f6b3479c0ac6c254040e0c34a447404dfac7f7a15a24829fa77609a
MISC metadata.xml 828 BLAKE2B c33cbf260d3d2f9529101c441cf49fcce001deec2b23c22a63715ff2ecc0e105c46a37e0aaf9641449d88e57b148d5fbca534a3b81475ffe795aeb07f5c1441f SHA512 5e13ad73cf38a8e4690506fc56f3482d72675622d3882c4cae335c5146c6cd9a942eca23834d1a010d3edb7deca8325d9f4ff576b59a3879b47966489fd28a65
diff --git a/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch b/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch
deleted file mode 100644
index 9d53f90190b0..000000000000
--- a/net-libs/libetpan/files/libetpan-1.9.3-missing-stddev_h.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-commit da9fd7839c9affea48f74a159a789fbb183b4be1
-Author: maxice8 <30738253+maxice8@users.noreply.github.com>
-Date: Fri Feb 1 01:58:08 2019 -0200
-
- add missing stddef.h include for 'NULL' (#322)
-
- clientid.c: In function 'mailimap_clientid':
- clientid.c:66:38: error: 'NULL' undeclared (first use in this function)
- if (mailimap_read_line(session) == NULL)
- ^~~~
- clientid.c:66:38: note: 'NULL' is defined in header '<stddef.h>'; did you forget to '#include <stddef.h>'?
- clientid.c:39:1:
- +#include <stddef.h>
-
- clientid.c:66:38:
- if (mailimap_read_line(session) == NULL)
-
-diff --git a/src/low-level/imap/clientid.c b/src/low-level/imap/clientid.c
-index 1c34637..38880dd 100644
---- a/src/low-level/imap/clientid.c
-+++ b/src/low-level/imap/clientid.c
-@@ -33,6 +33,8 @@
- # include <config.h>
- #endif
-
-+#include <stdlib.h>
-+
- #include "mailimap_sender.h"
- #include "clientid_sender.h"
- #include "clientid.h"
diff --git a/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch b/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch
new file mode 100644
index 000000000000..19e573569fad
--- /dev/null
+++ b/net-libs/libetpan/files/libetpan-1.9.4-CVE-2020-15953.patch
@@ -0,0 +1,86 @@
+From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <duesee@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: [PATCH 1/2] Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index bb17119..4ffcf55 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
+
+ mailimap_response_free(response);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->imap_stream->read_buffer_len != 0) {
++ // Since it is also an IMAP protocol violation, exit.
++ return MAILIMAP_ERROR_STARTTLS;
++ }
++
+ switch (error_code) {
+ case MAILIMAP_RESP_COND_STATE_OK:
+ return MAILIMAP_NO_ERROR;
+--
+2.28.0
+
+
+From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <Murgeye@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: [PATCH 2/2] Detect extra data after STARTTLS responses in SMTP and
+ POP3 and exit (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+
+ if (r != RESPONSE_OK)
+ return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++ // Detect if the server send extra data after the STLS response.
++ // This *may* be a "response injection attack".
++ if (f->pop3_stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no error type for STARTTLS errors in POP3
++ return MAILPOP3_ERROR_SSL;
++ }
+
+ return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index b7fc459..3145cad 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
+ return MAILSMTP_ERROR_STREAM;
+ r = read_response(session);
+
++ // Detect if the server send extra data after the STARTTLS response.
++ // This *may* be a "response injection attack".
++ if (session->stream->read_buffer_len != 0) {
++ // Since it is also protocol violation, exit.
++ // There is no general error type for STARTTLS errors in SMTP
++ return MAILSMTP_ERROR_SSL;
++ }
++
+ switch (r) {
+ case 220:
+ return MAILSMTP_NO_ERROR;
+--
+2.28.0
+
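Review bot: The three added `read_buffer_len != 0` checks (in `mailimap_starttls`, `mailpop3_stls` and `mailesmtp_starttls`) return an error but leave the unsolicited pre-TLS bytes in the stream buffer. The fix therefore holds only if every caller treats these codes as fatal and closes the connection instead of retrying or continuing in cleartext on the same session; the callers are not visible here, so that should be confirmed. I would state the contract at each check, e.g. `/* Caller must drop the connection on this error; the buffered plaintext is not discarded here. */`. In the POP3 and SMTP hunks, reusing `MAILPOP3_ERROR_SSL` and `MAILSMTP_ERROR_SSL` makes a suspected response injection indistinguishable from an ordinary TLS failure, so a dedicated code or a log line at the check would help detection. The enclosing functions start and end outside the embedded hunks, and the comments should read "server sent" rather than "server send".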
diff --git a/net-libs/libetpan/libetpan-1.9.3.ebuild b/net-libs/libetpan/libetpan-1.9.3.ebuild
deleted file mode 100644
index 8fb6d3cd1d90..000000000000
--- a/net-libs/libetpan/libetpan-1.9.3.ebuild
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-inherit autotools
-
-DESCRIPTION="A portable, efficient middleware for different kinds of mail access"
-HOMEPAGE="http://libetpan.sourceforge.net/"
-SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="~alpha amd64 ~arm hppa ~mips ppc ppc64 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
-IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
-
-# BerkDB is only supported up to version 6.0
-DEPEND="sys-libs/zlib
- !lmdb? ( berkdb? ( <sys-libs/db-6.1:= ) )
- lmdb? ( dev-db/lmdb )
- ssl? (
- gnutls? ( net-libs/gnutls:= )
- !gnutls? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- )
- sasl? ( dev-libs/cyrus-sasl:2 )
- liblockfile? ( net-libs/liblockfile )"
-RDEPEND="${DEPEND}"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.0-nonnull.patch
- "${FILESDIR}"/${PN}-1.9.3-missing-stddev_h.patch
-)
-
-pkg_pretend() {
- if use gnutls && ! use ssl ; then
- ewarn "You have \"gnutls\" USE flag enabled but \"ssl\" USE flag disabled!"
- ewarn "No ssl support will be available in ${PN}."
- fi
-
- if use berkdb && use lmdb ; then
- ewarn "You have \"berkdb\" _and_ \"lmdb\" USE flags enabled."
- ewarn "Using lmdb as cache DB!"
- fi
-}
-
-src_prepare() {
- default
- eautoreconf
-}
-
-src_configure() {
- # in Prefix emake uses SHELL=${BASH}, export CONFIG_SHELL to the same so
- # libtool recognises it as valid shell (bug #300211)
- use prefix && export CONFIG_SHELL=${BASH}
- local myeconfargs=(
- # --enable-debug simply injects "-O2 -g" into CFLAGS
- --disable-debug
- $(use_enable berkdb db)
- $(use_enable ipv6)
- $(use_enable liblockfile lockfile)
- $(use_enable lmdb)
- $(use_enable static-libs static)
- $(use_with sasl)
- $(usex ssl "$(use_with gnutls) $(use_with !gnutls openssl)" '--without-gnutls --without-openssl')
- )
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
- find "${ED}" -name "*.la" -delete || die
- if ! use static-libs ; then
- find "${ED}" -name "*.a" -delete || die
- fi
-}
diff --git a/net-libs/libetpan/libetpan-1.9.4.ebuild b/net-libs/libetpan/libetpan-1.9.4-r1.ebuild
index 373a43129b37..ccf8dbd57368 100644
--- a/net-libs/libetpan/libetpan-1.9.4.ebuild
+++ b/net-libs/libetpan/libetpan-1.9.4-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -10,7 +10,7 @@ SRC_URI="https://github.com/dinhviethoa/${PN}/archive/${PV}.tar.gz -> ${P}.tar.g
LICENSE="BSD"
SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
+KEYWORDS="~alpha amd64 ~arm hppa ~mips ppc ppc64 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos"
IUSE="berkdb gnutls ipv6 liblockfile libressl lmdb sasl ssl static-libs"
# BerkDB is only supported up to version 6.0
@@ -32,6 +32,7 @@ PATCHES=(
"${FILESDIR}"/${PN}-1.0-nonnull.patch
"${FILESDIR}"/${PN}-1.9.4-berkdb_lookup.patch #519846
"${FILESDIR}"/${PN}-1.9.4-pkgconfig_file_no_ldflags.patch
+ "${FILESDIR}"/${P}-CVE-2020-15953.patch #734130
)
pkg_pretend() {