Bug 1609916 (CVE-2016-10727) - CVE-2016-10727 evolution-data-server: IMAPx Component Information Disclosure
Summary: CVE-2016-10727 evolution-data-server: IMAPx Component Information Disclosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-10727
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1609918
 
Reported: 2018-07-30 19:39 UTC by Laura Pardo
Modified: 2021-02-16 23:52 UTC

Fixed In Version: evolution-data-server 3.21.2
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-05 11:35:29 UTC
Embargoed:



Description Laura Pardo 2018-07-30 19:39:19 UTC
A flaw was found in GNOME evolution-data-server before 3.21.2. camel/providers/imapx/camel-imapx-server.c in the IMAPx component proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. The server code was intended to report an error and not proceed, but the code was written incorrectly.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1334842

Upstream Patch:
https://gitlab.gnome.org/GNOME/evolution-data-server/commit/f26a6f67
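
The fail-closed behaviour that the description says was intended, as an added example that is not code from evolution-data-server or from the upstream patch: a client-side decision made on the server's CAPABILITY response before any credentials are written. All type and function names are hypothetical, and the capability lines it is exercised with are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; this is not code from evolution-data-server. */
typedef enum { SEC_NONE, SEC_STARTTLS_REQUIRED } sec_policy;
typedef enum { NEXT_LOGIN_CLEARTEXT, NEXT_SEND_STARTTLS, NEXT_ABORT } next_step;

/* Case-insensitive match of one whole space-delimited token in an IMAP
 * "* CAPABILITY ..." line, so "STARTTLSX" or "XSTARTTLS" never counts. */
static bool has_capability(const char *line, const char *cap)
{
    size_t n = strlen(cap);
    const char *p = line;

    while (*p) {
        while (*p == ' ') p++;                      /* skip separators */
        const char *start = p;
        while (*p && *p != ' ' && *p != '\r' && *p != '\n') p++;
        if ((size_t)(p - start) == n) {
            size_t i = 0;
            while (i < n && toupper((unsigned char)start[i]) ==
                            toupper((unsigned char)cap[i]))
                i++;
            if (i == n) return true;
        }
        while (*p == '\r' || *p == '\n') p++;       /* skip line ending */
    }
    return false;
}

/* Decide what the client may do before any credentials are written.
 * Fail closed: a required upgrade that the server does not offer ends the
 * connection attempt; it never falls through to a cleartext login. */
next_step plan_after_capability(sec_policy policy, const char *capability_line)
{
    bool starttls = has_capability(capability_line, "STARTTLS");

    if (policy == SEC_STARTTLS_REQUIRED)
        return starttls ? NEXT_SEND_STARTTLS : NEXT_ABORT;

    /* No TLS requested by the user: still honour LOGINDISABLED (RFC 3501). */
    if (has_capability(capability_line, "LOGINDISABLED"))
        return NEXT_ABORT;
    return NEXT_LOGIN_CLEARTEXT;
}
```

The caller has to treat NEXT_ABORT as terminal for the connection attempt; setting an error and then continuing to the authentication step reproduces the class of flaw described above.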

Comment 1 Milan Crha 2018-08-20 15:29:20 UTC
I'm sorry, but what is this bug supposed to serve for, please? It doesn't make any sense to me to file a bug for a thing which had been fixed more than two years ago, while Fedora supports only ~13 months back. What am I missing here, please?

Comment 2 Laura Pardo 2018-08-21 14:41:44 UTC
(In reply to Milan Crha from comment #1)
> I'm sorry, but what is this bug supposed to serve for, please? It doesn't
> make any sense to me to file a bug for a thing which had been fixed more
> than two years ago, while Fedora supports only ~13 months back. What am I
> missing here, please?

Hi Milan,
Fedora is not affected by this issue, as noted in fedora-all/evolution-data-server=notaffected. However, I still need to file this for the remaining platforms that ship this package.

Comment 3 Milan Crha 2018-08-22 11:01:25 UTC
I see. If I read the white board properly, then it says only:
  rhel-7/evolution-data-server=affected
and all the others are not affected. RHEL 7.4 contains evolution-data-server-3.22.7, which had the upstream fix included, thus unless you aim even lower, this had been addressed in RHEL 7 ~a year ago, thus it's not affected now too. Am I right?

RHEL 7.3 had evolution-data-server-3.12.11, which would be affected, not being of bug #1265684, whose changes included that upstream fix as one of the side effects.

Maybe RHEL 7.2 is affected, it also contains 3.12.11.

Comment 4 Adam Mariš 2018-09-05 11:33:25 UTC
In reply to comment 3:
> I see. If I read the white board properly, then it says only:
>   rhel-7/evolution-data-server=affected
> and all the others are not affected. RHEL 7.4 contains
> evolution-data-server-3.22.7, which had the upstream fix included, thus
> unless you aim even lower, this had been addressed in RHEL 7 ~a year ago,
> thus it's not affected now too. Am I right?
> 
> RHEL 7.3 had evolution-data-server-3.12.11, which would be affected, not
> being of bug #1265684, whose changes included that upstream fix as one of
> the side effects.
> 
> Maybe RHEL 7.2 is affected, it also contains 3.12.11.

Yes, this was fixed by https://access.redhat.com/errata/RHBA-2016:2206
Regarding the whiteboard, we need to set it to "affected" since RHEL-7.2 is still affected and also due to proper errata link being displayed on CVE page.

Comment 5 Adam Mariš 2018-09-05 11:35:37 UTC
Statement:

This issue did not affect the versions of evolution-data-server as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include the vulnerable code.

