!1 package init

From: @dou33
Reviewed-by: @tanyulong2021
Signed-off-by: @tanyulong2021

libetpan-1.9.2-cryptopolicy.patch

@@ -0,0 +1,11 @@
+diff -Naur libetpan-1.9.2-orig/src/data-types/mailstream_ssl.c libetpan-1.9.2/src/data-types/mailstream_ssl.c
+--- libetpan-1.9.2-orig/src/data-types/mailstream_ssl.c	2018-12-18 00:18:48.000000000 +0100
++++ libetpan-1.9.2/src/data-types/mailstream_ssl.c	2018-12-24 20:12:06.870080101 +0100
+@@ -622,7 +622,6 @@
+   gnutls_certificate_set_retrieve_function(xcred, mailstream_gnutls_client_cert_cb);
+ #endif
+   gnutls_set_default_priority(session);
+-  gnutls_priority_set_direct(session, "NORMAL", NULL);
+ 
+   gnutls_record_disable_padding(session);
+   gnutls_dh_set_prime_bits(session, 512);

libetpan-1.9.4-0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch

@@ -0,0 +1,30 @@
+From 1002a0121a8f5a9aee25357769807f2c519fa50b Mon Sep 17 00:00:00 2001
+From: Damian Poddebniak <duesee@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:39:53 +0200
+Subject: [PATCH 1/2] Detect extra data after STARTTLS response and exit (#387)
+
+---
+ src/low-level/imap/mailimap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/low-level/imap/mailimap.c b/src/low-level/imap/mailimap.c
+index bb17119..4ffcf55 100644
+--- a/src/low-level/imap/mailimap.c
++++ b/src/low-level/imap/mailimap.c
+@@ -2428,6 +2428,13 @@ int mailimap_starttls(mailimap * session)
+ 
+   mailimap_response_free(response);
+ 
++  // Detect if the server send extra data after the STARTTLS response.
++  // This *may* be a "response injection attack".
++  if (session->imap_stream->read_buffer_len != 0) {
++      // Since it is also an IMAP protocol violation, exit.
++      return MAILIMAP_ERROR_STARTTLS;
++  }
++
+   switch (error_code) {
+   case MAILIMAP_RESP_COND_STATE_OK:
+     return MAILIMAP_NO_ERROR;
+-- 
+2.26.2
+

libetpan-1.9.4-0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch

@@ -0,0 +1,55 @@
+From 298460a2adaabd2f28f417a0f106cb3b68d27df9 Mon Sep 17 00:00:00 2001
+From: Fabian Ising <Murgeye@users.noreply.github.com>
+Date: Fri, 24 Jul 2020 19:40:48 +0200
+Subject: [PATCH 2/2] Detect extra data after STARTTLS responses in SMTP and
+ POP3 and exit (#388)
+
+* Detect extra data after STLS response and return error
+
+* Detect extra data after SMTP STARTTLS response and return error
+---
+ src/low-level/pop3/mailpop3.c | 8 ++++++++
+ src/low-level/smtp/mailsmtp.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/low-level/pop3/mailpop3.c b/src/low-level/pop3/mailpop3.c
+index ab9535b..e2124bf 100644
+--- a/src/low-level/pop3/mailpop3.c
++++ b/src/low-level/pop3/mailpop3.c
+@@ -959,6 +959,14 @@ int mailpop3_stls(mailpop3 * f)
+ 
+   if (r != RESPONSE_OK)
+     return MAILPOP3_ERROR_STLS_NOT_SUPPORTED;
++
++  // Detect if the server send extra data after the STLS response.
++  // This *may* be a "response injection attack".
++  if (f->pop3_stream->read_buffer_len != 0) {
++    // Since it is also protocol violation, exit.
++    // There is no error type for STARTTLS errors in POP3
++    return MAILPOP3_ERROR_SSL;
++  }
+   
+   return MAILPOP3_NO_ERROR;
+ }
+diff --git a/src/low-level/smtp/mailsmtp.c b/src/low-level/smtp/mailsmtp.c
+index b7fc459..3145cad 100644
+--- a/src/low-level/smtp/mailsmtp.c
++++ b/src/low-level/smtp/mailsmtp.c
+@@ -1111,6 +1111,14 @@ int mailesmtp_starttls(mailsmtp * session)
+     return MAILSMTP_ERROR_STREAM;
+   r = read_response(session);
+ 
++  // Detect if the server send extra data after the STARTTLS response.
++  // This *may* be a "response injection attack".
++  if (session->stream->read_buffer_len != 0) {
++    // Since it is also protocol violation, exit.
++    // There is no general error type for STARTTLS errors in SMTP
++    return MAILSMTP_ERROR_SSL;
++  }
++
+   switch (r) {
+   case 220:
+     return MAILSMTP_NO_ERROR;
+-- 
+2.26.2
+

libetpan.spec

@@ -0,0 +1,101 @@
+Name:           libetpan
+Version:        1.9.4
+Release:        6
+Summary:        Portable, efficient middle-ware for different kinds of mail access
+
+License:        BSD
+URL:            http://www.etpan.org/
+Source0:        https://github.com/dinhviethoa/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+# system crypto policy (see rhbz#1179310)
+Patch10:        libetpan-1.9.2-cryptopolicy.patch
+# Upstream patches
+#
+# CVE-2020-15953
+# https://github.com/dinhvh/libetpan/issues/386
+# Detect extra data after STARTTLS response and exit
+# https://github.com/dinhvh/libetpan/pull/387
+Patch101:       libetpan-1.9.4-0001-Detect-extra-data-after-STARTTLS-response-and-exit-3.patch
+# Detect extra data after STARTTLS responses in SMTP and POP3 and exit
+# https://github.com/dinhvh/libetpan/pull/388
+Patch102:       libetpan-1.9.4-0002-Detect-extra-data-after-STARTTLS-responses-in-SMTP-a.patch
+
+BuildRequires:  gcc-c++
+BuildRequires:  liblockfile-devel
+BuildRequires:  libdb-devel < 5.4
+BuildRequires:  cyrus-sasl-devel
+BuildRequires:  gnutls-devel
+BuildRequires:  libtool
+BuildRequires:  zlib-devel
+BuildRequires:  autoconf automake
+BuildRequires: make
+# disabled by default in configure.ac accidentally
+# https://github.com/dinhviethoa/libetpan/issues/221
+# libcurl and libexpat not needed by Claws Mail:
+# http://lists.claws-mail.org/pipermail/users/2016-January/015665.html
+#BuildRequires:  libcurl-devel expat-devel
+
+%description
+The purpose of this mail library is to provide a portable, efficient middle-ware
+for different kinds of mail access. When using the drivers interface, the
+interface is the same for all kinds of mail access, remote and local mailboxes.
+
+%package        devel
+Summary:        Development package for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description    devel
+The %{name}-devel package contains the files needed for development
+with %{name}.
+
+%prep
+%setup -q
+
+#%patch0 -b .libetpan-config-script
+sed -i.flags libetpan.pc.in \
+    -e 's|-letpan@LIBSUFFIX@.*$|-letpan@LIBSUFFIX@|'
+%patch10 -p1 -b .crypto-policy
+%patch101 -p1 -b .CVE-2020-15953-1
+%patch102 -p1 -b .CVE-2020-15953-2
+
+# 2013-08-05 F20 development, bz 992070: The configure scripts adds some
+# extra libs to the GnuTLS link options, which cause rebuilds to fail, since
+# gnutls-devel no longer pulls in libgcrypt-devel libgpg-error-devel
+# [The alternative fix is to BR those packages, of course.]
+grep 'GNUTLSLIB="-lgnutls -lgcrypt -lgpg-error -lz"' configure.ac || exit -1
+sed -i '\@GNUTLSLIB=@s!-lgcrypt -lgpg-error -lz!!g' configure.ac
+
+env NOCONFIGURE=1 ./autogen.sh
+
+%build
+#%global optflags %(echo %{optflags} | sed 's/-g /-g -Wno-format-truncation /')
+%configure --disable-static --with-gnutls=yes --with-openssl=no
+make LIBTOOL=%{_bindir}/libtool %{?_smp_mflags}
+
+cd doc
+make doc
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+
+rm -rf $RPM_BUILD_ROOT%{_libdir}/libetpan.{,l}a
+
+iconv -f iso8859-1 -t utf-8 ChangeLog > ChangeLog.conv && mv -f ChangeLog.conv ChangeLog
+
+%ldconfig_scriptlets
+
+%files
+%license COPYRIGHT
+%doc ChangeLog NEWS
+%{_libdir}/%{name}.so.20
+%{_libdir}/%{name}.so.20.*
+
+%files devel
+%doc doc/API.html doc/README.html doc/DOCUMENTATION
+%{_libdir}/pkgconfig/%{name}.pc
+%{_includedir}/libetpan/
+%{_includedir}/libetpan.h
+%{_libdir}/%{name}.so
+
+%changelog
+* Wen Sep 22 2021 douyan <douyan@kylinos.cn> - 1.9.4-6
+- Init package for openEuler