* Security Bug: Alpine can be configured to start a secure connection using /tls

    on an insecure connection. However, if the connection is PREAUTH, Alpine
    will not upgrade the connection to a secure connection, because a client
    must not issue a STARTTLS to a server that supports it in authenticated
    state. This makes Alpine continue to use an insecure connection with the
    server, exposing user data. Reported by Damian Poddebniak and Fabian
    Ising, from Münster University of Applied Sciences.

1 files changed, 11 insertions, 1 deletions

diff --git a/imap/src/c-client/imap4r1.c b/imap/src/c-client/imap4r1.c
index 2233da6..4991f85 100644
--- a/imap/src/c-client/imap4r1.c
+++ b/imap/src/c-client/imap4r1.c
@@ -1,7 +1,7 @@
 /* 
  * Copyright 2016-2020 Eduardo Chappa
  *
- * Last Edited: Jan 26, 2020 Eduardo Chappa <alpine.chappa@gmx.com>
+ * Last Edited: Jun 18, 2020 Eduardo Chappa <alpine.chappa@yandex.com>
  *
  */
 /* ========================================================================
@@ -891,6 +891,16 @@ MAILSTREAM *imap_open (MAILSTREAM *stream)
       return NIL;		/* lost during greeting */
     }
 
+				/* STARTTLS is not allowed in PREAUTH state */
+    if (LOCAL->netstream && !strcmp (reply->key,"PREAUTH")){
+      sslstart_t stls = (sslstart_t) mail_parameters (NIL,GET_SSLSTART,NIL);
+      if (!LOCAL->gotcapability) imap_capability (stream);
+      if (LOCAL->netstream
+	 && stls && LOCAL->cap.starttls && !mb.sslflag && !mb.notlsflag && mb.tlsflag){
+	 mm_log("STARTTLS not allowed on PREAUTH state. Closing Connection", ERROR);
+	 return NIL;
+      }
+    }
 				/* if connected and not preauthenticated */
     if (LOCAL->netstream && strcmp (reply->key,"PREAUTH")) {
       sslstart_t stls = (sslstart_t) mail_parameters (NIL,GET_SSLSTART,NIL);