1 files changed, 30 insertions, 0 deletions

diff --git a/mail-client/mutt/files/mutt-1.14.4-no-imap-preauth-with-tunnel.patch b/mail-client/mutt/files/mutt-1.14.4-no-imap-preauth-with-tunnel.patch
new file mode 100644
index 000000000000..d4d2104db08c
--- /dev/null
+++ b/mail-client/mutt/files/mutt-1.14.4-no-imap-preauth-with-tunnel.patch
@@ -0,0 +1,30 @@
+From dc909119b3433a84290f0095c0f43a23b98b3748 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sat, 20 Jun 2020 06:35:35 -0700
+Subject: [PATCH] Don't check IMAP PREAUTH encryption if $tunnel is in use.
+
+$tunnel is used to create an external encrypted connection.  The
+default of $ssl_starttls is yes, meaning those kinds of connections
+will be broken by the CVE-2020-14093 fix.
+---
+ imap/imap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/imap/imap.c b/imap/imap.c
+index 3ca10df4..78d75b07 100644
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -532,8 +532,8 @@ int imap_open_connection (IMAP_DATA* idata)
+   {
+ #if defined(USE_SSL)
+     /* An unencrypted PREAUTH response is most likely a MITM attack.
+-     * Require a confirmation. */
+-    if (!idata->conn->ssf)
++     * Require a confirmation unless using $tunnel. */
++    if (!idata->conn->ssf && !Tunnel)
+     {
+       if (option(OPTSSLFORCETLS) ||
+           (query_quadoption (OPT_SSLSTARTTLS,
+-- 
+GitLab
+