geary: mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (CVE-2020-24661)

GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not configured to use a system-provided PKCS#11 store. This allows a meddler in the middle to present a different invalid certificate to intercept incoming and outgoing mail.

Fixed In Version:

geary 3.36.3.1

References:

https://bugs.gentoo.org/show_bug.cgi?id=CVE-2020-24661
https://security-tracker.debian.org/tracker/CVE-2020-24661

Affected branches:

master (0e777ba2)
3.12-stable

Edited Sep 15, 2020 by Leo

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information