Description: CVE-2024-34083 - STARTTLS unencrypted command injection
Author: Dale Richards <dale@dalerichards.net>
Origin: upstream, https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
Bug: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
Last-Update: 2024-06-07
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/aiosmtpd/smtp.py
+++ b/aiosmtpd/smtp.py
@@ -504,6 +504,9 @@
             self._reader._transport = transport
             self._writer._transport = transport
             self.transport = transport
+            # Discard any leftover unencrypted data
+            # See https://tools.ietf.org/html/rfc3207#page-7
+            self._reader._buffer.clear()  # type: ignore[attr-defined]
             # Do SSL certificate checking as rfc3207 part 4.1 says.  Why is
             # _extra a protected attribute?
             self.session.ssl = self._tls_protocol._extra
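Review bot: The added `self._reader._buffer.clear()` discards the plaintext silently, so an operator gets no signal that a client sent data in the window between the STARTTLS reply and the handshake, which is exactly the condition the advisory describes; consider logging before clearing, e.g. `if self._reader._buffer:  # type: ignore[attr-defined]` / `    log.warning("discarding %d bytes of plaintext received after STARTTLS", len(self._reader._buffer))` / `self._reader._buffer.clear()  # type: ignore[attr-defined]`, assuming the module-level logger is in scope here. The `type: ignore` also marks that `_buffer` is a private attribute of asyncio.StreamReader rather than public API, so the comment should say so and name the section being applied: `# RFC 3207 §4.2: any knowledge obtained from the client before TLS negotiation must be discarded; _buffer is an asyncio-internal attribute.` The enclosing method begins before this hunk, so whether any earlier `readline()` could already have consumed part of that plaintext cannot be confirmed from the hunk alone.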
