From 86e2c664607de1016cc87833fac58b9d67cb533f Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 22 May 2021 20:10:33 +0200
Subject: [PATCH] Add lettre smtp vulnerability (#924)

---
 crates/lettre/RUSTSEC-0000-0000.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 crates/lettre/RUSTSEC-0000-0000.md

diff --git a/crates/lettre/RUSTSEC-0000-0000.md b/crates/lettre/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..1d4305f
--- /dev/null
+++ b/crates/lettre/RUSTSEC-0000-0000.md
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "lettre"
+date = "2021-05-22"
+url = "https://github.com/lettre/lettre/pull/627/commits/93458d01fed0ec81c0e7b4e98e6f35961356fae2"
+categories = ["format-injection"]
+keywords = ["email", "smtp"]
+aliases = ["GHSA-qc36-q22q-cjw3"]
+
+[versions]
+patched = [">= 0.10.0-rc.3", "< 0.10.0-alpha.1, >= 0.9.6"]
+unaffected = ["< 0.7.0"]
+
+[affected.functions]
+# smtp transport
+"lettre::smtp::SmtpTransport::send" = ["< 0.10.0-alpha.1"]
+"lettre::transport::smtp::SmtpTransport::send" = [">= 0.10.0-alpha.1, < 0.10.0-rc.3"]
+"lettre::transport::smtp::SmtpTransport::send_raw" = [">= 0.10.0-alpha.1, < 0.10.0-rc.3"]
+```
+
+# SMTP command injection in body
+
+Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.
+
+The flaw is fixed by correctly handling consecutive CRLF sequences.
+