MailCore / mailcore2

MailCore 2 provides a simple and asynchronous API to work with the e-mail protocols IMAP, POP and SMTP. The API has been redesigned from the ground up.

CVE-2021-26911: no certificate check on IMAP STARTTLS #1903

Closed dglynos closed 3 years ago

dglynos commented 3 years ago

Hello, we were doing a quick functional test of Canary Mail, which uses a fork of mailcore2, and found it wasn't performing certificate validation when connecting to IMAP servers with STARTTLS. CVE-2021-26911 has been assigned to this issue. For more info on this, see: https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/

While investigating this further today, it seems that the vulnerability stems from mailcore2. Specifically, checkCertificate() is never called for ConnectionTypeStartTLS in https://github.com/MailCore/mailcore2/blob/5fb0f93010ff7af426e72e9066db8cb19b8154be/src/core/imap/MCIMAPSession.cpp#L658

This is a serious vulnerability as it allows for man-in-the-middle attacks as described in the aforementioned article.
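The bug class described in the report is a verification step that exists on one transport path (a socket wrapped in TLS from the start) but is skipped on another (a plaintext connection upgraded with STARTTLS). The following is an added illustration, not code from mailcore2 or from the reporter: a stand-alone C++ model in which `ConnectionType`, `PeerCertificate`, `SessionOutcome`, `checkCertificate`, `connectBeforeFix` and `connectAfterFix` are all hypothetical names, and the certificate is a constructed struct rather than a real X.509 object. It shows why a client that only checks certificates in the implicit-TLS branch still sends LOGIN to a peer presenting an unverifiable certificate after STARTTLS, and how routing both TLS entry points through the same check closes the gap.

```cpp
#include <cstdio>

// Connection modes an IMAP client can be configured with. The names mirror the
// values mentioned in the issue; the rest of this file is a hypothetical model.
enum class ConnectionType { Clear, TLS, StartTLS };

// Constructed stand-in for the peer certificate seen during the TLS handshake.
// The two flags model the results a real verifier would compute.
struct PeerCertificate {
    bool chainValid;       // chains to a trusted CA and is within its validity period
    bool hostnameMatches;  // subject / SAN matches the host that was dialled
};

// What happened during session setup: whether TLS came up, whether the
// certificate was verified, and whether credentials would be sent.
struct SessionOutcome {
    bool tlsEstablished;
    bool certificateChecked;
    bool loginSent;
};

// Hypothetical verification routine. A real one would walk the chain against
// the trust store and compare the hostname against subject / SAN entries.
static bool checkCertificate(const PeerCertificate& cert) {
    return cert.chainValid && cert.hostnameMatches;
}

// Models the pre-fix control flow: verification runs only when the socket is
// TLS from the start. After a STARTTLS upgrade the check is never reached, so
// an unverifiable certificate still results in LOGIN being sent.
SessionOutcome connectBeforeFix(ConnectionType type, const PeerCertificate& cert) {
    SessionOutcome out{false, false, false};
    switch (type) {
    case ConnectionType::Clear:
        out.loginSent = true;          // plaintext by configuration; nothing to verify
        break;
    case ConnectionType::TLS:
        out.tlsEstablished = true;
        out.certificateChecked = true;
        out.loginSent = checkCertificate(cert);
        break;
    case ConnectionType::StartTLS:
        out.tlsEstablished = true;     // STARTTLS upgrade completed
        // defect being modelled: no checkCertificate() call on this path
        out.loginSent = true;
        break;
    }
    return out;
}

// Post-fix control flow: every path that ends in a TLS channel, whether
// implicit TLS or a STARTTLS upgrade, runs the same verification, and LOGIN
// is only sent when it succeeds.
SessionOutcome connectAfterFix(ConnectionType type, const PeerCertificate& cert) {
    SessionOutcome out{false, false, false};
    if (type == ConnectionType::Clear) {
        out.loginSent = true;
        return out;
    }
    out.tlsEstablished = true;
    out.certificateChecked = true;
    out.loginSent = checkCertificate(cert);
    return out;
}

int main() {
    // Constructed certificate that fails both chain and hostname checks.
    const PeerCertificate forged{false, false};
    const SessionOutcome before = connectBeforeFix(ConnectionType::StartTLS, forged);
    const SessionOutcome after  = connectAfterFix(ConnectionType::StartTLS, forged);
    std::printf("STARTTLS, unverifiable cert, before fix: checked=%d login=%d\n",
                before.certificateChecked, before.loginSent);
    std::printf("STARTTLS, unverifiable cert, after fix:  checked=%d login=%d\n",
                after.certificateChecked, after.loginSent);
    return 0;
}
```

The useful property to assert in a regression test is not just that `checkCertificate()` is called somewhere, but that it is called on every code path that ends with credentials on the wire; a switch over the connection type, as in the pre-fix model above, makes it easy for one branch to diverge silently.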

haithngn commented 3 years ago

Thanks @dglynos for your contribution! Fixed at https://github.com/MailCore/mailcore2/commit/fad23d736ed5a63cf8321469d3a98a583f55df97

dglynos commented 3 years ago

> Thanks @dglynos for your contribution! Fixed at fad23d7

You're welcome! @haithngn it would be a good idea to publish a mailcore2 release so that security advisories may point to the release for the fix. Do you think this is possible?