Package: libesmtp5
Version: 1.0.3-1

[I made several attempts to report the following to the upstream authors and the relevant mailing list since February, but I did not get a response, so I'm reporting this here.]
I think I found a flaw in libesmtp-1.0.3r1, file smtp-tls.c: The function match_domain() is used to match a host name against subjectAltNames of type DNS or against the Common Name of a certificate. It calls match_component() to match the components of a FQDN. match_component() will accept two strings as equal if they start equal but don't have equal length. For example, match_domain("mail.example.com", "mailhub.example.com") and match_domain("mail.somewhere.com", "mail.somewhere-else.com") return 1, not 0.

The following patch fixes that:

--- smtp-tls.c.orig 2005-02-04 01:54:43.033106064 +0100 +++ smtp-tls.c 2005-02-04 01:56:50.984654472 +0100 
@@ -439,16 +439,24 @@ match_component (const char *dom, const char *edom, const char *ref, const char *eref) { + int wildcard = 0; + while (dom < edom && ref < eref) { /* Accept a final '*' in the reference as a wildcard */ if (*ref == '*' && ref + 1 == eref) - break; + { + wildcard = 1; + break; + } /* compare the domain name case insensitive */ if (!(*dom == *ref || tolower (*dom) == tolower (*ref))) return 0; ref++, dom++; } + if (!wildcard && (dom < edom || ref < eref)) + return 0; + return 1; }

Security implication: Let the certificate of smtp.somewhere-else.com contain a subjectAltName of type DNS with the content smtp.somewhere-else.com (the host's name). If a user wants to contact smtp.somewhere.com, but can be tricked into contacting smtp.somewhere-else.com instead, he won't notice the difference even when TLS is active, because the check of "smtp.somewhere.com" against the certificate's subjectAltName "smtp.somewhere-else.com" returns OK.

This is probably not a big issue because anyone can create a certificate containing an arbitrary subjectAltName. But the owner of smtp.somewhere-else.com might get their certificate (that rightfully contains a subjectAltName of "smtp.somewhere-else.com") signed by a trusted CA, so that libesmtp fully trusts smtp.somewhere-else.com when it should not.

Martin
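Review bot: the post-loop check `if (!wildcard && (dom < edom || ref < eref)) return 0;` only honours a trailing `*` when the loop actually reaches it with domain characters still left, so a reference label such as `ab*` no longer matches the domain label `ab`: the loop exits with `dom == edom` before the `*` is examined, `wildcard` stays 0, and `ref < eref` is true, so the function returns 0. If a wildcard that consumes zero characters should still match, test for the trailing `*` after the loop as well, e.g. `if (ref + 1 == eref && *ref == '*') return 1;` ahead of the length check; if the intent is that the wildcard must consume at least one character, a comment saying so at the new check would settle the question for the next reader. Separately, the unchanged `tolower (*dom)` and `tolower (*ref)` calls pass a plain `char`, which is undefined behaviour for negative values on platforms where `char` is signed; casting to `unsigned char` first is the usual fix.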
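The prefix-match behaviour described in the report, and the corrected check from the patch, as an added stand-alone example (this is not libesmtp's code). The two match_component variants follow the loop shown in the patch; match_domain_with() is an assumed reconstruction of how a FQDN is walked label by label and is not the library's own match_domain(). The tolower() calls cast to unsigned char, which the original does not do. The host/certificate-name pairs in main() are constructed for the demonstration.

```c
/* Added example (not libesmtp code): the prefix-match flaw from the report
 * beside the corrected check, driven by an assumed label-splitting matcher
 * so the whole FQDN comparison can be exercised offline. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef int (*component_fn)(const char *dom, const char *edom,
                            const char *ref, const char *eref);

/* Vulnerable form (libesmtp 1.0.3r1 behaviour as described in the report):
 * returns 1 as soon as either side is exhausted, so "mail" matches "mailhub". */
static int match_component_prefix(const char *dom, const char *edom,
                                  const char *ref, const char *eref)
{
    while (dom < edom && ref < eref) {
        /* a final '*' in the reference is a wildcard for the rest of the label */
        if (*ref == '*' && ref + 1 == eref)
            break;
        /* case-insensitive comparison; the cast avoids UB on negative chars */
        if (tolower((unsigned char)*dom) != tolower((unsigned char)*ref))
            return 0;
        ref++, dom++;
    }
    return 1;               /* bug: never checks that both labels were consumed */
}

/* Corrected form (logic of the patch in the report): after the loop, reject
 * unless both labels are fully consumed or a trailing '*' absorbed the rest. */
static int match_component_fixed(const char *dom, const char *edom,
                                 const char *ref, const char *eref)
{
    int wildcard = 0;
    while (dom < edom && ref < eref) {
        if (*ref == '*' && ref + 1 == eref) {
            wildcard = 1;
            break;
        }
        if (tolower((unsigned char)*dom) != tolower((unsigned char)*ref))
            return 0;
        ref++, dom++;
    }
    if (!wildcard && (dom < edom || ref < eref))
        return 0;
    return 1;
}

/* Assumed driver (not libesmtp's match_domain): split both names on '.',
 * compare each label pair with cmp, and require the same number of labels. */
static int match_domain_with(const char *dom, const char *ref, component_fn cmp)
{
    const char *edom = dom + strlen(dom);
    const char *eref = ref + strlen(ref);

    while (dom < edom && ref < eref) {
        const char *d_end = memchr(dom, '.', (size_t)(edom - dom));
        const char *r_end = memchr(ref, '.', (size_t)(eref - ref));
        if (d_end == NULL) d_end = edom;
        if (r_end == NULL) r_end = eref;
        if (!cmp(dom, d_end, ref, r_end))
            return 0;
        dom = (d_end < edom) ? d_end + 1 : edom;
        ref = (r_end < eref) ? r_end + 1 : eref;
    }
    return dom == edom && ref == eref;
}

/* host: the name the client wants to talk to; cert_name: DNS SAN or CN */
int match_domain_vulnerable(const char *host, const char *cert_name)
{
    return match_domain_with(host, cert_name, match_component_prefix);
}

int match_domain_fixed(const char *host, const char *cert_name)
{
    return match_domain_with(host, cert_name, match_component_fixed);
}

int main(void)
{
    /* constructed pairs: the report's examples plus a few edge cases */
    static const char *pairs[][2] = {
        {"mail.example.com",   "mailhub.example.com"},
        {"mail.somewhere.com", "mail.somewhere-else.com"},
        {"smtp.somewhere.com", "smtp.somewhere-else.com"},
        {"mail.example.com",   "mail.example.co"},
        {"MAIL.Example.COM",   "mail.example.com"},
        {"foo.example.com",    "*.example.com"},
        {"a.b.example.com",    "*.example.com"},
    };
    size_t i;
    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-20s vs %-24s vulnerable=%d fixed=%d\n", pairs[i][0], pairs[i][1],
               match_domain_vulnerable(pairs[i][0], pairs[i][1]),
               match_domain_fixed(pairs[i][0], pairs[i][1]));
    return 0;
}
```

The first four pairs are accepted by the vulnerable matcher and rejected by the fixed one; the case-insensitive and single-label wildcard pairs are accepted by both, and the wildcard pair with an extra label is rejected by both because the label counts differ.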