Package: mpop
Version: 1.0.5-1

Julien, could you take care of adding this and pushing it through etch security? My laptop died and I can't build this myself.
Thanks.

---------- Forwarded message ----------
From: Martin Lambers <[EMAIL PROTECTED]>
Date: 29-Apr-2007 21:11
Subject: Re: Patch for mpop-1.0.5 to fix the APOP weakness
To: Carlos Martín Nieto <[EMAIL PROTECTED]>
Cc: Julien Louis <[EMAIL PROTECTED]>

This is an updated patch to fix the APOP weakness described in CVE-2007-1558 for mpop-1.0.5.

- It is less invasive than the previous patch. APOP authentication is still fully supported even without TLS. No user needs to change his configuration.
- The APOP check was updated. The minimum length requirement is gone. There is a new check for an '@' now. This ensures that the APOP timestamp has both a local and a domain part, as required by the RFCs.

With this patch, it should be safe to continue to use APOP authentication for now.

Regards,
Martin
diff -ur mpop-1.0.5/src/pop3.c mpop-1.0.5-apop-fix/src/pop3.c --- mpop-1.0.5/src/pop3.c 2006-09-23 03:35:03.000000000 +0200 +++ mpop-1.0.5-apop-fix/src/pop3.c 2007-04-29 21:00:05.000000000 +0200 @@ -407,11 +407,13 @@ * see pop3.h */ +char *pop3_get_addr(const char *s); + int pop3_get_greeting(pop3_session_t *session, char *greeting, char **errmsg, char **errstr) { int e; - char *p, *q; + char *p, *q, *a; if ((e = pop3_get_msg(session, 0, errstr)) != POP3_EOK) { @@ -429,17 +431,23 @@ /* 'greeting' is large enough */ strcpy(greeting, session->buffer + 4); } - /* search APOP timestamp */ - if ((p = strchr(session->buffer, '<')) != NULL) - { - if ((q = strchr(p, '>')) != NULL) - { - session->cap.flags |= POP3_CAP_AUTH_APOP; - session->cap.apop_timestamp = xmalloc((q - p + 2) * sizeof(char)); - strncpy(session->cap.apop_timestamp, p, q - p + 1); - session->cap.apop_timestamp[q - p + 1] = '\0'; - } + /* Search APOP timestamp. Make sure that it is a valid RFC822 message id as + * required by RFC 1939. This should make man-in-the-middle attacks as + * described in CVE-2007-1558 harder. */ + a = NULL; + if ((p = strchr(session->buffer, '<')) != NULL /* start of timestamp */ + && (q = strchr(p + 1, '>')) != NULL /* end of timestamp */ + && (a = pop3_get_addr(p)) /* valid address */ + && strchr(a, '@') /* has domain part */ + && strlen(a) + 2 == (size_t)(q - p + 1) /* no specials */ + && strncmp(p + 1, a, q - p - 1) == 0) /* no invalid chars */ + { + session->cap.flags |= POP3_CAP_AUTH_APOP; + session->cap.apop_timestamp = xmalloc((q - p + 2) * sizeof(char)); + strncpy(session->cap.apop_timestamp, p, q - p + 1); + session->cap.apop_timestamp[q - p + 1] = '\0'; } + free(a); return POP3_EOK; }
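Review bot: in the first hunk, the prototype `char *pop3_get_addr(const char *s);` is dropped into pop3.c directly under the "see pop3.h" comment, and the definition of pop3_get_addr is not part of this diff, so a reader cannot tell where the function lives or what it returns; either declare it in pop3.h next to the other exported functions or, if it is only used here, define it as `static` above pop3_get_greeting and drop the forward declaration. Whichever is chosen, document the ownership contract at the declaration: the caller in the second hunk passes the result to free(), so pop3_get_addr must return a freshly xmalloc'ed string (or NULL) and must never return a pointer into its input.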
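Review bot: in the second hunk, a greeting that contains a '<'...'>' pair but fails one of the new checks now silently leaves POP3_CAP_AUTH_APOP unset, so a user of a server with a non-RFC822 timestamp will see APOP disappear with no explanation; consider a debug/trace message at that point so the fallback to another auth method can be diagnosed. Also, `strchr(a, '@')` only proves that an '@' exists somewhere in the address; unless pop3_get_addr already rejects an empty local part or an empty domain (`<@host>`, `<user@>`), add explicit checks that the '@' is neither the first nor the last character of `a`, since an RFC 822 msg-id requires both parts to be non-empty. The `strlen(a) + 2 == (size_t)(q - p + 1)` test is correctly placed before the strncmp(), because strncmp over `q - p - 1` bytes alone would accept an `a` that is longer than the bracketed text; a one-line comment saying so would help the next reader. A regression test with the RFC 1939 example greeting `+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>` (must be accepted) and the same greeting with the '@' removed (must be rejected) would pin down the intended behaviour.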