Package: mpop
Version: 1.0.5-1

Julien, could you take care of adding this and pushing it through etch
security? My laptop died and I can't build this myself.

Thanks.

---------- Forwarded message ----------
From: Martin Lambers <[EMAIL PROTECTED]>
Date: 29-Apr-2007 21:11
Subject: Re: Patch for mpop-1.0.5 to fix the APOP weakness
To: Carlos Martín Nieto <[EMAIL PROTECTED]>
Cc: Julien Louis <[EMAIL PROTECTED]>


This is an updated patch to fix the APOP weakness described in
CVE-2007-1558 for mpop-1.0.5.

- It is less invasive than the previous patch. APOP authentication is
 still fully supported even without TLS. No user needs to change his
 configuration.
- The APOP check was updated. The minimum length requirement is gone.
 There is a new check for an '@' now. This ensures that the APOP
 timestamp has both a local and a domain part, as required by the RFCs.

With this patch, it should be safe to continue to use APOP
authentication for now.

Regards,
Martin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGNO3XU5CaZRW8NIsRAomNAJ0SFZ6dALStE7niq0XCcbkQY7bPqgCaAtSz
eTvNwhdiTk9/1VxmLaz4NAc=
=LOzG
-----END PGP SIGNATURE-----
diff -ur mpop-1.0.5/src/pop3.c mpop-1.0.5-apop-fix/src/pop3.c
--- mpop-1.0.5/src/pop3.c	2006-09-23 03:35:03.000000000 +0200
+++ mpop-1.0.5-apop-fix/src/pop3.c	2007-04-29 21:00:05.000000000 +0200
@@ -407,11 +407,13 @@
  * see pop3.h
  */
 
+char *pop3_get_addr(const char *s);
+
 int pop3_get_greeting(pop3_session_t *session, char *greeting, 
 	char **errmsg, char **errstr)
 {
     int e;
-    char *p, *q;
+    char *p, *q, *a;
     
     if ((e = pop3_get_msg(session, 0, errstr)) != POP3_EOK)
     {
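Review bot: the forward declaration `char *pop3_get_addr(const char *s);` has no definition anywhere in this diff and is not `static`; if it is a new file-local helper in pop3.c it should be defined in the patch and declared `static`, and if it already exists (or belongs in pop3.h with the other prototypes) the declaration should say so, since the second hunk depends entirely on its behaviour. It is also inserted between the `/* see pop3.h */` doc comment and `pop3_get_greeting`, the function that comment describes; moving the prototype above the comment keeps them together. A one-line comment on the contract (returns a heap string the caller frees, and whether it expects the leading `<` that `p` points at) would let the caller's `free(a)` be checked against it.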
@@ -429,17 +431,23 @@
 	/* 'greeting' is large enough */
 	strcpy(greeting, session->buffer + 4);
     }
-    /* search APOP timestamp */
-    if ((p = strchr(session->buffer, '<')) != NULL)
-    {
-	if ((q = strchr(p, '>')) != NULL)
-	{
-	    session->cap.flags |= POP3_CAP_AUTH_APOP;
-	    session->cap.apop_timestamp = xmalloc((q - p + 2) * sizeof(char));
-	    strncpy(session->cap.apop_timestamp, p, q - p + 1);
-	    session->cap.apop_timestamp[q - p + 1] = '\0';
-	}
+    /* Search APOP timestamp. Make sure that it is a valid RFC822 message id as
+     * required by RFC 1939. This should make man-in-the-middle attacks as 
+     * described in CVE-2007-1558 harder. */
+    a = NULL;
+    if ((p = strchr(session->buffer, '<')) != NULL	/* start of timestamp */
+	    && (q = strchr(p + 1, '>')) != NULL		/* end of timestamp */
+	    && (a = pop3_get_addr(p))			/* valid address */
+	    && strchr(a, '@')				/* has domain part */
+	    && strlen(a) + 2 == (size_t)(q - p + 1)	/* no specials */
+	    && strncmp(p + 1, a, q - p - 1) == 0)	/* no invalid chars */
+    {
+      	session->cap.flags |= POP3_CAP_AUTH_APOP;
+       	session->cap.apop_timestamp = xmalloc((q - p + 2) * sizeof(char));
+	strncpy(session->cap.apop_timestamp, p, q - p + 1);
+	session->cap.apop_timestamp[q - p + 1] = '\0';
     }
+    free(a);
 
     return POP3_EOK;
 }
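Review bot: the two lines `session->cap.flags |= POP3_CAP_AUTH_APOP;` and the `xmalloc` call in the new if-body are indented with spaces followed by a tab, unlike the tab-only lines around them; please normalize. More substantively, the chained condition hands `pop3_get_addr(p)` a pointer at the `<`, yet `strlen(a) + 2 == (size_t)(q - p + 1)` and `strncmp(p + 1, a, q - p - 1) == 0` only hold if `a` is exactly the text between the brackets, so the helper must strip the angle brackets itself; stating that in the comment makes the length and character checks verifiable from this file alone. `strchr(a, '@')` guarantees at least one `@` but not exactly one or non-empty local and domain parts, so it is worth confirming pop3_get_addr enforces those. The `a = NULL` initialization together with the trailing `free(a)` is correct under short-circuit evaluation, but when validation fails the session silently drops POP3_CAP_AUTH_APOP and a user with APOP configured sees only a generic capability error; a debug-level message naming the rejected greeting would make that diagnosable.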

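As a stand-alone illustration of the timestamp check Martin describes (example code written for this page, not mpop's pop3.c, and independent of the `pop3_get_addr` helper the patch relies on but does not show), the function below accepts an APOP timestamp from a POP3 greeting only when it has the RFC 1939 shape: an RFC 822 msg-id `<local@domain>` with non-empty local and domain parts, exactly one `@`, and nothing inside the brackets but atom characters and the `.` that separates words. The sample greetings are constructed; the first is the example from RFC 1939.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not mpop code: validate the APOP timestamp in a POP3
 * greeting against the RFC 822 msg-id shape that RFC 1939 requires. */

/* Characters allowed inside the brackets: alphanumerics, the RFC 822 atom
 * characters (printable ASCII minus specials, space and controls) and '.'. */
static int apop_atom_char(unsigned char c)
{
    if (c == '\0' || !isprint(c) || c == ' ')
        return 0;
    if (isalnum(c))
        return 1;
    return strchr("!#$%&'*+-/=?^_`{|}~.", (int)c) != NULL;
}

/* Returns a newly allocated copy of the timestamp including the angle
 * brackets, or NULL when the greeting carries no acceptable timestamp.
 * The caller frees the result. */
char *apop_timestamp_from_greeting(const char *greeting)
{
    const char *p, *q, *at, *c;
    char *ts;
    size_t len;

    if ((p = strchr(greeting, '<')) == NULL)        /* start of timestamp */
        return NULL;
    if ((q = strchr(p + 1, '>')) == NULL)           /* end of timestamp */
        return NULL;

    /* Exactly one '@', splitting non-empty local and domain parts. */
    at = memchr(p + 1, '@', (size_t)(q - p - 1));
    if (at == NULL || at == p + 1 || at == q - 1)
        return NULL;
    if (memchr(at + 1, '@', (size_t)(q - at - 1)) != NULL)
        return NULL;

    /* Every other character inside the brackets must be an atom character. */
    for (c = p + 1; c < q; c++)
        if (c != at && !apop_atom_char((unsigned char)*c))
            return NULL;

    len = (size_t)(q - p + 1);                      /* '<' ... '>' inclusive */
    if ((ts = malloc(len + 1)) == NULL)
        return NULL;
    memcpy(ts, p, len);
    ts[len] = '\0';
    return ts;
}

/* Returns 1 when the greeting carries an acceptable APOP timestamp. */
int apop_greeting_ok(const char *greeting)
{
    char *ts = apop_timestamp_from_greeting(greeting);
    int ok = ts != NULL;
    free(ts);
    return ok;
}

int main(void)
{
    /* Constructed sample greetings; the first is the example from RFC 1939. */
    static const char *samples[] = {
        "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
        "+OK ready <1234567890>",           /* no domain part */
        "+OK ready <@example.org>",         /* empty local part */
        "+OK ready <a b@example.org>",      /* space inside msg-id */
        "+OK ready <x@y@example.org>",      /* two '@' */
        "+OK ready <1177876805 no close",   /* unterminated */
        "+OK ready",                        /* no timestamp at all */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-7s %s\n", apop_greeting_ok(samples[i]) ? "accept" : "reject",
               samples[i]);
    return 0;
}
```

Rejecting a malformed challenge rather than using it is the conservative behaviour: a client that refuses to run APOP against a greeting that is not a valid msg-id falls back to whatever other authentication it is configured for, or fails visibly, instead of hashing its password against attacker-chosen bytes.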