Package: uw-imap
Version: 2002edebian1-5
Severity: grave
Tags: security sarge sid patch

A vulnerability was discovered in the CRAM-MD5 authentication in UW-IMAP where, on the fourth failed authentication attempt, a user would be able to access the IMAP server regardless. This problem exists only if you are using CRAM-MD5 authentication and have an /etc/cram-md5.pwd file. This is not the default setup.

This is also VU#702777 <http://www.kb.cert.org/vuls/id/702777>

I'm attaching the patch.

Please
 . update the package in sid
 . mention the CVE id from the subject in the changelog
 . use priority=high
 . no need to upload into sarge directly, except if the version in sid is not meant to go into testing

Regards,

Joey

--
We all know Linux is great... it does infinite loops in 5 seconds.
-- Linus Torvalds
--- imap-2004/src/c-client/auth_md5.c~ 2005-01-17 16:38:46.758527958 -0700 +++ imap-2004/src/c-client/auth_md5.c 2005-01-17 16:38:46.758527958 -0700 @@ -153,7 +153,7 @@ /* get password */ if (p = auth_md5_pwd ((authuser && *authuser) ? authuser : user)) { pl = strlen (p); - u = (md5try && strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? NIL : user; + u = (md5try && !strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? user : NIL; memset (p,0,pl); /* erase sensitive information */ fs_give ((void **) &p); /* flush erased password */ /* now log in for real */
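Review bot: on the changed `u =` line, rejection once `md5try` reaches 0 now depends on the ternary falling through to NIL, and nothing in the line or the neighbouring comments says so; a short comment stating that exhausted tries must yield NIL, or an explicit `if (!md5try)` check ahead of the comparison, would keep the sense of the retry limit from being inverted again. The same line compares the client-supplied `hash` with `strcmp`, which stops at the first differing byte, so a fixed-time comparison of the two digests would be a reasonable follow-up.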
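The logic error described in the report, as an added example that is not part of the original message or the UW-IMAP source: a small C model of the removed and added `u =` expressions from the patch, run against a sequence of wrong responses. The starting counter value of 3 and the decrement on each failure are assumptions chosen to match the report's "fourth failed authentication attempt"; the digests, user name and helper names are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NIL 0
#define MAXTRIES 3   /* assumption: retry counter starts at 3 */

/* Pre-patch decision, same shape as the removed line of the patch. */
static const char *decide_old(int md5try, const char *hash,
                              const char *expect, const char *user) {
  return (md5try && strcmp(hash, expect)) ? NIL : user;
}

/* Post-patch decision, same shape as the added line of the patch. */
static const char *decide_new(int md5try, const char *hash,
                              const char *expect, const char *user) {
  return (md5try && !strcmp(hash, expect)) ? user : NIL;
}

typedef const char *(*decide_fn)(int, const char *, const char *, const char *);

/* Send `attempts` wrong responses in a row. Returns the 1-based attempt that
 * was accepted, or 0 if all were rejected. Decrementing the counter on each
 * failure and stopping at zero is an assumption of this model. */
int first_accepted(decide_fn decide, int attempts) {
  const char *expect = "constructed-expected-digest"; /* constructed value */
  const char *wrong = "constructed-wrong-digest";     /* constructed value */
  int md5try = MAXTRIES;
  for (int i = 1; i <= attempts; i++) {
    if (decide(md5try, wrong, expect, "alice")) return i;
    if (md5try) --md5try;
  }
  return 0;
}

/* A correct response should be accepted only while tries remain. */
int accepts_correct(decide_fn decide, int md5try) {
  const char *digest = "constructed-expected-digest";
  return decide(md5try, digest, digest, "alice") != NIL;
}

int main(void) {
  printf("old: wrong digest accepted on attempt %d (0 = never)\n",
         first_accepted(decide_old, 6));
  printf("new: wrong digest accepted on attempt %d (0 = never)\n",
         first_accepted(decide_new, 6));
  return 0;
}
```

In the old expression a zero counter short-circuits the `&&` to false, so the ternary selects `user` without the digest ever being compared; the new expression makes both a live counter and a matching digest necessary.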