Mark Crispin wrote:

> Thank you for reporting this.
>
> This is only an issue in glibc2 on some Linux systems. In other C
> libraries, the data returned by getpass() is limited to PASS_MAX. The
> author of glibc2 apparently thought that it would help his ideology to
> abolish the use of such functions by making glibc2's getpass() return
> a limitless string.

Yes, but Linux and glibc2 are important.

I also found that getpass() works differently on different systems. On Solaris 10 getpass() returns at most 8 characters! So getpass() seems to be an unusable function on Solaris 10, but this is another aspect of the problem.

You can find out how the getpass() function works on your system with this little test program:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>   /* declares getpass() */

    int main(void)
    {
        /* getpass() reads from the terminal without echo and returns a
         * pointer to a static buffer; how long that buffer may be depends
         * on the C library. */
        printf("You entered: %s\n", getpass("password: "));
        return 0;
    }

> Since mailutil is an auxiliary shell tool and not a security program,
> I don't think that there is a particular priority to protect it from
> user abuse.

Yes, I agree that this should not be considered a security problem. The interactive password prompt in particular often makes the tool unusable for scripts. (I would like to see a mailutil tool which uses the password manager functions of Alpine. Currently I have patched mailutil for my scripting purposes, and that is where I found the problem.)

Anyway, I think the bug should be fixed for the next release of UW IMAP, Alpine etc. Who can do this? I can help with a patch and with some testing if this is helpful.

Greetings,
Björn

_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw
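Added example (not from this thread or from the UW IMAP/mailutil sources): a bounded handling of the getpass() result that checks the actual length instead of assuming the libc caps it at PASS_MAX, and rejects longer input rather than overflowing or silently truncating. The PASS_MAX fallback value, the return codes and the accepts_length() helper are constructed for this demonstration.

```c
#define _DEFAULT_SOURCE 1   /* make glibc declare getpass() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#ifndef PASS_MAX
#define PASS_MAX 256        /* constructed fallback if the platform lacks it */
#endif
enum { PW_OK = 0, PW_TOO_LONG = -1, PW_NULL = -2 };
/* Overwrite a secret; the volatile pointer keeps the stores from being dropped. */
static void scrub(char *p, size_t n)
{
    volatile char *vp = p;
    while (n--) *vp++ = 0;
}
/* Copy src into dst (dstlen bytes). glibc's getpass() may return a string of
 * any length, so check it instead of trusting PASS_MAX; reject, do not truncate. */
int copy_password(char *dst, size_t dstlen, const char *src)
{
    dst[0] = '\0';
    if (src == NULL) return PW_NULL;
    size_t n = strlen(src);
    if (n >= dstlen) return PW_TOO_LONG;
    memcpy(dst, src, n + 1);
    return PW_OK;
}
/* Run a constructed n-character password through copy_password() so the
 * PASS_MAX boundary can be exercised without a terminal. */
int accepts_length(size_t n)
{
    char src[PASS_MAX + 64], dst[PASS_MAX + 1];
    if (n >= sizeof src) return PW_TOO_LONG;
    memset(src, 'x', n);
    src[n] = '\0';
    int rc = copy_password(dst, sizeof dst, src);
    scrub(dst, sizeof dst);
    return rc;
}
int main(void)
{
    char pw[PASS_MAX + 1];
    char *entered = getpass("password: ");        /* static libc buffer */
    int rc = copy_password(pw, sizeof pw, entered);
    if (entered) scrub(entered, strlen(entered));  /* clear libc's copy too */
    if (rc != PW_OK) { fprintf(stderr, "password rejected (rc=%d)\n", rc); return 1; }
    printf("accepted %zu characters\n", strlen(pw));
    scrub(pw, sizeof pw);
    return 0;
}
```

On Solaris 10 the same program will never see more than the 8 characters the libc hands back, which is the separate truncation problem mentioned above; the length check here only guards the glibc case.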