The code feeds the results of $session->config('me') to
sprintf as part of the format string. In practice, this is
probably not a problem since hostnames don't contain percent
signs. However, it triggers a taint warning in perl 5.10,
making cram-md5 auth unusable.
This patch rewrites the sprintf to insert the 'me' value
using a %s format specifier.
---
I don't know the usual practice for submitting patches to qpsmtpd, so
please let me know if I should be doing something differently.
I was a little confused by the test infrastructure, so no test, but
hopefully this change is Obviously Correct. I can trigger it on my
Debian testing and unstable boxen with just this plugin:
sub hook_auth_cram_md5 {
return (DECLINED);
}
which generates this in the log:
1732 XX: Insecure dependency in sprintf while running with -T switch at
lib/Qpsmtpd/Auth.pm line 63, <STDIN> line 3.
./qpsmtpd[1732]: command 'auth' failed unexpectedly (Bad file descriptor)
lib/Qpsmtpd/Auth.pm | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/Qpsmtpd/Auth.pm b/lib/Qpsmtpd/Auth.pm
index 6e9a2a5..635491a 100644
--- a/lib/Qpsmtpd/Auth.pm
+++ b/lib/Qpsmtpd/Auth.pm
@@ -60,8 +60,8 @@ sub SASL {
# rand() is not cryptographic, but we only need to generate a globally
# unique number. The rand() is there in case the user logs in more
than
# once in the same second, of if the clock is skewed.
- $ticket = sprintf( "<%x.%x\@" . $session->config("me") . ">",
- rand(1000000), time() );
+ $ticket = sprintf( '<%x...@%s>',
+ rand(1000000), time(), $session->config("me") );
# We send the ticket encoded in Base64
$session->respond( 334, encode_base64( $ticket, "" ) );
--
1.6.1.62.g8269b
