Bug#369542: security problem in ssmtp package (password exposure)

2006-12-12 Thread Michelle Konzack
According to this bug report, it would be better IF
the behaviour of "-v" stays as it is, but preventing
the output of the base64 password IF the UID is != 0.

Otherwise a system administrator can run into trouble
while debugging errors.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/6/6192519367100 Strasbourg/France   IRC #Debian (irc.icq.com)
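
The behaviour suggested in the message above, as an added example that is not part of the thread and not ssmtp code: verbose tracing stays on, but a line marked as carrying a credential is replaced by a placeholder unless the caller is root. The function name `trace_line`, the `sensitive` flag and the "-> " prefix are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not ssmtp's smtp_write): formats the text a
 * verbose trace would show for one outgoing SMTP line.
 * sensitive != 0 marks lines that carry a credential, such as the
 * base64 password sent during AUTH LOGIN.
 * Returns `out` so the result can be used directly. */
const char *trace_line(char *out, size_t outlen, const char *line,
                       int sensitive, uid_t uid)
{
    size_t n = strcspn(line, "\r\n");   /* length without the CRLF */

    if (outlen == 0)
        return "";
    if (sensitive && uid != 0) {
        /* The step stays visible for debugging, the value does not. */
        snprintf(out, outlen, "-> <credential redacted>");
    } else {
        snprintf(out, outlen, "-> %.*s", (int)n, line);
    }
    return out;
}

int main(void)
{
    char buf[128];
    /* Constructed sample: base64 of the string "password". */
    const char *secret = "cGFzc3dvcmQ=\r\n";

    /* Ordinary protocol line: always shown in full. */
    fprintf(stderr, "%s\n",
            trace_line(buf, sizeof buf, "AUTH LOGIN\r\n", 0, getuid()));
    /* Credential line: shown in full only when running as root. */
    fprintf(stderr, "%s\n",
            trace_line(buf, sizeof buf, secret, 1, getuid()));
    return 0;
}
```

Passing the flag per call avoids saving and restoring a global verbosity switch around the write.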




Bug#369542: security problem in ssmtp package (password exposure)

2006-12-04 Thread Julien Louis
On Mon, Dec 04, 2006 at 12:08:52PM +0100, Andreas Barth wrote:
> * Julien Louis ([EMAIL PROTECTED]) [061203 05:35]:
> ssmtp.c: In function 'ssmtp':
> ssmtp.c:1409: error: 'boot_t' undeclared (first use in this function)
> ssmtp.c:1409: error: (Each undeclared identifier is reported only once
> ssmtp.c:1409: error: for each function it appears in.)
> ssmtp.c:1409: error: expected ';' before 'minus_v_save'
 
 Can you please take two minutes to read the error message?
 I made a typo, I wrote boot_t instead of bool_t.

Cheers
-- 
Science has no homeland.
-+- Louis Pasteur -+-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#369542: security problem in ssmtp package (password exposure)

2006-12-04 Thread Andreas Barth
* Julien Louis ([EMAIL PROTECTED]) [061204 13:40]:
> On Mon, Dec 04, 2006 at 12:08:52PM +0100, Andreas Barth wrote:
> > * Julien Louis ([EMAIL PROTECTED]) [061203 05:35]:
> > ssmtp.c: In function 'ssmtp':
> > ssmtp.c:1409: error: 'boot_t' undeclared (first use in this function)
> > ssmtp.c:1409: error: (Each undeclared identifier is reported only once
> > ssmtp.c:1409: error: for each function it appears in.)
> > ssmtp.c:1409: error: expected ';' before 'minus_v_save'
>  
>  Can you please take two minutes to read the error message?
>  I made a typo, I wrote boot_t instead of bool_t.

Oh, sorry. I was just blind.


Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/





Bug#369542: security problem in ssmtp package (password exposure)

2006-12-04 Thread Andreas Barth
* Julien Louis ([EMAIL PROTECTED]) [061203 05:35]:
> An updated patch, which applies cleanly, is attached.

Here, compilation stops with:
gcc -DSTDC_HEADERS=1 -DHAVE_LIMITS_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYSLOG_H=1 
-DHAVE_UNISTD_H=1 -DHAVE_LIBNSL=1 -DRETSIGTYPE=void -DHAVE_VPRINTF=1 
-DHAVE_GETHOSTNAME=1 -DHAVE_SOCKET=1 -DHAVE_STRDUP=1 -DHAVE_STRSTR=1 
-DREWRITE_DOMAIN=1 -DHAVE_SSL=1 -DINET6=1 -DMD5AUTH=1  
-DSSMTPCONFDIR=\"/etc/ssmtp\" -DCONFIGURATION_FILE=\"/etc/ssmtp/ssmtp.conf\" 
-DREVALIASES_FILE=\"/etc/ssmtp/revaliases\"  -g -O2 -Wall   -c -o ssmtp.o 
ssmtp.c
ssmtp.c: In function 'crammd5':
ssmtp.c:612: warning: pointer targets in passing argument 1 of 
'__builtin_strncpy' differ in signedness
ssmtp.c:615: warning: pointer targets in passing argument 1 of 'from64tobits' 
differ in signedness
ssmtp.c:617: warning: pointer targets in passing argument 1 of 'strlen' differ 
in signedness
ssmtp.c:617: warning: pointer targets in passing argument 1 of 'strlen' differ 
in signedness
ssmtp.c:628: warning: pointer targets in passing argument 1 of 
'__builtin_strncpy' differ in signedness
ssmtp.c:629: warning: pointer targets in passing argument 1 of 'strcat' differ 
in signedness
ssmtp.c:630: warning: pointer targets in passing argument 1 of 'strcat' differ 
in signedness
ssmtp.c:630: warning: pointer targets in passing argument 2 of 'strcat' differ 
in signedness
ssmtp.c:631: warning: pointer targets in passing argument 1 of 'strlen' differ 
in signedness
ssmtp.c:631: warning: pointer targets in passing argument 1 of 'to64frombits' 
differ in signedness
ssmtp.c: In function 'smtp_open':
ssmtp.c:1261: warning: assignment discards qualifiers from pointer target type
ssmtp.c: In function 'ssmtp':
ssmtp.c:1409: error: 'boot_t' undeclared (first use in this function)
ssmtp.c:1409: error: (Each undeclared identifier is reported only once
ssmtp.c:1409: error: for each function it appears in.)
ssmtp.c:1409: error: expected ';' before 'minus_v_save'
ssmtp.c:1500: warning: pointer targets in passing argument 1 of 'to64frombits' 
differ in signedness
ssmtp.c:1500: warning: pointer targets in passing argument 2 of 'to64frombits' 
differ in signedness
ssmtp.c:1512: warning: pointer targets in passing argument 1 of 'to64frombits' 
differ in signedness
ssmtp.c:1512: warning: pointer targets in passing argument 2 of 'to64frombits' 
differ in signedness
ssmtp.c:1522: warning: pointer targets in passing argument 1 of 'to64frombits' 
differ in signedness
ssmtp.c:1522: warning: pointer targets in passing argument 2 of 'to64frombits' 
differ in signedness
ssmtp.c:1528: error: 'minus_v_save' undeclared (first use in this function)
make[1]: *** [ssmtp.o] Error 1


Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/





Bug#369542: security problem in ssmtp package (password exposure)

2006-12-03 Thread Julien Louis
tags 36942 + patch
thanks

On Sat, Dec 02, 2006 at 04:35:41PM +0100, Andreas Barth wrote:
 
> unfortunately, this patch doesn't apply cleanly in Debian.
 
An updated patch, which applies cleanly, is attached.

Cheers
-- 
 that's it, I bought Mandrake at Fnac 
 I'm going to become A LINUX GURU
 -+- taco2 in Guide du Petit Joueur : Con-Gourou -+-
--- ssmtp.c.orig2006-12-03 13:05:50.0 +0100
+++ ssmtp.c 2006-12-03 13:05:54.0 +0100
@@ -1406,6 +1406,7 @@
struct passwd *pw;
int i, sock;
uid_t uid;
+   boot_t minus_v_save;
int timeout = 0;
 
outbytes = 0;
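Review bot: The type in the added declaration `boot_t minus_v_save;` is misspelled and should be `bool_t`, as in the original patch quoted elsewhere in this thread. As posted the file does not build: gcc reports 'boot_t' undeclared at ssmtp.c:1409 and, as a consequence, 'minus_v_save' undeclared at ssmtp.c:1528.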
@@ -1522,7 +1523,12 @@
 #ifdef MD5AUTH
}
 #endif
+   /* We do NOT want the password output to STDERR
+* even base64 encoded.*/
+   minus_v_save = minus_v;
+   minus_v = False;
outbytes += smtp_write(sock, "%s", buf);
+   minus_v = minus_v_save;
(void)alarm((unsigned) MEDWAIT);
 
if(smtp_okay(sock, buf) == False) {
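Review bot: Clearing the global `minus_v` around `outbytes += smtp_write(sock, "%s", buf);` hides the whole line from `-v` output for every user, so someone debugging an authentication failure gets no sign that this step ran. Consider leaving the flag alone and having the verbose path print a fixed placeholder in place of `buf` for this one write; that also removes the save and restore of a global, which is easy to break if an early return is ever added between the two assignments.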


Bug#369542: security problem in ssmtp package (password exposure)

2006-12-02 Thread Andreas Barth
tags 369542 - patch
thanks

* Ben XO ([EMAIL PROTECTED]) [060530 08:08]:
> --- ssmtp-2.61/ssmtp.c  2004-07-23 06:58:48.0 +0100
> +++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.0 
> +0100
> @@ -1281,6 +1281,7 @@
> struct passwd *pw;
> int i, sock;
> uid_t uid;
> +   bool_t minus_v_save;
> 
> uid = getuid();
> if((pw = getpwuid(uid)) == (struct passwd *)NULL) {
> @@ -1381,7 +1382,13 @@
>  #ifdef MD5AUTH
> }
>  #endif
> +/* We do NOT want the password output to STDERR
> +* even base64 encoded.*/
> +   minus_v_save = minus_v;
> +   minus_v = False;
> smtp_write(sock, "%s", buf);
> +   minus_v = minus_v_save;
> +
> (void)alarm((unsigned) MEDWAIT);
> 
> if(smtp_okay(sock, buf) == False) {
> 
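Review bot: The context this hunk expects around the `smtp_write` call differs from the Debian source, which is consistent with the report that it does not apply cleanly there. Here the unchanged line is `smtp_write(sock, "%s", buf);` near line 1382 of ssmtp-2.61, while the refreshed patch in this thread shows `outbytes += smtp_write(sock, "%s", buf);` near line 1523. The patch should be regenerated against the Debian-patched ssmtp.c rather than the 2.61 tree.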

unfortunately, this patch doesn't apply cleanly in Debian.


Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/

