Bug#369542: security problem in ssmtp package (password exposure)
According to this bug report, it would be better IF the behaviour of "-v" stays as it is, but preventing the output of the base64 password IF the UID is != 0. Otherwise a system administrator can run into trouble while debugging errors.

Thanks, greetings and nice day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
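The behaviour proposed in the message above, sketched as an added example; it is not ssmtp's code and not part of the thread. The names trace_state, trace_server and trace_client are hypothetical, and the sketch goes slightly beyond the thread by also covering an inline AUTH PLAIN response.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>

/* Hypothetical trace state; ssmtp itself has no such structure. */
struct trace_state {
    int awaiting_secret;   /* set when the last server reply was a 334 challenge */
};

/* Record a server reply: after "334 ..." the next client line is a credential. */
void trace_server(struct trace_state *st, const char *reply)
{
    st->awaiting_secret = (strncmp(reply, "334", 3) == 0);
}

/*
 * Write the verbose-trace form of a client line (without CRLF) into out.
 * Credentials are shown only when uid == 0, as the message proposes;
 * for any other uid a fixed marker is written instead.
 * Returns 1 if the line was redacted, 0 if it was copied unchanged.
 */
int trace_client(struct trace_state *st, uid_t uid, const char *line,
                 char *out, size_t outlen)
{
    static const char plain[] = "AUTH PLAIN ";
    int secret = st->awaiting_secret;

    st->awaiting_secret = 0;          /* a challenge covers one line only */
    if (uid != 0 && secret) {
        snprintf(out, outlen, "[credential withheld]");
        return 1;
    }
    /* AUTH PLAIN may carry the base64 credential on the command line itself. */
    if (uid != 0 && strncasecmp(line, plain, sizeof(plain) - 1) == 0) {
        snprintf(out, outlen, "AUTH PLAIN [credential withheld]");
        return 1;
    }
    snprintf(out, outlen, "%s", line);
    return 0;
}
```

The marker keeps the position of the credential line visible in the -v trace, so an unprivileged user debugging a failed login still sees that the exchange took place.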
Bug#369542: security problem in ssmtp package (password exposure)
On Mon, Dec 04, 2006 at 12:08:52PM +0100, Andreas Barth wrote:
> * Julien Louis ([EMAIL PROTECTED]) [061203 05:35]:
> ssmtp.c: In function 'ssmtp':
> ssmtp.c:1409: error: 'boot_t' undeclared (first use in this function)
> ssmtp.c:1409: error: (Each undeclared identifier is reported only once
> ssmtp.c:1409: error: for each function it appears in.)
> ssmtp.c:1409: error: expected ';' before 'minus_v_save'

Can you please take two minutes to read the error message?
I made a typo, I wrote boot_t instead of bool_t.

Cheers
Bug#369542: security problem in ssmtp package (password exposure)
* Julien Louis ([EMAIL PROTECTED]) [061204 13:40]:
> On Mon, Dec 04, 2006 at 12:08:52PM +0100, Andreas Barth wrote:
> > * Julien Louis ([EMAIL PROTECTED]) [061203 05:35]:
> > ssmtp.c: In function 'ssmtp':
> > ssmtp.c:1409: error: 'boot_t' undeclared (first use in this function)
> > ssmtp.c:1409: error: (Each undeclared identifier is reported only once
> > ssmtp.c:1409: error: for each function it appears in.)
> > ssmtp.c:1409: error: expected ';' before 'minus_v_save'
>
> Can you please take two minutes to read the error message?
> I made a typo, I wrote boot_t instead of bool_t.

Oh, sorry. I was just blind.

Cheers,
Andi
Bug#369542: security problem in ssmtp package (password exposure)
* Julien Louis ([EMAIL PROTECTED]) [061203 05:35]:
> An updated patch, which applies cleanly, is attached.

Here, compilation stops with:

gcc -DSTDC_HEADERS=1 -DHAVE_LIMITS_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYSLOG_H=1 -DHAVE_UNISTD_H=1 -DHAVE_LIBNSL=1 -DRETSIGTYPE=void -DHAVE_VPRINTF=1 -DHAVE_GETHOSTNAME=1 -DHAVE_SOCKET=1 -DHAVE_STRDUP=1 -DHAVE_STRSTR=1 -DREWRITE_DOMAIN=1 -DHAVE_SSL=1 -DINET6=1 -DMD5AUTH=1 -DSSMTPCONFDIR=\"/etc/ssmtp\" -DCONFIGURATION_FILE=\"/etc/ssmtp/ssmtp.conf\" -DREVALIASES_FILE=\"/etc/ssmtp/revaliases\" -g -O2 -Wall -c -o ssmtp.o ssmtp.c
ssmtp.c: In function 'crammd5':
ssmtp.c:612: warning: pointer targets in passing argument 1 of '__builtin_strncpy' differ in signedness
ssmtp.c:615: warning: pointer targets in passing argument 1 of 'from64tobits' differ in signedness
ssmtp.c:617: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
ssmtp.c:617: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
ssmtp.c:628: warning: pointer targets in passing argument 1 of '__builtin_strncpy' differ in signedness
ssmtp.c:629: warning: pointer targets in passing argument 1 of 'strcat' differ in signedness
ssmtp.c:630: warning: pointer targets in passing argument 1 of 'strcat' differ in signedness
ssmtp.c:630: warning: pointer targets in passing argument 2 of 'strcat' differ in signedness
ssmtp.c:631: warning: pointer targets in passing argument 1 of 'strlen' differ in signedness
ssmtp.c:631: warning: pointer targets in passing argument 1 of 'to64frombits' differ in signedness
ssmtp.c: In function 'smtp_open':
ssmtp.c:1261: warning: assignment discards qualifiers from pointer target type
ssmtp.c: In function 'ssmtp':
ssmtp.c:1409: error: 'boot_t' undeclared (first use in this function)
ssmtp.c:1409: error: (Each undeclared identifier is reported only once
ssmtp.c:1409: error: for each function it appears in.)
ssmtp.c:1409: error: expected ';' before 'minus_v_save'
ssmtp.c:1500: warning: pointer targets in passing argument 1 of 'to64frombits' differ in signedness
ssmtp.c:1500: warning: pointer targets in passing argument 2 of 'to64frombits' differ in signedness
ssmtp.c:1512: warning: pointer targets in passing argument 1 of 'to64frombits' differ in signedness
ssmtp.c:1512: warning: pointer targets in passing argument 2 of 'to64frombits' differ in signedness
ssmtp.c:1522: warning: pointer targets in passing argument 1 of 'to64frombits' differ in signedness
ssmtp.c:1522: warning: pointer targets in passing argument 2 of 'to64frombits' differ in signedness
ssmtp.c:1528: error: 'minus_v_save' undeclared (first use in this function)
make[1]: *** [ssmtp.o] Error 1

Cheers,
Andi
Bug#369542: security problem in ssmtp package (password exposure)
tags 36942 + patch thanks On Sat, Dec 02, 2006 at 04:35:41PM +0100, Andreas Barth wrote: > unfortunatly, this patch doesn't apply cleanly in Debian. An updated patch, which applies cleanly, is attached. Cheers -- ca y est j'ai acheté mandrake a la fnac je vais devenir UN LINUX GOUROU -+- taco2 in Guide du Petit Joueur : Con-Gourou -+- --- ssmtp.c.orig2006-12-03 13:05:50.0 +0100 +++ ssmtp.c 2006-12-03 13:05:54.0 +0100 @@ -1406,6 +1406,7 @@ struct passwd *pw; int i, sock; uid_t uid; + boot_t minus_v_save; int timeout = 0; outbytes = 0; @@ -1522,7 +1523,12 @@ #ifdef MD5AUTH } #endif + /* We do NOT want the password output to STDERR +* even base64 encoded.*/ + minus_v_save = minus_v; + minus_v = False; outbytes += smtp_write(sock, "%s", buf); + minus_v = minus_v_save; (void)alarm((unsigned) MEDWAIT); if(smtp_okay(sock, buf) == False) {
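Review bot: The declaration added in the first hunk, `boot_t minus_v_save;`, names a type that is not the one the second hunk needs when it stores `minus_v` in that variable. It should read `bool_t minus_v_save;`; as written, neither the declaration nor the later `minus_v = minus_v_save;` restore compiles, so the suppression never reaches a build.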
Bug#369542: security problem in ssmtp package (password exposure)
tags 369542 - patch thanks * Ben XO ([EMAIL PROTECTED]) [060530 08:08]: > --- ssmtp-2.61/ssmtp.c 2004-07-23 06:58:48.0 +0100 > +++ ssmtp-2.61+auth_login_minus_v_patch/ssmtp.c 2006-05-05 20:26:07.0 > +0100 > @@ -1281,6 +1281,7 @@ > struct passwd *pw; > int i, sock; > uid_t uid; > + bool_t minus_v_save; > > uid = getuid(); > if((pw = getpwuid(uid)) == (struct passwd *)NULL) { > @@ -1381,7 +1382,13 @@ > #ifdef MD5AUTH > } > #endif > +/* We do NOT want the password output to STDERR > +* even base64 encoded.*/ > + minus_v_save = minus_v; > + minus_v = False; > smtp_write(sock, "%s", buf); > + minus_v = minus_v_save; > + > (void)alarm((unsigned) MEDWAIT); > > if(smtp_okay(sock, buf) == False) { > unfortunatly, this patch doesn't apply cleanly in Debian. Cheers, Andi -- http://home.arcor.de/andreas-barth/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
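Review bot: In the second hunk, clearing the global `minus_v` before `smtp_write(sock, "%s", buf);` and restoring it afterwards removes the credential line from the -v trace without leaving any marker, and the protection holds only as long as every later edit keeps the clear and the restore paired around that one call. Consider having the write path take a flag for sensitive lines, or printing a fixed placeholder when `minus_v` is set, so verbose output still shows that a line was sent without showing `buf`. The added comment block also starts at column 0 while the statements around it are indented.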