[Evolution-hackers] Security vulnerability in APOP authentication

2007-03-29 Thread Gaëtan LEURENT 
Hello,

I found a security vulnerability in the APOP authentication.  It is
related to recent collision attacks by Wang and al. against MD5.  The
basic idea is to craft a pair of message-ids that will collide in the
APOP hash if the password begins in a specified way.  So the attacker
would impersonate a POP server, and send these msg-id; the client will
return the hash, and the attacker can learn some password characters.

The msg-ids will be generated from a MD5 collision: if you have two
colliding messages for MD5 [EMAIL PROTECTED]x and [EMAIL PROTECTED]x, 
and the
message are of length two blocks, then you will use [EMAIL PROTECTED] and
[EMAIL PROTECTED] as msg-ids.  When the client computes MD5(msg-id||passwd)
with these two, it will collide if the first password character if 'x',
no matter what is next (since we are at a block boundary, and the end of
the password will be the same in the two hashs).  Therefore you can
learn the password characters one by one (actually you can only recover
three of them, due to the way MD5 collisions are computed).

This attack is really a practical one: it needs about an hour of
computation and a few hundred authentications from the client, and can
recover three password characters.  I tested it against Evolution, and
it does work.

However, using the current techniques available to attack MD5, the
msg-ids sent by the server can easily be distinguished from genuine ones
as they will not respect the RFC specification.  In particular, they
will contain non-ASCII characters.  Therefore, as a security
countermeasure, I think Evolution should reject msg-ids that does not
conform to the RFC.

The details of the attack and the new results against MD5 needed to
build it will be presented in the Fast Software Encryption conference on
March 28.  I can send you some more details if needed.

Meanwhile, feel free to alert any one that you believe is concerned.
I am already sending this mail to the maintainers of Thunderbird,
Evolution, fetchmail, and mutt.  KMail already seems to do enough checks
on the msg-id to avoid the attack.

Please CC me in any reply.

-- 
Gaëtan LEURENT
___
Evolution-hackers mailing list
Evolution-hackers@gnome.org
http://mail.gnome.org/mailman/listinfo/evolution-hackers

Re: [Evolution-hackers] Evolution Maintainership

2007-03-29 Thread Hans Petter Jansson 
On Thu, 2007-03-29 at 15:15 +0530, Harish Krishnaswamy wrote:

 This mail is to announce that Srinivasa Ragavan (srag) is joining me
 to assume the responsibilites as maintainer of the Evolution project.
 
 [...]

Congratulations, Srini! And a big thank you to Harish and the Evolution
team for your hard work and dedication to the project. The truth is,
with more than 7 years of development behind it, it's one of the best
mailers around.

-- 
Hans Petter
Passionate Evolution user

___
Evolution-hackers mailing list
Evolution-hackers@gnome.org
http://mail.gnome.org/mailman/listinfo/evolution-hackers

[Evolution-hackers] Bug in main_system_beep?

2007-03-29 Thread Karl Relton 
Srini

Welcome to your new role. I posted this on evolution-patches a couple of
weeks back, but  don't think anyone has got round to it yet ...


Whilst looking at the code for other things, I think I have spotted a
bug in main_system_beep() in mail-session.c.

Comparing the beep function with play_sound function:

session_play_sound() and main_play_sound() do a
camel_object_ref(session) and a camel_object_unref(session) between
them.

However, session_system_beep() and main_system_beep() does the
camel_object_ref(session) but without the corresponding unref.

I assume thats wrong - the  patch below fixes that by putting in the
unref.

Karl

--- mail-session.c.old  2007-03-02 11:31:23.0 +
+++ mail-session.c  2007-03-02 11:29:42.0 +
@@ -441,6 +441,7 @@ static void
 main_system_beep (CamelFilterDriver *driver, gpointer user_data)
 {
gdk_beep ();
+   camel_object_unref (session);
 }
 
 static void


___
Evolution-hackers mailing list
Evolution-hackers@gnome.org
http://mail.gnome.org/mailman/listinfo/evolution-hackers

[Evolution-hackers] Proposed fix for bug 311512

2007-03-29 Thread Karl Relton 
Srini

Welcome to your new role (again!).

Last week I posted two patches (one for eds, one for evo) on evo bugzill
that I believe fix bug 311512.

Could you take a look - any comments are welcome!

Regards
Karl

___
Evolution-hackers mailing list
Evolution-hackers@gnome.org
http://mail.gnome.org/mailman/listinfo/evolution-hackers