* Buffer overflow bug on auth_md5.c, where not enough dynamic memory

     was being allocated. Based on a report by Erich Eckner.

2 files changed, 9 insertions, 5 deletions

diff --git a/imap/src/c-client/auth_md5.c b/imap/src/c-client/auth_md5.c
index d4e7024..d12fd29 100644
--- a/imap/src/c-client/auth_md5.c
+++ b/imap/src/c-client/auth_md5.c
@@ -113,11 +113,12 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder,
       ret = LONGT;		/* will get a BAD response back */
     }
     else {			/* got password, build response */
-      sprintf (pwd,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen,
+      char tmp[128];
+      sprintf (tmp,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen,
 						pwd,strlen (pwd)));
       fs_give ((void **) &challenge);
 				/* send credentials, allow retry if OK */
-      if ((*responder) (stream,pwd,strlen (pwd))) {
+      if ((*responder) (stream,tmp,strlen (tmp))) {
 	if ((challenge = (*challenger) (stream,&clen)) != NULL)
 	  fs_give ((void **) &challenge);
 	else {
@@ -125,10 +126,13 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder,
 	  ret = LONGT;		/* check the authentication */
 	}
       }
-      fs_give((void **) &pwd);
+      memset((void *) tmp, 0, sizeof(tmp));
     }
   }
-  if(pwd) fs_give((void **) &pwd);
+  if(pwd){
+    memset((void *) pwd, 0, strlen(pwd));
+    fs_give((void **) &pwd);
+  }
   if (!ret) *trial = 65535;	/* don't retry if bad protocol */
   return ret;
 }
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 4cf8c61..ae72270 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
 reasonable place to be called from.
 Dummy change to get revision in pine.hlp
 ============= h_revision =================
-Alpine Commit 338 2019-05-07 20:47:22
+Alpine Commit 339 2019-05-08 16:04:25
 ============= h_news =================
 <HTML>
 <HEAD>