From 74c603fbc6397e08b4914f535fcbc2361096bcf5 Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Wed, 8 May 2019 16:05:08 -0600 Subject: * Buffer overflow bug on auth_md5.c, where not enough dynamic memory was being allocated. Based on a report by Erich Eckner. --- imap/src/c-client/auth_md5.c | 12 ++++++++---- pith/pine.hlp | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/imap/src/c-client/auth_md5.c b/imap/src/c-client/auth_md5.c index d4e7024b..d12fd299 100644 --- a/imap/src/c-client/auth_md5.c +++ b/imap/src/c-client/auth_md5.c @@ -113,11 +113,12 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder, ret = LONGT; /* will get a BAD response back */ } else { /* got password, build response */ - sprintf (pwd,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen, + char tmp[128]; + sprintf (tmp,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen, pwd,strlen (pwd))); fs_give ((void **) &challenge); /* send credentials, allow retry if OK */ - if ((*responder) (stream,pwd,strlen (pwd))) { + if ((*responder) (stream,tmp,strlen (tmp))) { if ((challenge = (*challenger) (stream,&clen)) != NULL) fs_give ((void **) &challenge); else { @@ -125,10 +126,13 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder, ret = LONGT; /* check the authentication */ } } - fs_give((void **) &pwd); + memset((void *) tmp, 0, sizeof(tmp)); } } - if(pwd) fs_give((void **) &pwd); + if(pwd){ + memset((void *) pwd, 0, strlen(pwd)); + fs_give((void **) &pwd); + } if (!ret) *trial = 65535; /* don't retry if bad protocol */ return ret; } diff --git a/pith/pine.hlp b/pith/pine.hlp index 4cf8c611..ae722708 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 338 2019-05-07 20:47:22 +Alpine Commit 339 2019-05-08 16:04:25 ============= h_news ================= -- cgit v1.2.3-54-g00ecf