[Pkg-mutt-maintainers] Bug#835421: mutt: Bug in POP3 authentication via SASL mechanism DIGEST-MD5

g1 g1pi at libero.it
Thu Aug 25 14:27:22 UTC 2016 

Package: mutt
Version: 1.5.23-3
Severity: normal
Tags: patch upstream

According to <https://tools.ietf.org/html/rfc5034#section-6>, the DIGEST-MD5
authentication should proceed along a sequence similar to the following:

1. C: AUTH DIGEST-MD5
2. S: + base64-encoded-server-challenge
3. C: base64-encoded-client-response
4. S: + base64-encoded-server-auth-confirmation
5. C:
6. S: +OK Maildrop locked and ready

In fact, even if the server grants access, mutt detects a spurious error,
sends the server a standalone "*" to request protocol shutdown, and fails.

The problem stems from the fact that the pop_auth_sasl() in
file pop_auth.c incorrectly terminates the SASL protocol at
step 4, then checks that the last message from the server
("+ base64-encoded-server-auth-confirmation") starts with "+OK", and of
course fails.

I believe the attached patch fixes the problem.

Best regards,
	g.b.

-- Package-specific info:
Mutt 1.5.23 (2014-03-12)
Copyright (C) 1996-2009 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 3.16.0-4-amd64 (x86_64)
ncurses: ncurses 5.9.20140913 (compiled with 5.9)
libidn: 1.29 (compiled with 1.29)
hcache backend: tokyocabinet 1.4.48

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.9/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.2-4' --with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.9 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --with-arch-32=i586 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.9.2 (Debian 4.9.2-4) 

Configure options: '--prefix=/usr' '--sysconfdir=/etc' '--mandir=/usr/share/man' '--with-docdir=/usr/share/doc' '--with-mailpath=/var/mail' '--disable-dependency-tracking' '--enable-compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' '--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' '--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with-mixmaster' '--with-sasl' '--without-gdbm' '--without-bdb' '--without-qdbm' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2 -I/usr/include/qdbm'

Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall

Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
-USE_SSL_OPENSSL  +USE_SSL_GNUTLS  +USE_SASL  +USE_GSS  +HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +COMPRESSED  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  +HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  +HAVE_GETSID  +USE_HCACHE  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"
To contact the developers, please mail to <mutt-dev at mutt.org>.
To report a bug, please visit http://bugs.mutt.org/.

misc/am-maintainer-mode.patch
features/ifdef.patch
features/xtitles.patch
features/trash-folder.patch
features/purge-message.patch
features/imap_fast_trash.patch
features/sensible_browser_position.patch
features-old/patch-1.5.4.vk.pgp_verbose_mime.patch
features/compressed-folders.patch
features/compressed-folders.debian.patch
debian-specific/Muttrc.patch
debian-specific/Md.etc_mailname_gethostbyname.patch
debian-specific/use_usr_bin_editor.patch
debian-specific/correct_docdir_in_man_page.patch
debian-specific/dont_document_not_present_features.patch
debian-specific/document_debian_defaults.patch
debian-specific/assumed_charset-compat.patch
debian-specific/467432-write_bcc.patch
debian-specific/566076-build_doc_adjustments.patch
misc/define-pgp_getkeys_command.patch
misc/gpg.rc-paths.patch
misc/smime.rc.patch
misc/fix-configure-test-operator.patch
upstream/531430-imapuser.patch
upstream/543467-thread-segfault.patch
upstream/542817-smimekeys-tmpdir.patch
upstream/548577-gpgme-1.2.patch
upstream/553321-ansi-escape-segfault.patch
upstream/547980-smime_keys-chaining.patch
upstream/528233-readonly-open.patch
upstream/228671-pipe-mime.patch
upstream/383769-score-match.patch
upstream/603288-split-fetches.patch
upstream/611410-no-implicit_autoview-for-text-html.patch
upstream/path_max.patch
translations/update_german_translation.patch
upstream/771125-CVE-2014-9116-jessie.patch
__separator__mutt.org.patch

-- System Information:
Debian Release: 8.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages mutt depends on:
ii  libassuan0         2.1.2-2
ii  libc6              2.19-18+deb8u4
ii  libcomerr2         1.42.12-1.1
ii  libgnutls-deb0-28  3.3.8-6+deb8u3
ii  libgpg-error0      1.17-3
ii  libgpgme11         1.5.1-6
ii  libgssapi-krb5-2   1.12.1+dfsg-19+deb8u2
ii  libidn11           1.29-1+deb8u1
ii  libk5crypto3       1.12.1+dfsg-19+deb8u2
ii  libkrb5-3          1.12.1+dfsg-19+deb8u2
ii  libncursesw5       5.9+20140913-1+b1
ii  libsasl2-2         2.1.26.dfsg1-13+deb8u1
ii  libtinfo5          5.9+20140913-1+b1
ii  libtokyocabinet9   1.4.48-3

Versions of packages mutt recommends:
ii  exim4-daemon-light [mail-transport-agent]  4.84.2-2+deb8u1
ii  libsasl2-modules                           2.1.26.dfsg1-13+deb8u1
ii  locales                                    2.19-18+deb8u4
ii  mime-support                               3.58

Versions of packages mutt suggests:
ii  ca-certificates  20141019+deb8u1
ii  gnupg            1.4.18-7+deb8u2
ii  ispell           3.3.02-6
pn  mixmaster        <none>
ii  openssl          1.0.1t-1+deb8u2
ii  urlview          0.9-19

Versions of packages mutt is related to:
ii  mutt          1.5.23-3
pn  mutt-dbg      <none>
pn  mutt-patched  <none>

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pop-digest-md5.patch
Type: text/x-diff
Size: 391 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mutt-maintainers/attachments/20160825/a4b5abdc/attachment.patch>

More information about the Pkg-mutt-maintainers mailing list