* smtpmail.el security flaw in selecting authentication mechanism
@ 2009-03-03 16:30 Simon Josefsson
2009-03-03 19:20 ` Stefan Monnier
2009-03-04 22:01 ` Richard M Stallman
0 siblings, 2 replies; 5+ messages in thread
From: Simon Josefsson @ 2009-03-03 16:30 UTC (permalink / raw)
To: emacs-devel
I just noticed that smtpmail.el chose to use the LOGIN mechanism against
gmail.com which was surprising because they support PLAIN, which should
be preferred. Debugging this I noticed this is the code that is
responsible for selecting the authentication mechanism to use:
(defun smtpmail-try-auth-methods (process supported-extensions host port)
(let* ((mechs (cdr-safe (assoc 'auth supported-extensions)))
(mech (car (smtpmail-intersection smtpmail-auth-supported mechs)))
Some experiments with this:
(smtpmail-intersection smtpmail-auth-supported '(login plain cram-md5))
(login plain cram-md5)
Thus the code choses the first supported mechanism in the _servers_
order. It should use the local list instead. Compare:
(smtpmail-intersection '(login plain cram-md5) smtpmail-auth-supported)
(cram-md5 plain login)
The patch below fixes this. I have committed it on the trunk. Maybe it
it should be backported in case you make releases from another branch?
This can be a security problem, since it allows the server to control
whether for example LOGIN or PLAIN (that sends the password in
plaintext) is used instead of CRAM-MD5 (which does not). Of course,
security aware people use STARTTLS anyway, which should mitigate this.
/Simon
Index: lisp/ChangeLog
===================================================================
RCS file: /sources/emacs/emacs/lisp/ChangeLog,v
retrieving revision 1.15426
diff -u -p -r1.15426 ChangeLog
--- lisp/ChangeLog 3 Mar 2009 16:12:02 -0000 1.15426
+++ lisp/ChangeLog 3 Mar 2009 16:22:18 -0000
@@ -1,3 +1,11 @@
+2009-03-03 Simon Josefsson <simon@josefsson.org>
+
+ * mail/smtpmail.el (smtpmail-auth-supported): Mention that list is
+ in preference order.
+ (smtpmail-try-auth-methods): Improve which authentication
+ mechanism to use, so that the locally most preferred and mutually
+ supported mechanism is used.
+
2009-03-03 Stefan Monnier <monnier@iro.umontreal.ca>
* emacs-lisp/lisp.el (end-of-defun-function): Make it more clear that
Index: lisp/mail/smtpmail.el
===================================================================
RCS file: /sources/emacs/emacs/lisp/mail/smtpmail.el,v
retrieving revision 1.108
diff -u -p -r1.108 smtpmail.el
--- lisp/mail/smtpmail.el 5 Jan 2009 03:22:37 -0000 1.108
+++ lisp/mail/smtpmail.el 3 Mar 2009 16:22:18 -0000
@@ -218,7 +218,8 @@ This is relative to `smtpmail-queue-dir'
(defvar smtpmail-read-point)
(defconst smtpmail-auth-supported '(cram-md5 plain login)
- "List of supported SMTP AUTH mechanisms.")
+ "List of supported SMTP AUTH mechanisms.
+The list is in preference order.")
(defvar smtpmail-mail-address nil
"Value to use for envelope-from address for mail from ambient buffer.")
@@ -534,7 +535,7 @@ This is relative to `smtpmail-queue-dir'
(defun smtpmail-try-auth-methods (process supported-extensions host port)
(let* ((mechs (cdr-safe (assoc 'auth supported-extensions)))
- (mech (car (smtpmail-intersection smtpmail-auth-supported mechs)))
+ (mech (car (smtpmail-intersection mechs smtpmail-auth-supported)))
(auth-user (auth-source-user-or-password
"login" host (or port "smtp")))
(auth-pass (auth-source-user-or-password
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: smtpmail.el security flaw in selecting authentication mechanism
2009-03-03 16:30 smtpmail.el security flaw in selecting authentication mechanism Simon Josefsson
@ 2009-03-03 19:20 ` Stefan Monnier
2009-03-04 22:01 ` Richard M Stallman
1 sibling, 0 replies; 5+ messages in thread
From: Stefan Monnier @ 2009-03-03 19:20 UTC (permalink / raw)
To: Simon Josefsson; +Cc: emacs-devel
> The patch below fixes this. I have committed it on the trunk. Maybe it
> it should be backported in case you make releases from another branch?
We haven't cut a branch for the release yet. Thank you for installing
the patch.
Stefan
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: smtpmail.el security flaw in selecting authentication mechanism
2009-03-03 16:30 smtpmail.el security flaw in selecting authentication mechanism Simon Josefsson
2009-03-03 19:20 ` Stefan Monnier
@ 2009-03-04 22:01 ` Richard M Stallman
2009-03-04 22:12 ` Simon Josefsson
2009-03-04 23:27 ` Stefan Monnier
1 sibling, 2 replies; 5+ messages in thread
From: Richard M Stallman @ 2009-03-04 22:01 UTC (permalink / raw)
To: Simon Josefsson; +Cc: emacs-devel
I am pretty sure we don't plan to make another release of Emacs 22.
Do you think we should make one just on account of this?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: smtpmail.el security flaw in selecting authentication mechanism
2009-03-04 22:01 ` Richard M Stallman
@ 2009-03-04 22:12 ` Simon Josefsson
2009-03-04 23:27 ` Stefan Monnier
1 sibling, 0 replies; 5+ messages in thread
From: Simon Josefsson @ 2009-03-04 22:12 UTC (permalink / raw)
To: rms; +Cc: emacs-devel
Richard M Stallman <rms@gnu.org> writes:
> I am pretty sure we don't plan to make another release of Emacs 22.
> Do you think we should make one just on account of this?
No.
/Simon
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: smtpmail.el security flaw in selecting authentication mechanism
2009-03-04 22:01 ` Richard M Stallman
2009-03-04 22:12 ` Simon Josefsson
@ 2009-03-04 23:27 ` Stefan Monnier
1 sibling, 0 replies; 5+ messages in thread
From: Stefan Monnier @ 2009-03-04 23:27 UTC (permalink / raw)
To: rms; +Cc: Simon Josefsson, emacs-devel
> I am pretty sure we don't plan to make another release of Emacs 22.
> Do you think we should make one just on account of this?
No, it's not a serious security flaw: it still only uses one of the
protocols that we accept to use. It just might choose a less
desirable one.
Stefan
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2009-03-04 23:27 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-03-03 16:30 smtpmail.el security flaw in selecting authentication mechanism Simon Josefsson
2009-03-03 19:20 ` Stefan Monnier
2009-03-04 22:01 ` Richard M Stallman
2009-03-04 22:12 ` Simon Josefsson
2009-03-04 23:27 ` Stefan Monnier
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).