From: Simon Josefsson
Newsgroups: gmane.emacs.devel
Subject: smtpmail.el security flaw in selecting authentication mechanism
Date: Tue, 03 Mar 2009 17:30:21 +0100
Message-ID: <87myc24lia.fsf@mocca.josefsson.org>
To: emacs-devel@gnu.org
I just noticed that smtpmail.el chose to use the LOGIN mechanism against
gmail.com, which was surprising because they support PLAIN, which should
be preferred.  Debugging this I noticed this is the code that is
responsible for selecting the authentication mechanism to use:

  (defun smtpmail-try-auth-methods (process supported-extensions host port)
    (let* ((mechs (cdr-safe (assoc 'auth supported-extensions)))
           (mech (car (smtpmail-intersection smtpmail-auth-supported mechs)))

Some experiments with this:

  (smtpmail-intersection smtpmail-auth-supported '(login plain cram-md5))
  => (login plain cram-md5)

Thus the code chooses the first supported mechanism in the _server's_
order.  It should use the local list instead.  Compare:

  (smtpmail-intersection '(login plain cram-md5) smtpmail-auth-supported)
  => (cram-md5 plain login)

The patch below fixes this.  I have committed it on the trunk.  Maybe it
should be backported in case you make releases from another branch?
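A worked model of the selection logic described above, added here as an illustration and not code from the post or from smtpmail.el: it reproduces both experiments, parses a constructed EHLO reply, and flags a server-ordered choice as a downgrade. The order-preserving behaviour of smtpmail-intersection is assumed from the post's two outputs; parse_ehlo_auth, is_downgrade and the EHLO text are constructed for the example.

```python
"""Model of smtpmail.el's AUTH mechanism choice before and after the fix.

Constructed illustration written for this post, not code from smtpmail.el.
The semantics of smtpmail-intersection are inferred from the post's two
experiments (the result follows the order of the *second* argument).
"""

# Mirrors smtpmail-auth-supported: most preferred first.
AUTH_SUPPORTED = ["cram-md5", "plain", "login"]


def smtpmail_intersection(list1, list2):
    """Elements of list2 that also occur in list1, kept in list2's order."""
    return [m for m in list2 if m in list1]


def parse_ehlo_auth(ehlo_lines):
    """Mechanisms from a multi-line EHLO reply's AUTH line, lowercased.

    Returns [] when the server advertises no AUTH extension, the analogue
    of (cdr-safe (assoc 'auth supported-extensions)) => nil.
    """
    for line in ehlo_lines:
        fields = line[4:].split()          # drop the "250-" / "250 " prefix
        if fields and fields[0].upper() == "AUTH":
            return [m.lower() for m in fields[1:]]
    return []


def choose_mech_before(mechs):
    """Original call: local list first, so the server's order decides."""
    found = smtpmail_intersection(AUTH_SUPPORTED, mechs)
    return found[0] if found else None


def choose_mech_after(mechs):
    """Patched call: arguments swapped, so the local preference decides."""
    found = smtpmail_intersection(mechs, AUTH_SUPPORTED)
    return found[0] if found else None


def is_downgrade(chosen, mechs):
    """True when a locally more preferred mechanism was mutually supported."""
    return chosen is not None and chosen != choose_mech_after(mechs)


# Constructed EHLO reply listing mechanisms in the order the server,
# not the client, happens to prefer.
SERVER_EHLO = [
    "250-smtp.example.test at your service",
    "250-AUTH LOGIN PLAIN CRAM-MD5",
    "250 8BITMIME",
]
```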
This can be a security problem, since it allows the server to control whether for example LOGIN or PLAIN (that sends the password in plaintext) is used instead of CRAM-MD5 (which does not). Of course, security aware people use STARTTLS anyway, which should mitigate this. /Simon Index: lisp/ChangeLog =================================================================== RCS file: /sources/emacs/emacs/lisp/ChangeLog,v retrieving revision 1.15426 diff -u -p -r1.15426 ChangeLog --- lisp/ChangeLog 3 Mar 2009 16:12:02 -0000 1.15426 +++ lisp/ChangeLog 3 Mar 2009 16:22:18 -0000 @@ -1,3 +1,11 @@ +2009-03-03 Simon Josefsson + + * mail/smtpmail.el (smtpmail-auth-supported): Mention that list is + in preference order. + (smtpmail-try-auth-methods): Improve which authentication + mechanism to use, so that the locally most preferred and mutually + supported mechanism is used. + 2009-03-03 Stefan Monnier * emacs-lisp/lisp.el (end-of-defun-function): Make it more clear that Index: lisp/mail/smtpmail.el =================================================================== RCS file: /sources/emacs/emacs/lisp/mail/smtpmail.el,v retrieving revision 1.108 diff -u -p -r1.108 smtpmail.el --- lisp/mail/smtpmail.el 5 Jan 2009 03:22:37 -0000 1.108 +++ lisp/mail/smtpmail.el 3 Mar 2009 16:22:18 -0000 @@ -218,7 +218,8 @@ This is relative to `smtpmail-queue-dir' (defvar smtpmail-read-point) (defconst smtpmail-auth-supported '(cram-md5 plain login) - "List of supported SMTP AUTH mechanisms.") + "List of supported SMTP AUTH mechanisms. +The list is in preference order.") (defvar smtpmail-mail-address nil "Value to use for envelope-from address for mail from ambient buffer.") 
@@ -534,7 +535,7 @@ This is relative to `smtpmail-queue-dir' (defun smtpmail-try-auth-methods (process supported-extensions host port) (let* ((mechs (cdr-safe (assoc 'auth supported-extensions))) - (mech (car (smtpmail-intersection smtpmail-auth-supported mechs))) + (mech (car (smtpmail-intersection mechs smtpmail-auth-supported))) (auth-user (auth-source-user-or-password "login" host (or port "smtp"))) (auth-pass (auth-source-user-or-password
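Review bot: the one-line fix in the `smtpmail-try-auth-methods` hunk relies on an undocumented property of `smtpmail-intersection`, namely that the result keeps the order of its second argument (the post's experiments show `(smtpmail-intersection smtpmail-auth-supported '(login plain cram-md5))` coming back in the server's order and the swapped call returning `(cram-md5 plain login)`). A short comment at the call site saying that the second argument's order is the preference order would keep a later tidy-up from swapping the arguments back and silently reintroducing the server-controlled choice of mechanism. The no-AUTH case should be unchanged: `mechs` is nil, the intersection is nil and `mech` stays nil, as before.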