On Sat, 9 Mar 2002 07:41:38 -0500, Eric S Raymond wrote:
Ronald Wahl <Ronald(_dot_)Wahl(_at_)informatik(_dot_)tu-chemnitz(_dot_)de>:
On 05 Feb 2002 00:43:39 +0100, Ronald Wahl wrote:
On 21 Nov 2001 18:28:55 +0100, Ronald Wahl wrote:
Hi,
It seems that Kerberos4 authentication is broken in fetchmail >= 5.9.1.
In fetchmail-5.9.0 it works (at least with the patch found in
http://lists.ccil.org/pipermail/fetchmail-friends/2001-September/001087.html).
With 5.9.5 I get:
fetchmail: IMAP> A0001 CAPABILITY
fetchmail: IMAP< * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=PLAIN
AUTH=KERBEROS_V4 X-NETSCAPE
fetchmail: IMAP< A0001 OK Completed
fetchmail: IMAP> A0002 AUTHENTICATE KERBEROS_V4
fetchmail: IMAP< + kLsiKg==
fetchmail: could not decode initial BASE64 challenge
fetchmail: IMAP> A0003 *
Would be nice if one could fix this. The krb4 implementation used on
client side: ftp://ftp.pdc.kth.se/pub/krb/src/krb4-1.0.9.tar.gz
Now I found the bug by myself. It was introduced in
fetchmail-5.9.4. 5.9.1-5.9.3 are functional (at least now). The Base64
buffer overflow check is broken. Shame on the guy who wrote this. ;-)
Here is the fix:
--------- snip -------------------------------------------------------------
diff -uNr fetchmail-5.9.11.orig/base64.c fetchmail-5.9.11/base64.c
--- fetchmail-5.9.11.orig/base64.c 2001-10-03 11:37:33.000000000 +0200
+++ fetchmail-5.9.11/base64.c 2002-04-06 12:20:33.000000000 +0200
@@ -78,17 +78,21 @@
return(-1);
in += 4;
++len;
- if (len && len >= maxlen) /* prevent buffer overflow */
+ if (len && len > maxlen) /* prevent buffer overflow */
return(-1);
*out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4);
if (digit3 != '=')
{
- *out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2);
++len;
+ if (len && len > maxlen) /* prevent buffer overflow */
+ return(-1);
+ *out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2);
if (digit4 != '=')
{
- *out++ = ((DECODE64(digit3) << 6) & 0xc0) | DECODE64(digit4);
++len;
+ if (len && len > maxlen) /* prevent buffer overflow */
+ return(-1);
+ *out++ = ((DECODE64(digit3) << 6) & 0xc0) | DECODE64(digit4);
}
}
} while
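Review bot: The `len &&` term in the three `if (len && len > maxlen)` tests looks redundant where it stands, directly after `++len`, unless len can be negative on entry, and the same two-line check is now repeated before each of the three `*out++` stores. Consider one helper or macro for the check, or a single test per quad against the number of bytes that quad will produce. With `>=` relaxed to `>` the decoder can now fill all maxlen bytes of out, so the function's comment should say that maxlen is the full capacity of the buffer and that a caller who wants a terminator has to reserve that byte itself.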
--------- snip -------------------------------------------------------------
As I wrote in an older mail, to get Kerberos working I have to comment
out some code:
--------- snip -------------------------------------------------------------
diff -uNr fetchmail-5.8.10.orig/driver.c fetchmail-5.8.10/driver.c
--- fetchmail-5.8.10.orig/driver.c Mon Jun 25 22:59:18 2001
+++ fetchmail-5.8.10/driver.c Sat Jun 30 19:23:38 2001
@@ -892,6 +892,7 @@
#endif
#ifdef KERBEROS_V4
+#if 0
if (ctl->server.authenticate == A_KERBEROS_V4)
{
set_timeout(mytimeout);
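Review bot: The `#if 0` placed ahead of `if (ctl->server.authenticate == A_KERBEROS_V4)` carries no comment saying why the branch is switched off, and it removes the branch for every build with KERBEROS_V4 defined rather than only for the configuration that fails. Before this goes into the tree, either add a comment naming the failure it works around, or replace the `#if 0` with a condition that skips the branch only in the failing case, so that anyone relying on this code path keeps it.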
@@ -901,6 +902,7 @@
if (err != 0)
goto cleanUp;
}
+#endif
#endif /* KERBEROS_V4 */
#ifdef KERBEROS_V5
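Review bot: The `#endif` added after the closing brace of the A_KERBEROS_V4 branch is unlabelled and sits directly above `#endif /* KERBEROS_V4 */`, which makes the pairing easy to misread. Label it, for example `#endif /* 0 */`, or with whatever condition ends up replacing the `#if 0`. The `if (err != 0)` test and its `goto cleanUp` are compiled out together with the rest of the branch, so the accompanying comment should also say that this error path is intentionally gone.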
--------- snip -------------------------------------------------------------
Please incorporate the patches into the fetchmail codebase. Thanks!
regards,
ron
--
/\/\ Dipl.-Inf. Ronald Wahl /\/\ C S N /\/\
\/\/ ronald(_dot_)wahl(_at_)informatik(_dot_)tu-chemnitz(_dot_)de \/\/
------------------ \/\/
/\/\ http://www.tu-chemnitz.de/~row/ /\/\ network and system /\/\
\/\/ GnuPG/PGP key available \/\/ administration \/\/