Package: qpsmtpd
Version: 0.40-3
Severity: normal
Tags: patch
When writing a plugin that uses cram-md5 authentication, we trigger a
taint-check warning in Qpsmtpd::Auth, which doesn't allow the plugin to
load. E.g.:
$ echo test >plugins
$ echo . >plugin_dirs
$ echo 'sub hook_auth_cram_md5 { return (DECLINED) }' >test
$ echo foo >me
$ QPSMTPD_CONFIG=. qpsmtpd-forkserver &
$ (echo ehlo foo; echo auth cram-md5) | nc localhost 2525
gives:
451 Internal error - try again later - command 'auth' failed unexpectedly
and logs:
12317 XX: Insecure dependency in sprintf while running with -T switch at
/usr/share/perl5/Qpsmtpd/Auth.pm line 63, <STDIN> line 2.
/usr/bin/qpsmtpd-forkserver[12317]: command 'auth' failed unexpectedly
(No such file or directory)
The problem is that the 'me' config value is tainted (it is read from a
config file), and it was being concatenated into the format string passed
to sprintf; under -T, sprintf refuses a tainted format string. The fix, in
the attached patch, is to pass it as a separate %s argument to sprintf
instead of building it into the format.
The patch has already been accepted upstream, but I think it is worth
fixing before the next release, as plugins using cram-md5 auth are
currently unusable.
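The failure and the fix side by side, as an added stand-alone script (not part of the bug report or of qpsmtpd); it must be run as `perl -T taint_sprintf.pl`, and the hostname and the ticket_before/ticket_after helpers are constructed for the example:

```perl
#!/usr/bin/perl
# Added example (not from the bug report or qpsmtpd): reproduces the taint
# failure described above and shows why moving the hostname out of the
# sprintf format fixes it. Run with:  perl -T taint_sprintf.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run this with perl -T; taint mode is off\n" unless ${^TAINT};

# Under -T every %ENV value is tainted, just like a value read from a
# qpsmtpd config file (the 'me' hostname). Appending a tainted empty
# string taints a constant we control, so no config file is needed.
my $tainted_empty = substr($ENV{PATH} // '', 0, 0);
my $me = 'mail.example.test' . $tainted_empty;   # constructed hostname
die "expected \$me to be tainted\n" unless tainted($me);

my ($r, $t) = (int(rand(1000000)), time());

# Before the patch: the hostname is interpolated into the *format* string.
# perl's sprintf refuses a tainted format under -T ("Insecure dependency").
sub ticket_before {
    my ($me, $r, $t) = @_;
    return sprintf("<%x.%x\@" . $me . ">", $r, $t);
}

# After the patch: the hostname is an ordinary %s argument. Tainted
# arguments are allowed; only the resulting string comes out tainted.
sub ticket_after {
    my ($me, $r, $t) = @_;
    return sprintf('<%x.%x@%s>', $r, $t, $me);
}

my $before = eval { ticket_before($me, $r, $t) };
printf "before: %s\n", defined $before ? $before : "died: $@";

my $after = ticket_after($me, $r, $t);
printf "after:  %s (result tainted: %s)\n",
    $after, tainted($after) ? 'yes' : 'no';
```

The first call dies with the same "Insecure dependency in sprintf while running with -T switch" message the server logged; the second succeeds and simply yields a tainted ticket, which is harmless since it is only base64-encoded and sent to the client.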
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages qpsmtpd depends on:
ii adduser 3.110 add and remove users and groups
ii debconf 1.5.24 Debian configuration management sy
ii libdigest-hmac-perl 1.01-7 create standard message integrity
ii libmail-spf-query-perl 1:1.999.1-3 query SPF (Sender Policy Framework
ii libmailtools-perl 2.03-1 Manipulate email in perl programs
ii libnet-dns-perl 0.63-2 Perform DNS queries from a Perl sc
ii perl 5.10.0-18 Larry Wall's Practical Extraction
ii perl-modules [libnet-perl] 5.10.0-18 Core Perl modules
qpsmtpd recommends no packages.
Versions of packages qpsmtpd suggests:
pn clamav-daemon <none> (no description available)
ii spamassassin 3.2.5-2 Perl-based spam filter using text
pn tinycdb <none> (no description available)
-- debconf information excluded
diff --git a/lib/Qpsmtpd/Auth.pm b/lib/Qpsmtpd/Auth.pm
index 6e9a2a5..635491a 100644
--- a/lib/Qpsmtpd/Auth.pm
+++ b/lib/Qpsmtpd/Auth.pm
@@ -60,8 +60,8 @@ sub SASL {
# rand() is not cryptographic, but we only need to generate a globally
# unique number. The rand() is there in case the user logs in more than
# once in the same second, of if the clock is skewed.
- $ticket = sprintf( "<%x.%x\@" . $session->config("me") . ">",
- rand(1000000), time() );
+ $ticket = sprintf( '<%x...@%s>',
+ rand(1000000), time(), $session->config("me") );
# We send the ticket encoded in Base64
$session->respond( 334, encode_base64( $ticket, "" ) );
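Review bot: the new format string in the `+` lines reads `'<%x...@%s>'`, which has only two conversions (`%x`, `%s`) for the three arguments `rand(1000000), time(), $session->config("me")`, so `time()` would be silently dropped from the ticket; the removed line used `<%x.%x\@`, so the second `%x` appears to have been lost (most likely address-mangling in transit), and the line should read `$ticket = sprintf( '<%x.%x@%s>',`. The approach itself is right: the `me` value is tainted config data, and under -T perl's sprintf croaks on a tainted format string but accepts tainted arguments, merely marking the result tainted, which is fine here since `$ticket` is only base64-encoded and sent. The `\@` escape is no longer needed inside the single-quoted format. Minor nit in the surrounding comment: "of if the clock is skewed" should be "or if".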