Package: mutt
Version: 1.5.23-3
Severity: normal
Tags: patch upstream

According to <https://tools.ietf.org/html/rfc5034#section-6>, the DIGEST-MD5 authentication should proceed along a sequence similar to the following:

1. C: AUTH DIGEST-MD5
2. S: + base64-encoded-server-challenge
3. C: base64-encoded-client-response
4. S: + base64-encoded-server-auth-confirmation
5. C:
6. S: +OK Maildrop locked and ready

In fact, even if the server grants access, mutt detects a spurious error, sends the server a standalone "*" to request protocol shutdown, and fails.

The problem stems from the fact that the pop_auth_sasl() in file pop_auth.c incorrectly terminates the SASL protocol at step 4, then checks that the last message from the server ("+ base64-encoded-server-auth-confirmation") starts with "+OK", and of course fails.

I believe the attached patch fixes the problem.

Best regards,

g.b.

-- Package-specific info:
Mutt 1.5.23 (2014-03-12)
Copyright (C) 1996-2009 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 3.16.0-4-amd64 (x86_64)
ncurses: ncurses 5.9.20140913 (compiled with 5.9)
libidn: 1.29 (compiled with 1.29)
hcache backend: tokyocabinet 1.4.48

Compiler:
Using built-in specs.
--- pop_auth.c 2014-03-12 17:03:45.000000000 +0100 +++ my-pop_auth.c 2016-08-25 14:24:59.985430466 +0200 @@ -116,7 +116,7 @@ client_start = 0; } - if (rc != SASL_CONTINUE && (olen == 0 || rc != SASL_OK)) + if (rc == SASL_FAIL || !mutt_strncmp(inbuf, "+OK", 3) || !mutt_strncmp(inbuf, "-ERR", 4)) break; /* send out response, or line break if none needed */
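
Review bot: On the added "+" line, "rc == SASL_FAIL" is the only SASL result that still ends the loop, whereas the removed line broke out on every rc other than SASL_CONTINUE and SASL_OK; any other error result now falls through to the "send out response" step. Suggest keeping "rc != SASL_CONTINUE && rc != SASL_OK" as the failure test and adding the "+OK" / "-ERR" checks next to it. Because the loop now also ends on a server-supplied "+OK", the code after the loop (not visible in this hunk) has to require rc == SASL_OK before treating that line as success, so that a "+OK" arriving before the server-auth confirmation of step 4 has been processed is not accepted. The "olen == 0" test is dropped without explanation; a short comment that an empty client line is still sent at step 5 would document why.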
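
The termination rule at issue in this report, as an added example that is not mutt's code or the attached patch: a scripted model of the RFC 5034 exchange in which the client stops either when its mechanism finishes (the reported behaviour) or only on "+OK" / "-ERR", and accepts "+OK" only if the mechanism completed. The STEP_* constants, run_exchange(), the stub mechanism results and the transcripts with their placeholder base64 are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for a SASL library's step results (hypothetical names). */
enum { STEP_FAIL = -1, STEP_OK = 0, STEP_CONTINUE = 1 };
enum auth_result { AUTH_OK, AUTH_REJECTED, AUTH_INCOMPLETE };

/* One scripted round: the line read from the server, then what a stub
 * mechanism returns after consuming it and how long its response is. */
struct round { const char *server_line; int step_rc; size_t resp_len; };

/* stop_early=1: leave the loop once the mechanism is done with nothing to
 * send (the behaviour the report describes); 0: read on to +OK / -ERR. */
static enum auth_result run_exchange(const struct round *r, size_t n, int stop_early)
{
    int rc = STEP_CONTINUE;
    const char *last = "";
    for (size_t i = 0; i < n; i++) {
        last = r[i].server_line;
        if (strncmp(last, "+ ", 2) != 0)
            break;                  /* +OK, -ERR or malformed: stop reading */
        rc = r[i].step_rc;
        if (rc != STEP_OK && rc != STEP_CONTINUE)
            break;                  /* any mechanism error ends the exchange */
        if (stop_early && rc == STEP_OK && r[i].resp_len == 0)
            break;
        /* here the client would send its response, or an empty line (step 5) */
    }
    if (strncmp(last, "+OK", 3) != 0)
        return AUTH_REJECTED;       /* -ERR, or no final status line seen */
    return rc == STEP_OK ? AUTH_OK : AUTH_INCOMPLETE;  /* +OK alone is not enough */
}

/* Constructed transcripts; the base64 payloads are placeholders. */
static const struct round rfc_flow[] = {
    { "+ Y2hhbGxlbmdl", STEP_CONTINUE, 32 },   /* step 2 */
    { "+ cnNwYXV0aA==", STEP_OK, 0 },          /* step 4 */
    { "+OK Maildrop locked and ready", 0, 0 }, /* step 6 */
};
static const struct round skipped_confirmation[] = {
    { "+ Y2hhbGxlbmdl", STEP_CONTINUE, 32 },
    { "+OK Maildrop locked and ready", 0, 0 }, /* step 4 never arrived */
};

int main(void)
{
    return !(run_exchange(rfc_flow, 3, 1) == AUTH_REJECTED &&
             run_exchange(rfc_flow, 3, 0) == AUTH_OK &&
             run_exchange(skipped_confirmation, 2, 0) == AUTH_INCOMPLETE);
}
```

The first call reproduces the spurious failure on a compliant server; the third shows why a final "+OK" is checked together with the mechanism state rather than on its own.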