[mew-dist 27638] APOP vulnerability

2007年 4月 21日 (土) 21:40:45 JST

APOP vulnerability (CVE-2007-1558)対策として、timestampにnon-ASCII
文字を許さないようにしてみました。いかがでしょうか。
(厳密な処理はしておらず、従来どおり"<"と">"で判定しています)

http://seclists.org/bugtraq/2007/Apr/0018.html

| However, using the current techniques available to attack MD5, the
| msg-ids sent by the server can easily be distinguished from genuine
| ones as they will not respect the RFC specification. In particular,
| they will contain non-ASCII characters. Therefore, as a security
| countermeasure, mail user agents should reject msg-ids that does not
| conform to the RFC. 

----

--- mew.orig/mew-pop.el
+++ mew/mew-pop.el
@@ -77,7 +77,8 @@
 		  "Auth'ing"
 		  nil
 		  (mew-pop-secure-p pnm))
-  (if (re-search-forward "<[^<>]+@[^<>]+>" nil t)
+  (if (re-search-forward
+       "<[\000-\073\075\077-\177]+@[\000-\073\075\077-\177]+>" nil t)
       (mew-pop-set-key pnm (mew-match-string 0)))
   (mew-pop-process-send-string pro "CAPA"))
 
----

-- 
木下達也

