evolution: Evolution does not authenticate using MD5 methods (DIGEST/CRAM) and remains plaintext
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
evolution (Debian) | Fix Released | Unknown | |
evolution (Ubuntu) | Fix Released | High | Sebastien Bacher |
Bug Description
Automatically imported from Debian bug report #290291 http://
Debian Bug Importer (debzilla) wrote : | #2 |
Date: Thu, 13 Jan 2005 13:24:52 +0100
From: Cedric Blancher <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: evolution: Evolution does not authenticate using MD5 methods (DIGEST/CRAM) and remains plaintext
Package: evolution
Version: 2.0.3-1.1
Severity: grave
Justification: user security hole
Since yesterday's sid update, my Evolution only authenticates using
plaintext login/password, whether you choose NTLM, DIGEST-MD5 or
CRAM-MD5, introducing a security issue on non-SSL accounts and denial of
access on servers refusing plaintext authentication.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=
Versions of packages evolution depends on:
In Debian Bug tracker #290291, Sebastien Bacher (seb128) wrote : Re: evolution: Evolution does not authenticate using MD5 methods (DIGEST/CRAM) and remains plaintext | #3 |
Date: Thu, 13 Jan 2005 17:48:18 +0100
> Since yesterday's sid update, my Evolution only authenticates using
> plaintext login/password, whether you choose NTLM, DIGEST-MD5 or
> CRAM-MD5, introducing a security issue on non-SSL accounts and denial of
> access on servers refusing plaintext authentication.
evolution has not changed for one month. Did you already have the 2.0.3
version before yesterday? Do you remember the package you have
updated? What kind of error do you get exactly?
Could you run it with CAMEL_DEBUG=all set and attach the log here
(remove the personal details if you have some in the log)?
Cheers,
Sebastien Bacher
In Debian Bug tracker #290291, Cedric Blancher (blancher-cartel-securite-net) wrote : | #5 |
Date: Fri, 14 Jan 2005 16:14:23 +0000
I can't figure out what could have caused this. Must be some linked
library it can't spot... By the way, CAMEL_DEBUG does not show any
interesting message except one. The thing is, when I try to configure my
account access, login is always set as plaintext. When I try to
validate another mechanism (such as CRAM-MD5), I get this:
(evolution:8343): evolution-
model.c: line 825 (em_folder_
NULL' failed
Thanks for your help.
In Debian Bug tracker #290291, Cedric Blancher (blancher-cartel-securite) wrote : Re: Bug#290291: evolution: Evolution does not authenticate using MD5 methods (DIGEST/CRAM) and remains plaintext | #7 |
Date: Sat, 15 Jan 2005 01:43:52 +0100
On Thursday 13 January 2005 at 17:48 +0100, Sebastien Bacher wrote:
> evolution has not changed for one month. Did you already have the 2.0.3
> version before yesterday? Do you remember the package you have
> updated? What kind of error do you get exactly?
> Could you run it with CAMEL_DEBUG=all set and attach the log here
> (remove the personal details if you have some in the log)?
I don't know what went wrong with my Evolution these last days, but I got
something weird. However, I could find this bug that fits my situation:
http://
Authentication Type not being stored correctly in account config
Solution: manually edit ~/.gconf/
It works! So, this is what has to be done:
1. shutdown Evolution: "evolution --force-shutdown"
2. shutdown gconfd: "gconftool-2 --shutdown"
3. edit ~/.gconf/
4. Change [protocol]
under <source> (and <transport> if your server requires authentication
for sending)
5. Start evolution (gconfd will restart automatically)
Auth in step 4 being Basic, NTLM, DIGEST-MD5 or CRAM-MD5...
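An added check for the state this bug leaves behind, written for this page and not taken from Evolution or the Debian fix. It assumes Evolution 2.0 stores each account as an XML string whose <source>/<url> and <transport>/<url> hold Camel-style URLs carrying the SASL mechanism as ";auth=MECH" in the user part; it audits which accounts have fallen back to plaintext and applies step 4 of the procedure above to a record (account names, uids and hosts are constructed).

```python
import re
import xml.etree.ElementTree as ET

# Assumed storage format (Evolution 2.0 era): each account is one XML string whose
# <source>/<url> and <transport>/<url> hold Camel URLs, scheme://user;auth=MECH@host/
CAMEL_URL_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
                          r"(?:(?P<user>[^@/;]+)(?:;auth=(?P<auth>[^@/;]*))?@)?(?P<rest>.*)$")
PLAINTEXT_MECHS = {"", "PLAIN", "LOGIN"}  # password crosses the wire in the clear

SAMPLE_ACCOUNTS = [  # constructed sample records: names, uids and hosts are made up
    '<account name="work" uid="1" enabled="true"><source><url>imap://alice@mail.example.org/</url>'
    "</source><transport><url>smtp://alice;auth=PLAIN@mail.example.org/</url></transport></account>",
    '<account name="home" uid="2" enabled="true"><source><url>imap://bob;auth=CRAM-MD5@imap.example.net/'
    "</url></source><transport><url>smtp://smtp.example.net/</url></transport></account>",
]

def classify(url):
    """'none' (no credentials), 'plaintext' (no/PLAIN/LOGIN mechanism) or the mechanism name."""
    m = CAMEL_URL_RE.match(url)
    if m is None:
        raise ValueError(f"not a Camel URL: {url!r}")
    if m.group("user") is None:
        return "none"
    mech = (m.group("auth") or "").upper()
    return "plaintext" if mech in PLAINTEXT_MECHS else mech

def _url_nodes(root):
    """Yield (part, <url> element) for whichever of <source>/<transport> carry a URL."""
    for part in ("source", "transport"):
        node = root.find(f"{part}/url")
        if node is not None and node.text:
            yield part, node

def audit_account(xml_text):
    """The check: which mechanism each half of an account record is configured for."""
    root = ET.fromstring(xml_text)
    report = {"name": root.get("name"), "source": "none", "transport": "none"}
    for part, node in _url_nodes(root):
        report[part] = classify(node.text)
    return report

def set_auth(url, mech):
    """Force ';auth=MECH' on a URL that carries credentials; others are left alone."""
    m = CAMEL_URL_RE.match(url)
    if m is None or m.group("user") is None:
        return url
    return f"{m.group('scheme')}://{m.group('user')};auth={mech}@{m.group('rest')}"

def fix_account(xml_text, mech):
    """Step 4 above: apply set_auth to <source> and <transport> and re-serialise."""
    root = ET.fromstring(xml_text)
    for _, node in _url_nodes(root):
        node.text = set_auth(node.text, mech)
    return ET.tostring(root, encoding="unicode")
```

Running audit_account over every record in the gconf list after touching the account preferences shows whether the reset described in this thread has happened; fix_account is the repair for one record.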
In Debian Bug tracker #290291, Cedric Blancher (blancher-cartel-securite) wrote : | #9 |
Date: Sun, 16 Jan 2005 10:10:53 +0100
So, to eventually close this bug: it is identified in 2.0.3 by the upstream
maintainers and a patch[1] has been issued to fix the bug.
What I could see for now: the bug is triggered when you open any email
account's preferences. All accounts' auth type is then reset to plaintext
authentication, although you may not have edited the other accounts.
Indeed, I changed an account's settings last Thursday, the day on which I
began to experience the problem. So, nothing related to a package
update. To get things back, one has to repeat the procedure explained in the
previous message (or apply the patch).
[1] http://
Sebastien Bacher (seb128) wrote : | #11 |
This part of the code has changed in 2.1, but that seems to work in hoary; bug closed.
In Debian Bug tracker #290291, Frank Lichtenheld (djpig) wrote : tagging 290291 | #12 |
Date: Fri, 21 Jan 2005 16:16:13 +0100
# Automatically generated email from bts, devscripts version 2.8.5
tags 290291 patch
In Debian Bug tracker #290291, Jordi Mallach (jordi) wrote : | #14 |
Date: Tue, 25 Jan 2005 18:52:29 +0100
# Automatically generated email from bts, devscripts version 2.8.10
tags 290291 + pending
In Debian Bug tracker #290291, Jordi Mallach (jordi) wrote : Fixed in NMU of evolution 2.0.3-1.2 | #16 |
Date: Tue, 25 Jan 2005 17:17:07 -0500
tag 290291 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Tue, 25 Jan 2005 17:49:41 +0100
Source: evolution
Binary: evolution-dev evolution
Architecture: source i386
Version: 2.0.3-1.2
Distribution: unstable
Urgency: high
Maintainer: Takuo KITAME <email address hidden>
Changed-By: Jordi Mallach <email address hidden>
Description:
evolution - The groupware suite
evolution-dev - Development library files for Evolution
Closes: 290291
Changes:
evolution (2.0.3-1.2) unstable; urgency=HIGH
.
* Non-maintainer upload to fix SECURITY issues.
* debian/
- camel/camel-
an integer overflow and malloc()ation of a 0-byte buffer, which was then
filled by an arbitrary amount of user-supplied data. Now restrict
the length of the supplied path to at most 0xFFFF characters (patch
taken from Ubuntu USN-69-1, thanks pitti!).
* debian/
to fix the skipping of the needauth setting (closes: #290291).
* debian/rules: add DEB_FIXPERMS_
* debian/
(this changes camel-lock-help from suid root to sgid mail).
In Debian Bug tracker #290291, Loïc Minier (lool) wrote : | #18 |
Date: Mon, 10 Oct 2005 10:52:12 +0200
Subject: Re: Fixed in NMU of evolution 2.0.3-1.2
Version: 2.0.3-1.2
Hi,
The NMU below was never acknowledged but was merged and I'm closing
this bug:
On Tue, Jan 25, 2005, Jordi Mallach wrote:
> tag 290291 + fixed
> quit
> This message was generated automatically in response to a
> non-maintainer upload. The .changes file follows.
> Format: 1.7
> Date: Tue, 25 Jan 2005 17:49:41 +0100
> Source: evolution
> Binary: evolution-dev evolution
> Architecture: source i386
> Version: 2.0.3-1.2
> Distribution: unstable
> Urgency: high
> Maintainer: Takuo KITAME <email address hidden>
> Changed-By: Jordi Mallach <email address hidden>
> Description:
> evolution - The groupware suite
> evolution-dev - Development library files for Evolution
> Closes: 290291
> Changes:
> evolution (2.0.3-1.2) unstable; urgency=HIGH
> .
> * Non-maintainer upload to fix SECURITY issues.
> * debian/
> - camel/camel-
> an integer overflow and malloc()ation of a 0-byte buffer, which was then
> filled by an arbitrary amount of user-supplied data. Now restrict
> the length of the supplied path to at most 0xFFFF characters (patch
> taken from Ubuntu USN-69-1, thanks pitti!).
> * debian/
> to fix the skipping of the needauth setting (closes: #290291).
> * debian/rules: add DEB_FIXPERMS_
> * debian/
> (this changes camel-lock-help from suid root to sgid mail).
Cheers,
--
Loïc Minier <email address hidden>
Automatically imported from Debian bug report #290291 http://bugs.debian.org/290291