From: DiCioccio, Jason (jdicioccioepylon.com)
Date: Fri Jun 07 2002 - 17:40:57 CDT


    Am I crazy or do his comments EVER get closed? Looks wrong to me.

    - --- pine/send.c.orig Tue Jan 8 12:59:37 2002
    +++ pine/send.c Sat Mar 9 09:17:08 2002
    -3989,12 +3989,15

             outgoing->return_path = rfc822_cpy_adr(outgoing->from);

    +
             /*
              * Don't ever believe the sender that is there.
              * If From doesn't look quite right, generate our own sender.
              */
    + /**** fix u-washington anti-privacy loophole
             if(outgoing->sender)
               mail_free_address(&outgoing->sender);
    + /****

             /*
              * If the LHS of the address doesn't match, or the RHS
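    Review bot: the second `+ /****` line, after `mail_free_address(&outgoing->sender);`, closes nothing. C comments do not nest, so the comment opened by `/**** fix u-washington anti-privacy loophole` runs on until the `*/` of the original `If the LHS of the address doesn't match` block comment below it, and the bare `/****` is just text inside that comment. The build succeeds by accident, and gcc -Wall (-Wcomment) will warn about `/*` within a comment. Terminate it with `****/`, or better wrap the two lines in `#if 0` / `#endif`, which does not depend on the neighbouring comment staying where it is. Two smaller points: the `+` blank line above the comment block is stray whitespace, and the hunk headers as posted here lack the `@@ ... @@` markers, so this text will not apply with patch(1) until they are restored. Note also what the removal does: a sender address already present in `outgoing` is no longer discarded, so the patch stops Pine generating a Sender but does not by itself guarantee the header is absent.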
    -4003,6 +4006,7
              *
              * Don't add a personal_name since the user can change that.
              */
    + /**** fix u-washington anti-privacy loophole
             if(!outgoing->from
                || !outgoing->from->mailbox
                || strucmp(outgoing->from->mailbox, ps_global->VAR_USER_ID) != 0
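    Review bot: the comment opened here by `/**** fix u-washington anti-privacy loophole` is meant to be closed in the next hunk, but the lines between the two hunks are not shown in the diff and are swallowed by the same comment. If any of them contains a `*/`, the commented-out region ends early and the remainder of the `if` body is compiled as dangling code. An `#if 0` placed before `if(!outgoing->from` is safer, since the preprocessor skips the region regardless of what it contains.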
    -4014,6 +4018,7
                 outgoing->sender->mailbox = cpystr(ps_global->VAR_USER_ID);
                 outgoing->sender->host = cpystr(ps_global->hostname);
             }
    + /****

             /*----- Message is edited, now decide what to do with it
    - ----*/
             if(editor_result & (COMP_SUSPEND | COMP_GOTHUP | COMP_CANCEL)){
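    Review bot: the `+ /****` after the closing `}` is not a comment terminator either; the region opened in the previous hunk actually ends at the `----*/` of the original `Message is edited` comment, which is the only reason this compiles. Any later edit that moves or rewords that comment would silently re-enable the sender-generation code. Pair the two hunks as `#if 0` ... `#endif` and drop the bare `/****` lines.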

    -----Original Message-----
    From: Roger Marquis [mailto:marquisroble.com]
    Sent: Friday, June 07, 2002 3:15 PM
    To: securityFreeBSD.ORG
    Subject: Pine 4.44 Privacy Patch

    Problem description:

        The Pine email client allows users to define the "From:"
        address independent of their Unix username. This is an
        indispensable feature for help desks and other role accounts.

        Unfortunately, user names and/or ids can still be leaked due to
        Pine's insertion of "Sender:" and/or "X-Sender:" headers. Pine
        versions earlier than 4.44 may also insert the Unix username
        into other envelope and header fields.

    Solution:

        Applying the following patch to pine 4.4 will cause
        {X-}Sender: headers to be omitted. Users may also need to
        define a remote "smtp-server" to prevent certain local MTAs
        from inserting this information. Other details on changing
        Pine's "From:" line are detailed in the FAQ at:

            http://www.washington.edu/pine/faq/config.html#9.5

        To apply this patch, download the source code from:

            ftp://ftp.cac.washington.edu/pine/

        Unpack (tar xzvf ...) and cd into the source directory, apply
        the patch (patch < patch_file_name) and recompile per the
        documentation.

    Disclaimers:

        This patch has been tested under Solaris and FreeBSD operating
        systems using the gcc compiler; however, no warranty is made
        regarding its accuracy or reliability. Use it at your own
        risk.

        Pine and Pico are registered trademarks of the University of
        Washington. No commercial use of these trademarks may be made
        without prior written permission of the University of
        Washington. Pine, Pico, and Pilot software and its included
        text are Copyright 1989-2002 by the University of Washington.

    --
    Roger Marquis
    Roble Systems Consulting
    http://www.roble.com/

    PS. Anyone interested in submitting this as a port patch?

    --------------------------------------------------------------------
    - --- pine/send.c.orig Tue Jan 8 12:59:37 2002
    +++ pine/send.c Sat Mar 9 09:17:08 2002
    -3989,12 +3989,15

             outgoing->return_path = rfc822_cpy_adr(outgoing->from);

    +
             /*
              * Don't ever believe the sender that is there.
              * If From doesn't look quite right, generate our own sender.
              */
    + /**** fix u-washington anti-privacy loophole
             if(outgoing->sender)
               mail_free_address(&outgoing->sender);
    + /****

             /*
              * If the LHS of the address doesn't match, or the RHS
    -4003,6 +4006,7
              *
              * Don't add a personal_name since the user can change that.
              */
    + /**** fix u-washington anti-privacy loophole
             if(!outgoing->from
                || !outgoing->from->mailbox
                || strucmp(outgoing->from->mailbox, ps_global->VAR_USER_ID) != 0
    -4014,6 +4018,7
                 outgoing->sender->mailbox = cpystr(ps_global->VAR_USER_ID);
                 outgoing->sender->host = cpystr(ps_global->hostname);
             }
    + /****

             /*----- Message is edited, now decide what to do with it
    - ----*/
             if(editor_result & (COMP_SUSPEND | COMP_GOTHUP | COMP_CANCEL)){
    --------------------------------------------------------------------

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message

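A check for the leak Roger describes above, added here as an example and not code from the thread or from Pine: given a captured outgoing message and the local Unix login, it lists the headers that expose that login while From: names a different mailbox, covering the Sender:/X-Sender: case and any other header (such as a Received: line written by a local MTA) that carries the login. Python and the two sample messages are assumptions; the samples are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Headers the thread names as the ones Pine fills with the Unix login.
LEAK_HEADERS = ("Sender", "X-Sender")

def local_parts(msg, name):
    """Lower-cased mailbox local-parts of every address in header `name`."""
    return [addr.rsplit("@", 1)[0].lower()
            for _, addr in getaddresses(msg.get_all(name, [])) if addr]

def find_identity_leaks(raw_message, unix_user):
    """Return [(header, value), ...] for headers exposing `unix_user` while
    From: names a different mailbox. An empty list means no leak was found."""
    msg = message_from_string(raw_message, policy=policy.default)
    user = unix_user.lower()
    if user in local_parts(msg, "From"):
        return []                      # From: already says who you are
    leaks = []
    for name in LEAK_HEADERS:          # the Sender:/X-Sender: case
        if user in local_parts(msg, name):
            leaks.extend((name, str(v)) for v in msg.get_all(name, []))
    # "Other envelope and header fields": e.g. a Received: line written by a
    # local MTA that records the submitting login. Match whole tokens only.
    token = re.compile(r"(?<![\w.-])" + re.escape(user) + r"(?![\w.-])", re.I)
    for name, value in msg.items():
        if name not in LEAK_HEADERS and name != "From" and token.search(str(value)):
            leaks.append((name, str(value)))
    return leaks

# Constructed sample: a role-account message with the headers the thread warns about.
LEAKY = """\
Received: from mail.example.org (jdoe@localhost) by mail.example.org
From: "Help Desk" <helpdesk@example.org>
Sender: jdoe@example.org
X-Sender: jdoe@mail.example.org
To: user@example.net

Hello.
"""

# Constructed sample: same message, no Sender:/X-Sender:, sent via a remote smtp-server.
CLEAN = """\
From: "Help Desk" <helpdesk@example.org>
To: user@example.net

Hello.
"""
```

Send a test message to yourself after rebuilding Pine and run the saved raw message through `find_identity_leaks` with your login to confirm the patch (and the MTA) no longer expose it.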