Bug 914426 - net-mail/asmail-2.1: uses deprecated MD5
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2023-09-19 09:09 UTC by Pascal Jäger
Modified: 2023-09-27 02:17 UTC
Description Pascal Jäger 2023-09-19 09:09:24 UTC
The program uses MD5, deprecated by OpenSSL and considered insecure.

Package has not been updated since 2011 and usage is questionable, upstream is dead.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-09-19 09:10:04 UTC
What is it actually using md5 for? It's fine in some contexts.
Comment 2 Hans de Graaff gentoo-dev Security 2023-09-24 06:50:08 UTC
The man page mentions POP3 authentication. Not sure if this is a problem in practice since I think you'll have a hard time finding a POP3 server that still allows non-TLS authentication.
Comment 3 Pascal Jäger 2023-09-25 14:42:57 UTC
I was aiming for last riting the package and the security bug was just the cause I needed, tbh. 

The packages from https://tigr.net/afterstep/applets/ are all stale, most of them maintainer needed, last update about two decades ago. And then this vulnerability.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-09-27 02:17:34 UTC
I understand the intent, but I feel like that's kind of abuse of the procedure.

If you think there's an actual vulnerability, please state it clearly. Using MD5 *anywhere in the program* doesn't make it vulnerable - it depends on how it's used and what for.