Opened by Sankar P (reporter, points: 15) 2007-03-30 04:54 UTC [reply] gaetan.leurent ens.fr wrote: > I found a security vulnerability in the APOP authentication. It is > related to recent collision attacks by Wang and al. against MD5. The > basic idea is to craft a pair of message-ids that will collide in the > APOP hash if the password begins in a specified way. So the attacker > would impersonate a POP server, and send these msg-id; the client will > return the hash, and the attacker can learn some password characters. > > The msg-ids will be generated from a MD5 collision: if you have two > colliding messages for MD5 "<????@????>x" and "<¿¿¿¿@¿¿¿¿>x", and the > message are of length two blocks, then you will use "<????@????>" and > "<¿¿¿¿@¿¿¿¿>" as msg-ids. When the client computes MD5(msg-id||passwd) > with these two, it will collide if the first password character if 'x', > no matter what is next (since we are at a block boundary, and the end of > the password will be the same in the two hashs). Therefore you can > learn the password characters one by one (actually you can only recover > three of them, due to the way MD5 collisions are computed). > > This attack is really a practical one: it needs about an hour of > computation and a few hundred authentications from the client, and can > recover three password characters. I tested it against Evolution, and > it does work. > > However, using the current techniques available to attack MD5, the > msg-ids sent by the server can easily be distinguished from genuine ones > as they will not respect the RFC specification. In particular, they > will contain non-ASCII characters. Therefore, as a security > countermeasure, I think Evolution should reject msg-ids that does not > conform to the RFC.
gnome-office please advise.
Patch to fix this issue was added in evolution-data-server-1.8.3-r3 and evolution-data-server-1.10.1-r1. 1.10 is unstable (and even currently hardmasked). 1.8.3-r3 should be stabilized together with gnome 2.16.3 (bug 171107).
Peter any ETA on when 2.16.3 is going stable?
I am finishing generating the lists today and then arches will be doing their work for however long they need. The bug not being currently security related doesn't help there, I suppose. I can mention in the comments though. Another option is to move the evo stabling to this bug when the lists are done and mention that some parts of the 2.16.3 bug are strongly encouraged to do first.
Thx for the status Mart. I don't think this bug alone is worth rushing stable marking of 2.16.3. On the other hand it shouldn't take months to get this fixed. Please keep us posted on depended bugs.
evolution-data-server-1.8.3-r4 is now stable on all arches with a stable tree, except arm which I don't believe to be a security supported arch. This is -r4 not -r3 as mentioned in comment #2. Revisions in the 1.10 series that were affected have been long removed. A version from the old 1.6 series for GNOME-2.14 remains in the tree until Gnome 2.14 is removed as a whole in the future.
1. it probably affects all softwares that use APOP. It's more a protocol weakness than a software vulnerability. 2. the impact is very weak... and needs more attacks to be harmful (MITM + passwd guess) --> i vote noglsa.
You're correct. Voting NO and closing. Feel free to reopen if you disagree.
