[Evolution-hackers] Small patch (security related) for the camel pop3 provider
- From: Philip Van Hoof <spamfrommailing freax org>
- To: evolution-hackers ximian com
- Subject: [Evolution-hackers] Small patch (security related) for the camel pop3 provider
- Date: 31 Jul 2003 19:50:44 +0200
Hi there,
While reading the camel-pop3 provider to learn about it and use it for
the SIEVE protocol that I am planning to do, I noticed a tiny little
issue.
The memory where the password of the user was stored only gets freed,
not memset()'d.
I am not sure what most operating systems do but I don't think that they
reset the memory of a freed area, meaning that the password is left
unprotected in the memory. Someone once told me that you must memset it
before freeing.
Well, I am not sure.. perhaps this little patch is totally 'not' what
you should do. If it is, then I guess it needs to be fixed in most camel
providers that use authentication.
--
Philip Van Hoof, Software Developer @ Cronos
home: me at freax dot org
work: Philip dot VanHoof at cronos dot be
http://www.freax.be, http://www.freax.eu.org
Index: camel-pop3-store.c
===================================================================
RCS file: /cvs/gnome/evolution/camel/providers/pop3/camel-pop3-store.c,v
retrieving revision 1.99
diff -u -u -r1.99 camel-pop3-store.c
--- camel-pop3-store.c 23 Jul 2003 14:57:22 -0000 1.99
+++ camel-pop3-store.c 31 Jul 2003 17:46:32 -0000
@@ -430,6 +430,7 @@
}
ret = camel_stream_printf((CamelStream *)stream, "%s\r\n", resp);
+ memset (resp, '\0', strlen(resp));
g_free(resp);
if (ret == -1)
goto ioerror;
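Review bot: The added memset (resp, '\0', strlen(resp)) sits directly before g_free(resp), so it is a store to memory that is never read again, and an optimizing compiler is allowed to remove it as a dead store. Use a wipe the compiler cannot elide instead, for example clearing through a volatile pointer or calling explicit_bzero() or memset_s() where the platform provides them, ideally behind one helper so the other authenticating providers can share it. Also note that resp is formatted into the stream with "%s\r\n" on the line above, so any copy made by camel_stream_printf or held in the stream's buffers is not covered by clearing resp alone; that is worth checking before treating this as a complete fix.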