From nobody@FreeBSD.org  Fri Jul 20 12:34:28 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id C101737B405
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 20 Jul 2001 12:34:27 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f6KJYRm75895;
	Fri, 20 Jul 2001 12:34:27 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200107201934.f6KJYRm75895@freefall.freebsd.org>
Date: Fri, 20 Jul 2001 12:34:27 -0700 (PDT)
From: "Antonio M. D'souza" <quik@quikbox.ca>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Potential security issues in Balsa & Encompass
X-Send-Pr-Version: www-1.0

>Number:         29112
>Category:       ports
>Synopsis:       Potential security issues in Balsa & Encompass
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnome
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 20 12:40:01 PDT 2001
>Closed-Date:    Mon Aug 20 04:44:47 PDT 2001
>Last-Modified:  Mon Aug 20 04:45:18 PDT 2001
>Originator:     Antonio M. D'souza
>Release:        4.3-stable
>Organization:
University of Waterloo
>Environment:
FreeBSD quikbox.ca 4.3-STABLE 
FreeBSD 4.3-STABLE #1: Wed May  9 22:53:16 EDT 2001
alex@rn-respw2a14.uwaterloo.ca:/usr/obj/usr/src/sys/QUIK  i386
>Description:
At the end of building both Encompass and Balsa, I get this series of security warnings:
/usr/lib/libc.so.4: WARNING!  setkey(3) not present in the system!
/usr/lib/libc.so.4: warning: this program uses gets(), which is unsafe.
/usr/lib/libc.so.4: warning: mktemp() possibly used unsafely; consider using mkstemp()
/usr/lib/libc.so.4: WARNING!  des_setkey(3) not present in the system!
/usr/lib/libc.so.4: WARNING!  encrypt(3) not present in the system!
/usr/lib/libc.so.4: warning: tmpnam() possibly used unsafely; consider using mkstemp()
/usr/lib/libc.so.4: warning: this program uses f_prealloc(), which is stupid.
/usr/lib/libc.so.4: WARNING!  des_cipher(3) not present in the system!
/usr/lib/libc.so.4: warning: tempnam() possibly used unsafely; consider using mkstemp()
>How-To-Repeat:
Build the Balsa (or Encompass) port on a FreeBSD 4.3-stable box
>Fix:

>Release-Note:
>Audit-Trail:

From: John Merryweather Cooper <jmcoopr@webmail.bmi.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc: quik@quikbox.ca, gnome@FreeBSD.org
Subject: Re: ports/29112: Potential security issues in Balsa & Encompass
Date: Fri, 20 Jul 2001 15:30:02 -0700

 This is a multi-part message in MIME format.
 --------------060900050401060304070205
 Content-Type: text/plain; charset=us-ascii; format=flowed
 Content-Transfer-Encoding: 7bit
 
 Well, I've got a fix for the crypto--but, of course, IMHO, it makes 
 Balsa a RESTRICTED port of little use to the original reporter. 
 Nevertheless, this diff -ruN from balsa-1.1.7 to balsa-1.1.7_1 does 
 clean up the build considerably . . . and implements SSL support.
 
 See attached.
 
 jmc
 
 --------------060900050401060304070205
 Content-Type: text/plain;
  name="balsa.update.3"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="balsa.update.3"
 
 diff -ruN balsa/Makefile balsa.new/Makefile
 --- balsa/Makefile	Fri Jul 20 08:04:16 2001
 +++ balsa.new/Makefile	Fri Jul 20 15:17:07 2001
 @@ -2,11 +2,12 @@
  # Date created:				02 December 1998
  # Whom:					Glenn Johnson <gljohns@bellsouth.net>
  #
 -# $FreeBSD: ports/mail/balsa/Makefile,v 1.47 2001/07/20 12:09:05 sobomax Exp $
 +# $FreeBSD: ports/mail/balsa/Makefile,v 1.46 2001/06/19 09:42:54 ade Exp $
  #
  
  PORTNAME=	balsa
  PORTVERSION=	1.1.7
 +PORTREVISION=	1
  CATEGORIES=	mail gnome
  MASTER_SITES=	http://www.theochem.kth.se/~pawsa/balsa/ \
  		ftp://ftp.newton.cx/pub/balsa/
 @@ -16,25 +17,19 @@
  LIB_DEPENDS=	esmtp.5:${PORTSDIR}/mail/libesmtp
  
  USE_X_PREFIX=	yes
 +USE_GMAKE=	yes
  USE_GNOME=	yes
  USE_LIBTOOL=	yes
 -LIBTOOLFILES=	libmutt/configure
 +USE_AUTOMAKE=	yes
 +USE_OPENSSL=	yes
 +RESTRICTED=	"Now uses US-only libcipher"
 +LIBTOOLFILES=	configure libmutt/configure
  CONFIGURE_ARGS=	--enable-threads \
  		--enable-gtkhtml \
 -		--disable-more-warnings
 +		--disable-more-warnings \
 +		--with-ssl
  CONFIGURE_ENV=	CPPFLAGS="-I${LOCALBASE}/include" \
 -		LIBS="-L${LOCALBASE}/lib -lgiconv"
 -
 +		LIBS="-L${LOCALBASE}/lib"
  MAN1=		balsa.1
 -
 -pre-patch:
 -	@${PERL} -pi -e 's|-lpthread|${PTHREAD_LIBS}|g ; \
 -		 s|DATADIRNAME=lib|DATADIRNAME=share|g ; \
 -		 s|-liconv|-lgiconv|g ; s|iconv_open|libiconv_open|g' \
 -			${WRKSRC}/configure
 -	@find ${WRKSRC} -name "Makefile.in" | xargs ${PERL} -pi -e \
 -		's|\$\(datadir\)/gnome/|\$\(datadir\)/|g ; \
 -		 s|\$\(datadir\)/locale|\$\(prefix\)/share/locale|g ; \
 -		 s|\$\(gnomedatadir\)/gnome|\$\(gnomedatadir\)|g'
  
  .include <bsd.port.mk>
 diff -ruN balsa/files/patch-aa balsa.new/files/patch-aa
 --- balsa/files/patch-aa	Wed Feb  7 04:30:13 2001
 +++ balsa.new/files/patch-aa	Wed Jul 18 15:02:53 2001
 @@ -1,14 +1,19 @@
 -
 -$FreeBSD: ports/mail/balsa/files/patch-aa,v 1.2 2001/02/07 12:30:13 sobomax Exp $
 -
 ---- src/Makefile.in.orig	Wed Feb  7 13:35:25 2001
 -+++ src/Makefile.in	Wed Feb  7 13:36:25 2001
 -@@ -152,7 +152,7 @@
 +--- configure.in	Fri Jul 13 02:09:44 2001
 ++++ configure.in.new	Wed Jul 18 15:02:00 2001
 +@@ -458,12 +458,12 @@
 + 	AC_MSG_RESULT([no])
 + fi
 + dnl #############################################################
 +-dnl Link with iconv for charset translation, if not found
 ++dnl Link with giconv for charset translation, if not found
 + dnl without library.  Needed for libmutt.
 + dnl #############################################################
 +-AC_CHECK_LIB(iconv, iconv_open, , [
 +-	AC_CHECK_FUNC(iconv_open, , [
 +-			AC_MSG_ERROR([*** You need iconv for libmutt.])
 ++AC_CHECK_LIB(giconv, libiconv_open, , [
 ++	AC_CHECK_FUNC(libiconv_open, , [
 ++			AC_MSG_ERROR([*** You need giconv for libmutt.])
 + 			])
 + 	])
   
 - CFLAGS = @CFLAGS@ $(GTKHTML_CFLAGS) $(PIXBUF_FLAGS)
 - 
 --balsa_LDADD =  	$(top_builddir)/libbalsa/libbalsa.a		$(top_builddir)/libmutt/imap/libimap.a		$(top_builddir)/libmutt/libmutt.a		$(top_builddir)/libinit_balsa/libinit_balsa.a 	-lpspell 	-lltdl 	@LIBESD_LIB@ 	$(GNOME_LIBDIR) 	$(GNOMEUI_LIBS) 	$(INTLLIBS) 	$(PTHREAD_LIB) 	$(GNOME_PRINT_LIBS) 	$(GTKHTML_LIBS)		$(PIXBUF_LIBS)
 -+balsa_LDADD =  	$(top_builddir)/libbalsa/libbalsa.a		$(top_builddir)/libmutt/imap/libimap.a		$(top_builddir)/libmutt/libmutt.a		$(top_builddir)/libinit_balsa/libinit_balsa.a 	-lpspell 	@LIBESD_LIB@ 	$(GNOME_LIBDIR) 	$(GNOMEUI_LIBS) 	$(INTLLIBS) 	$(PTHREAD_LIB) 	$(GNOME_PRINT_LIBS) 	$(GTKHTML_LIBS)		$(PIXBUF_LIBS)
 - 
 - 
 - balsa_DEPENDENCIES =  	$(top_builddir)/libbalsa/libbalsa.a		$(top_builddir)/libmutt/libmutt.a	        $(top_builddir)/libmutt/imap/libimap.a		$(top_builddir)/libmutt/libmutt.a		$(top_builddir)/libinit_balsa/libinit_balsa.a
 diff -ruN balsa/files/patch-ab balsa.new/files/patch-ab
 --- balsa/files/patch-ab	Tue Sep 19 00:57:34 2000
 +++ balsa.new/files/patch-ab	Wed Jul 18 15:08:22 2001
 @@ -1,13 +1,11 @@
 ---- configure	2000/09/19 07:22:11	1.1
 -+++ configure	2000/09/19 07:29:28
 -@@ -3480,8 +3480,8 @@
 - fi
 +--- Makefile.am	Fri Oct  6 12:19:22 2000
 ++++ Makefile.am.new	Wed Jul 18 15:07:44 2001
 +@@ -5,7 +5,7 @@
 + pixmapdir = $(gnomedatadir)/pixmaps
 + pixmap_DATA = gnome-balsa2.png
   
 +-desktopdir = $(gnomedatadir)/gnome/apps/Internet
 ++desktopdir = $(gnomedatadir)/apps/Internet
 + desktop_DATA = balsa.desktop
   
 --LDFLAGS="$balsa_save_LDFLAGS"
 --LIBS="$balsa_save_LIBS"
 -+#LDFLAGS="$balsa_save_LDFLAGS"
 -+#LIBS="$balsa_save_LIBS"
 - 
 - for ac_hdr in libgnomeui/gnome-window-icon.h
 - do
 + EXTRA_DIST = \
 diff -ruN balsa/files/patch-ac balsa.new/files/patch-ac
 --- balsa/files/patch-ac	Wed Dec 31 16:00:00 1969
 +++ balsa.new/files/patch-ac	Fri Jul 20 15:14:55 2001
 @@ -0,0 +1,19 @@
 +--- src/Makefile.am	Thu Jul 12 00:08:46 2001
 ++++ src/Makefile.am.new	Fri Jul 20 15:14:11 2001
 +@@ -61,7 +61,7 @@
 + balsa_SOURCES = $(balsa_BASE_SOURCES) $(balsa_IDL_SOURCES)
 + 
 + INCLUDES = \
 +-	-DGNOMELOCALEDIR=\""$(datadir)/locale"\" \
 ++	-DGNOMELOCALEDIR=\""$(prefix)/share/locale"\" \
 + 	-I$(top_srcdir) \
 + 	-I$(top_srcdir)/libbalsa \
 + 	-I$(top_srcdir)/libmutt \
 +@@ -76,6 +76,7 @@
 + 	$(top_builddir)/libinit_balsa/libinit_balsa.a \
 + 	-lpspell \
 + 	-lltdl \
 ++	-lcipher \
 + 	@LIBESD_LIB@ \
 + 	$(GNOME_LIBDIR) \
 + 	$(GNOMEUI_LIBS) \
 diff -ruN balsa/files/patch-ltmain.sh balsa.new/files/patch-ltmain.sh
 --- balsa/files/patch-ltmain.sh	Fri Jul 20 05:09:05 2001
 +++ balsa.new/files/patch-ltmain.sh	Wed Dec 31 16:00:00 1969
 @@ -1,18 +0,0 @@
 -
 -$FreeBSD: ports/mail/balsa/files/patch-ltmain.sh,v 1.1 2001/07/20 12:09:05 sobomax Exp $
 -
 ---- ltmain.sh	2001/07/20 11:55:49	1.1
 -+++ ltmain.sh	2001/07/20 11:56:15
 -@@ -4175,10 +4175,12 @@
 - 	fi
 - 
 - 	# Install the pseudo-library for information purposes.
 -+	if false; then
 - 	name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
 - 	instname="$dir/$name"i
 - 	$show "$install_prog $instname $destdir/$name"
 - 	$run eval "$install_prog $instname $destdir/$name" || exit $?
 -+	fi
 - 
 - 	# Maybe install the static library, too.
 - 	test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
 
 --------------060900050401060304070205--
 

From: John Merryweather Cooper <jmcoopr@webmail.bmi.net>
To: freebsd-gnats-submit@FreeBSD.org, quik@quikbox.ca
Cc:  
Subject: Re: ports/29112: Potential security issues in Balsa & Encompass
Date: Tue, 24 Jul 2001 11:36:42 -0700

 Well, the problem is NOT in any of Balsa's source code.  I've grepped, 
 eye-balled, head-banged, etc. the entire source code and I can conclude:
 
 1) setkey(3), des_setkey(3), encrypt(3), and des_cipher(3) reside in 
 libcipher--correct me if I'm wrong, but this is a US-only library (at
 least legally).  Since S/MIME is not currently implemented (but there
 are plans to do so for Balsa), lacking these functions produces the
 warnings--but does not appear to affect function--
 
 2) mktemp() is not used anywhere in Balsa.  Balsa "rolls it's own"
 mktemp which resides in libmutt.  There maybe a performance advantage
 to using mkstemp() as a replacement (I will verify this)--
 
 3) gets() is not used anywhere in Balsa--fgets() is properly used
 instead--
 
 4) tmpnam() and tempnam() are not used anywhere in Balsa--all temp
 files appear to be generated using the libmutt "roll it's own"
 mktemp() replacment--
 
 Conclusion:  the gets(), mktemp(), tmpnam(), and tempnam() warnings
 appear to come as a result of support code from outside Balsa.  I
 haven't isolated which modules, yet . . .
 

From: John Merryweather Cooper <jmcoopr@webmail.bmi.net>
To: freebsd-gnats-submit@FreeBSD.org, quik@quikbox.ca
Cc:  
Subject: Re: ports/29112: Potential security issues in Balsa & Encompass
Date: Sat, 11 Aug 2001 00:16:04 -0700

 tmpnam() comes from Xlib
 
 The other symbols appear to come Balsa's linkage with libc itself.
 
 Curiously, none of these symbols are used/called by Balsa or it's 
 support libraries.
 
 About the best that can be said is that the linkage warnings are set at 
 a (perhaps appropriate) low threshold.
 
 The setkey(), des_setkey(), and des_cipher() warnings can be made to go 
 away for this (and other) ports by linking with libcipher.  Perhaps the 
 ports widgets can be modified to add libcipher to the library chain with 
 libc in appropriate circumstances.  However, no additional functionality 
 results from this.
 
 Short of expunging the remaining symbols from libc (far from 
 likely--they're all standard calls), there's nothing more to do.
 
 jmc
 
Responsible-Changed-From-To: freebsd-ports->gnome 
Responsible-Changed-By: ijliao 
Responsible-Changed-When: Sat Aug 18 00:14:21 PDT 2001 
Responsible-Changed-Why:  
over to maintainer 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29112 
State-Changed-From-To: open->closed 
State-Changed-By: sobomax 
State-Changed-When: Mon Aug 20 04:44:47 PDT 2001 
State-Changed-Why:  
Superseeded by ports/29261. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29112 
>Unformatted:
