From owner-freebsd-ports Sat Mar 24 7:19:16 2001
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 854C637B71B for ; Sat, 24 Mar 2001 07:18:57 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2OF6cp51105; Sat, 24 Mar 2001 07:06:38 -0800 (PST) (envelope-from gnats)
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 9439537B71A for ; Sat, 24 Mar 2001 06:45:34 -0800 (PST) (envelope-from trevor@jpj.net)
Received: from localhost (trevor@localhost) by blues.jpj.net (8.11.1/8.11.1) with ESMTP id f2OEjXK16859 for ; Sat, 24 Mar 2001 09:45:33 -0500 (EST)
Message-Id: <20010324091457.U3795-100000@blues.jpj.net>
Date: Sat, 24 Mar 2001 09:45:33 -0500 (EST)
From: Trevor Johnson
To:
Subject: ports/26052: patch for mail/pine4 against passive fingerprinting
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 26052
>Category: ports
>Synopsis: patch for mail/pine4 against passive fingerprinting
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 24 07:06:29 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Trevor Johnson (trevor@freebsd.org)
>Release: 4-STABLE
>Organization: myself
>Environment:
FreeBSD localhost.localdomain 4.2-STABLE FreeBSD 4.2-STABLE #0: Sun Feb 11 07:43:35 PST 2001 root@localhost.localdomain:/usr/src/sys/compile/4_2_STABLE_A i386
>Description:
Pine puts unnecessary information in the Message-ID header: a three-letter code which denotes the operating system and (for some operating systems, not FreeBSD) the approximate version of the OS and information on certain system software (again not for FreeBSD), the version of Pine, and the word "PINE". As described in http://www.crimelabs.net/docs/passive.html, this information could be of use to someone with malicious intentions. For instance, suppose a user runs a version of Pine with known vulnerabilities, and that the user posts to public mailing lists, or to USENET. An attacker could examine the posts without the user's knowledge and send a malicious message tailored to that particular version of Pine. The attack would be almost sure to succeed. If this information were withheld, the attacker might have to try several attacks before succeeding, so the chances of the user discovering the attack would be greater. I've prepared a patch which stops Pine from sending this information.
On 2001-02-11 I sent this (with a trivial difference - 26 instead of 'Z' - 'A') to pine@cac.washington.edu (AFAIK the preferred address for submitting patches to the Pine developers), Michael Elkins (author of Mutt, from which I took the format string, and which has a similar problem) and to Jose Nazario, author of the Crimelabs article. The next day, I sent the patch to petef@databits.net (maintainer of the mail/pine4 port) with a note that the 26 should be replaced by 'Z' - 'A'. I asked that the patch be considered for the FreeBSD port. The only response I've received has been a favorable one from Jose Nazario.
>How-To-Repeat:
Send a message with pine. Look at the Message-ID header.
>Fix:
Index: files/patch-reply.c
===================================================================
RCS file: patch-reply.c
diff -N patch-reply.c
--- /dev/null	Sat Mar 24 05:58:53 2001
+++ patch-reply.c	Sat Mar 24 05:52:22 2001
@@ -0,0 +1,37 @@ +--- pine/reply.c.orig Wed Jan 24 18:35:05 2001 ++++ pine/reply.c Sun Feb 11 12:15:03 2001 +@@ -4967,23 +4967,24 @@ + char * + generate_message_id() + { +- static short osec = 0, cnt = 0; ++ struct timeval tp; ++ struct timezone tzp; ++ static short osec = 0; ++ static char cnt; + char *id; + time_t now; + struct tm *now_x; + + now = time((time_t *)0); + now_x = localtime(&now); +- id = (char *)fs_get(128 * sizeof(char)); ++ id = (char *)fs_get(384 * sizeof(char)); + +- if(now_x->tm_sec == osec){ +- cnt++; +- }else{ +- cnt = 0; +- osec = now_x->tm_sec; +- } +- sprintf(id,"", +- SYSTYPE, pine_version, (now_x->tm_year) % 100, now_x->tm_mon + 1, ++ cnt = 'A'; ++ if(gettimeofday(&tp, &tzp) == 0) ++ cnt += (time_t)tp.tv_usec % ('Z' - 'A'); ++ ++ sprintf(id,"<%d%02d%02d%02d%02d%02d.%c%d@%s>", ++ (now_x->tm_year) + 1900, now_x->tm_mon + 1, + now_x->tm_mday, now_x->tm_hour, now_x->tm_min, now_x->tm_sec, + cnt, getpid(), ps_global->hostname); + >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
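Review bot: the hunk drops the per-second counter that kept IDs from one process unique, replacing cnt with a letter derived from tp.tv_usec % ('Z' - 'A'); two messages from the same pid in the same second then collide with probability 1/25, and because 'Z' - 'A' is 25 the letter never reaches 'Z'. Keep the counter (osec is still declared but no longer read, which compilers will flag as unused) and append the microsecond letter to it rather than replacing it. The buffer also grows from 128 to 384 bytes while sprintf stays unbounded; ps_global->hostname is the only variable-length field, so snprintf(id, 384, ...) would make that bound explicit. Passing a struct timezone to gettimeofday is obsolete; a NULL second argument suffices. The stated goal is met: SYSTYPE, pine_version and the literal "Pine" no longer appear in the ID.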
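The Description above argues that a Message-ID naming the client, OS and version is a passive fingerprint. As an added example (not code from the PR or from Pine), the audit below scans Message-ID headers and reports what each one discloses, so a mail administrator can check their own outbound mail. The field order assumed for unpatched Pine IDs ("Pine", a three-letter OS code, the version, a timestamp, the pid) is an assumption built from the PR's description; the second pattern is the layout the patch emits, and the sample headers are constructed.

```python
import re

# Constructed sample headers, not taken from the PR. The first two follow
# the assumed unpatched-Pine layout ("Pine", three-letter OS code, version,
# timestamp, pid); the third follows the layout the patch emits
# (YYYYMMDDhhmmss, a letter, the pid); the fourth is an opaque UUID.
SAMPLE_HEADERS = [
    "Message-ID: <Pine.LNX.4.33.0103240945330.3795@blues.example.net>",
    "Message-Id: <Pine.BSF.4.21.0102111215030.16859@localhost.localdomain>",
    "Message-Id: <20010324091457.U3795@blues.example.net>",
    "Message-ID: <b2c7e1f0-9f3a-4c1e-8a27-1d2e3f4a5b6c@example.org>",
]

HEADER = re.compile(r"^Message-I[dD]:\s*(<[^>]+>)\s*$")
# Unpatched Pine (assumed layout): names product, OS code and version outright.
PINE_ID = re.compile(r"^<Pine\.([A-Z]{3})\.(\d+(?:\.\d+)*)\.\d+\.(\d+)@([^>]+)>$")
# Patched layout from the PR: 14-digit local timestamp, '.', one letter, pid.
PATCHED_ID = re.compile(r"^<(\d{14})\.[A-Z](\d+)@([^>]+)>$")

def classify_message_id(msgid):
    """Return what a Message-ID reveals about the sender, or None if nothing."""
    m = PINE_ID.match(msgid)
    if m:
        return {"severity": "high", "client": "Pine", "os_code": m.group(1),
                "version": m.group(2), "pid": m.group(3), "host": m.group(4)}
    m = PATCHED_ID.match(msgid)
    if m:
        # No product or version, but the shape (timestamp.letter+pid) still
        # marks the client family and leaks the pid and the local send time.
        return {"severity": "low", "client": "Pine (patched) or Mutt-style",
                "pid": m.group(2), "host": m.group(3)}
    return None

def audit_headers(lines):
    """Collect (msgid, details) for every Message-ID header that discloses
    something about the sending software; opaque IDs are skipped."""
    findings = []
    for line in lines:
        h = HEADER.match(line.strip())
        if h:
            details = classify_message_id(h.group(1))
            if details is not None:
                findings.append((h.group(1), details))
    return findings

if __name__ == "__main__":
    for msgid, details in audit_headers(SAMPLE_HEADERS):
        print(msgid, details)
```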