isync/src
Oswald Buddenhagen 639c84ea28 don't ignore RequireSSL for PREAUTHenticated connections
such connections don't support STARTTLS. that is reasonable, as whatever
makes the connection preauthenticated (typically a Tunnel used to launch
imapd via a shell login) must already rely on the connection's security.
consequently, we would not try to use STARTTLS with such connections.
unfortunately, we'd also skip the RequireSSL check as a side effect.

this means that a rogue server (via a MITM attack) could simply offer a
preauthenticated connection to make us not use SSL, and thus bypass
server authentication. as a result, we could send potentially sensitive
data to the attacker:
- with Patterns used, we would send a LIST command which reveals the
  remote Path setting. this isn't very useful to an attacker. also, IMAP
  Accounts usually rely on the server-provided NAMESPACE to start with.
- with Create enabled for the remote Store, we would upload messages
  from newly appeared local folders. this isn't a very likely situation,
  unless the attacker manages to convince the victim to move/copy
  interesting mails to a new folder right before the attack.
- with Expunge enabled for the local Store, previously synchronized
  folders would be wiped. however, this would require the attacker to
  know the correct UIDVALIDITY of each remote folder, which would
  require incredible luck or convincing the victim to disclose them.
  the first mismatch would likely tip off the victim.

in practice, someone with the level of technical and social engineering
skills required for this attack would very likely find more attractive
attack vectors. therefore, i don't consider this a particularly serious
issue.

configurations with UseIMAPS enabled or using a secure Tunnel were not
affected to start with.

a side effect of this fix is that most users of Tunnel will now need to
explicitly set RequireSSL to false.
an alternative approach would be defaulting all SSL-related settings to
off when Tunnel is used. this would be too invasive for a patch release,
but i'll consider it for 1.2.

see also CVE-2014-2567 for the Trojita MUA.
2014-07-06 09:09:54 +02:00
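The decision the message describes, as an added illustration that is not isync's own code and does not mirror what drv_imap.c looks like: `parse_greeting` classifies the server's untagged greeting, and the two `proceed_*` functions contrast the pre-fix logic (PREAUTH skips STARTTLS and, as a side effect, the RequireSSL check) with the corrected logic (RequireSSL is judged against the actual transport state). The struct fields and function names are this example's own assumptions.

```c
/* Added illustration, not isync's own code; names are this example's own. */
#include <string.h>
#include <strings.h>
enum greeting { GREET_BAD, GREET_OK, GREET_PREAUTH, GREET_BYE };

struct conn_state {
    enum greeting greet;   /* parsed server greeting */
    int tls_active;        /* transport already TLS (UseIMAPS, or STARTTLS done) */
    int starttls_offered;  /* server capabilities include STARTTLS */
    int require_ssl;       /* the RequireSSL setting for this store */
};

/* Classify the untagged greeting line: "* OK ...", "* PREAUTH ...", "* BYE ...". */
enum greeting parse_greeting(const char *line)
{
    static const struct { const char *word; enum greeting g; } tab[] = {
        { "OK", GREET_OK }, { "PREAUTH", GREET_PREAUTH }, { "BYE", GREET_BYE }
    };
    if (strncmp(line, "* ", 2) != 0)
        return GREET_BAD;
    line += 2;
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        size_t n = strlen(tab[i].word);
        if (!strncasecmp(line, tab[i].word, n) &&
            (line[n] == ' ' || line[n] == '\r' || line[n] == '\0'))
            return tab[i].g;
    }
    return GREET_BAD;
}

/* Pre-fix behaviour: PREAUTH skipped STARTTLS and, as a side effect, the
 * RequireSSL check, so a plaintext PREAUTH greeting was accepted. 1 = proceed. */
int proceed_before_fix(const struct conn_state *st)
{
    if (st->greet == GREET_BAD || st->greet == GREET_BYE) return 0;
    if (st->tls_active || st->greet == GREET_PREAUTH) return 1;
    if (st->starttls_offered) return 1;     /* caller upgrades, then re-checks */
    return !st->require_ssl;
}

/* Fixed behaviour: RequireSSL is judged against the actual transport state,
 * however the session was authenticated. 1 = proceed. */
int proceed_after_fix(const struct conn_state *st)
{
    if (st->greet == GREET_BAD || st->greet == GREET_BYE) return 0;
    if (st->tls_active) return 1;
    if (st->greet == GREET_OK && st->starttls_offered) return 1;  /* caller upgrades */
    return !st->require_ssl;   /* PREAUTH cannot STARTTLS: plain only if allowed */
}
```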
compat error-check renaming of uid mapping database 2014-04-12 18:59:45 +02:00
.gitignore cvsignore => gitignore 2010-02-07 22:31:10 +01:00
common.h make date parsing portable, take 2 2014-01-02 21:09:09 +01:00
config.c assert !where implying !pseudo 2014-04-12 16:06:33 +02:00
config.h reshuffle sources a bit 2013-12-08 23:19:12 +01:00
driver.c reshuffle sources a bit 2013-12-08 23:19:12 +01:00
driver.h reshuffle sources a bit 2013-12-08 23:19:12 +01:00
drv_imap.c don't ignore RequireSSL for PREAUTHenticated connections 2014-07-06 09:09:54 +02:00
drv_maildir.c detect inconsistent state of highest assigned UID 2014-06-28 12:06:12 +02:00
main.c fix segfault on passing --{create,expunge}-{master,slave} 2014-04-12 15:16:22 +02:00
Makefile.am reshuffle sources a bit 2013-12-08 23:19:12 +01:00
mbsync.1 don't ignore RequireSSL for PREAUTHenticated connections 2014-07-06 09:09:54 +02:00
mbsyncrc.sample pre-release doc updates 2013-12-15 13:46:25 +01:00
mdconvert.1 replace FSF address with something more ... contemporary 2012-09-01 21:15:53 +02:00
mdconvert.c fix hypothetical buffer overflows 2014-04-12 13:03:46 +02:00
run-tests.pl reduce FSync option to a boolean 2013-12-08 11:12:09 +01:00
socket.c remove pointless use of AI_V4MAPPED flag 2014-02-02 12:24:34 +01:00
socket.h reshuffle sources a bit 2013-12-08 23:19:12 +01:00
sync.c initialize store_t::name 2014-07-02 08:50:22 +02:00
sync.h reshuffle sources a bit 2013-12-08 23:19:12 +01:00
util.c actually use prime numbers for all hash bucket sizes 2014-03-19 10:27:06 +01:00