edgy beta - mutt sasl authentication broken

Bug #65821 reported by brad clawsie
Affects: mutt (Ubuntu)
Importance: Undecided
Assigned to: Kees Cook

Bug Description

Binary package hint: mutt

on edgy beta, using mutt with sasl authentication to connect to my imaps:// provider (fastmail.fm). repeated and reproducible sasl authentication errors.

both dapper lts and debian etch mutt/sasl packages not showing these errors, if it is worthwhile to diff.

i hesitate to label this a security issue since this will certainly put this on many people's radars, but users will be expecting sasl to provide security features which will not be functioning.

Revision history for this message
Colin Watson (cjwatson) wrote :

Hmm. While there are a number of changes in the SASL code from dapper (1.5.11-3ubuntu2) to edgy (1.5.12-1ubuntu1), there are none that I can see from edgy (1.5.12-1ubuntu1) to etch (1.3.13-1). The Ubuntu-specific change in edgy is just a trivial MTA dependency change.

Perhaps it might help if you could quote the exact errors you're seeing?

Changed in mutt:
status: Unconfirmed → Needs Info
brad clawsie (b7j0c) wrote :

my specific issue was upon imaps login and mailbox access to fastmail.fm (mail.messagingengine.com). i am not sure if they employ a nonstandard configuration, assume it is compliant imaps as advertised. upon logging in i would just get a "sasl error" in red text in the mutt status bar. this is not a credential issue - my username and passphrase are correct in my .muttrc.

for now i have replaced edgy with etch, so i cannot reproduce at this time. fastmail.fm offers free accounts with imaps access, you should be able to reproduce given this, and then do more intelligent diagnosis if you wish.

i also understand if you conclude that i just screwed this up somehow, although i was using a fresh edgy beta install at the time.

thanks for your attention colin
brad

Daniel Robitaille (robitaille) wrote :

Tonight I tried mutt for the first time on Edgy (with my fastmail.fm email account, so a similar situation to Brad), using the exact same mutt configuration I'm using successfully under Dapper, and I get that exact same problem: A SASL authentication error is displayed in red when mutt tries to connect to the fastmail imaps server.

A google search turns up this:
http://permalink.gmane.org/gmane.mail.mutt.devel/11618

but I'm not sure if this is related to this specific problem in Edgy since this is specific to cyrus-sasl

Daniel Robitaille (robitaille) wrote :

running "mutt -d 1" to turn on debugging mode only shows these lines at the end of the debug log file:

local ip: 192.168.1.101;1408, remote ip:66.111.4.51;993
SASL authentication failed.

Kees Cook (kees) wrote :

I have no problems using mutt+imaps against an IMAPS dovecot 1.0.rc7-1 server on a Debian unstable box, but I do see errors against fastmail's IMAPS server.

I wouldn't think the mutt-devel issue that was posted is a problem, since the cyrus-sasl version on Edgy is 2.1.19, and they're talking about a 2.1.21->2.1.22 breakage.

Kees Cook (kees) wrote :

fastmail seems to be rejecting "AUTHENTICATE OTP". When I run mutt with "-d 9", I get a full report of the communication:

< * OK IMAP4 ready
> a0000 CAPABILITY
< * CAPABILITY IMAP4 ... IDLE AUTH=OTP SASL-IR
> a0001 AUTHENTICATE OTP *******************
< a0001 BAD invalid command

(My dovecot system uses AUTH=PLAIN since it's already over SSL.)

Under Dapper, it seems that mutt falls back to "LOGIN":

> a0001 AUTHENTICATE OTP
< a0001 BAD invalid command
imap_auth_sasl: IMAP4 I... AUTH=OTP SASL-IR failed
> a0002 LOGIN "<email address hidden>" "*****"
< a0002 OK User logged in

This seems to say you can specify "LOGIN" as the auth method, but it doesn't work for me:
http://www.mutt.org/doc/devel/manual.html#imap-authenticators

Daniel Robitaille (robitaille) wrote :

I have installed Dapper's mutt (1.5.11-3ubuntu2.1), which needs to install libgnutls12 as well, on my Edgy computer and the problem went away.

So it would seem the problem is with the mutt package in Edgy, or due to mutt's transition from libgnutls12 to libgnutls13

The debug log when using Dapper's mutt (1.5.11-3ubuntu2.1) in Edgy:

============
< * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=OTP SASL-IR
Handling CAPABILITY
< a0000 OK completed
imap_authenticate: Using any available method.
local ip: 192.168.1.101;2435, remote ip:66.111.4.51;993
External SSF: 256
External authentication name: <email address hidden>
mutt_sasl_cb_authname: getting authname for mail.messagingengine.com:993
mutt_sasl_cb_authname: getting user for mail.messagingengine.com:993
mutt_sasl_cb_pass: getting password for <email address hidden>@mail.messagingengine.com:993
> a0001 AUTHENTICATE OTP
< a0001 BAD invalid command
imap_auth_sasl: IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=OTP SASL-IR failed
> a0002 LOGIN "<email address hidden>" "xxxxxxxxxx"
< a0002 OK User logged in
Communication encrypted at 256 bits

And this is using Edgy's mutt (1.5.12-1ubuntu1) in Edgy with the exact same mutt configuration:

< * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=OTP SASL-IR
Handling CAPABILITY
< a0000 OK completed
imap_authenticate: Using any available method.
local ip: 192.168.1.101;3281, remote ip:66.111.4.51;993
External SSF: 128
External authentication name: <email address hidden>
mutt_sasl_cb_authname: getting authname for mail.messagingengine.com:993
mutt_sasl_cb_authname: getting user for mail.messagingengine.com:993
mutt_sasl_cb_pass: getting password for <email address hidden>@mail.messagingengine.com:993
> a0001 AUTHENTICATE OTP cm9iaXRhaWxsZUBmYXN0bWFpbC5mbQByb2Zt
< a0001 BAD invalid command
SASL authentication failed.

brad clawsie (b7j0c) wrote :

> due to mutt's transition from libgnutls12 to libgnutls13

for what it is worth, debian etch has mutt (1.5.13-1) using libgnutls13 (1.4.4-1), and does not manifest this issue

Kees Cook (kees) wrote :

There was a change in mutt's handling of an IMAP "BAD" response. However, Etch's libsasl2 doesn't seem to recognize fastmail's OTP method, so it doesn't get a chance to hit the bug. Attached is a possible -proposed update for the bug, which fixes the behavior for me, and restores the prior intent of the mapping from IMAP_CMD_BAD => IMAP_AUTH_UNAVAIL which lets the sasl auth system end gracefully, at which point mutt falls back to other authenticators, such as "LOGIN".

Changed in mutt:
status: Needs Info → Fix Committed
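The authenticator fallback described in the comment above, modelled as an added example that is not mutt's code and not the attached patch. A constructed in-process server stands in for the IMAPS endpoint in the transcripts: it advertises AUTH=OTP, answers AUTHENTICATE with "BAD invalid command", and accepts LOGIN. The `buggy` flag reproduces the Edgy behaviour (BAD treated as a hard failure) beside the fixed mapping (BAD => unavailable, so the next authenticator is tried); user, password and host names are constructed. The model also refuses the plaintext LOGIN fallback unless the connection is TLS, which is this example's choice rather than something the report states about mutt.

```python
# Added example (not mutt's code): a model of IMAP authenticator fallback.
# A constructed in-process server replaces the IMAPS endpoint seen in the
# debug transcripts: it advertises AUTH=OTP, rejects AUTHENTICATE with
# "BAD invalid command" and accepts LOGIN. Credentials below are constructed.

IMAP_AUTH_SUCCESS, IMAP_AUTH_FAILURE, IMAP_AUTH_UNAVAIL = "success", "failed", "unavailable"


def redact(line):
    """Mask the password argument of LOGIN before the line reaches a debug log."""
    parts = line.split(" ")
    if len(parts) >= 4 and parts[1].upper() == "LOGIN":
        parts[3] = '"*****"'
    return " ".join(parts)


class FakeImapServer:
    """Constructed server: AUTH=OTP advertised, AUTHENTICATE answered with BAD."""

    def __init__(self, accept_login=True):
        self.accept_login = accept_login
        self.log = []  # redacted client/server exchange, in mutt's >/< style

    def handle(self, line):
        self.log.append("> " + redact(line))
        tag, _, rest = line.partition(" ")
        cmd = rest.partition(" ")[0].upper()
        if cmd == "CAPABILITY":
            replies = ["* CAPABILITY IMAP4 IMAP4rev1 IDLE AUTH=OTP SASL-IR", f"{tag} OK completed"]
        elif cmd == "AUTHENTICATE":
            replies = [f"{tag} BAD invalid command"]  # server does not know the command
        elif cmd == "LOGIN":
            replies = [f"{tag} OK User logged in" if self.accept_login else f"{tag} NO Login failed"]
        else:
            replies = [f"{tag} BAD unknown command"]
        self.log.extend("< " + r for r in replies)
        return replies


class ImapClient:
    def __init__(self, server, user, password, over_tls=True, buggy=False):
        self.server, self.user, self.password = server, user, password
        self.over_tls = over_tls  # plaintext LOGIN is only attempted over TLS
        self.buggy = buggy        # True: Edgy behaviour, BAD aborts authentication
        self.seq = 0

    def cmd(self, text):
        tag = f"a{self.seq:04d}"
        self.seq += 1
        replies = self.server.handle(f"{tag} {text}")
        untagged = [r for r in replies if r.startswith("* ")]
        tagged = next(r for r in replies if r.startswith(tag + " "))
        return tagged.split(" ", 2)[1].upper(), untagged  # OK / NO / BAD

    def capabilities(self):
        _status, untagged = self.cmd("CAPABILITY")
        caps = set()
        for line in untagged:
            if line.startswith("* CAPABILITY "):
                caps.update(line[len("* CAPABILITY "):].split())
        return caps

    def auth_sasl(self, caps):
        mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
        if not mechs:
            return IMAP_AUTH_UNAVAIL
        for mech in mechs:
            status, _ = self.cmd(f"AUTHENTICATE {mech}")
            if status == "OK":
                return IMAP_AUTH_SUCCESS
            if status == "BAD":
                # The command itself was rejected, not the credentials: the fixed
                # mapping reports "unavailable" so the caller moves on to LOGIN.
                return IMAP_AUTH_FAILURE if self.buggy else IMAP_AUTH_UNAVAIL
            return IMAP_AUTH_FAILURE  # NO: credentials rejected, do not retry elsewhere
        return IMAP_AUTH_UNAVAIL

    def auth_login(self):
        if not self.over_tls:
            return IMAP_AUTH_UNAVAIL  # never send a plaintext password unencrypted
        status, _ = self.cmd(f'LOGIN "{self.user}" "{self.password}"')
        return IMAP_AUTH_SUCCESS if status == "OK" else IMAP_AUTH_FAILURE

    def authenticate(self):
        caps = self.capabilities()
        for step in (lambda: self.auth_sasl(caps), self.auth_login):
            rc = step()
            if rc != IMAP_AUTH_UNAVAIL:  # success or a real failure ends the loop
                return rc
        return IMAP_AUTH_UNAVAIL


def run(buggy, over_tls=True, accept_login=True):
    """Drive one login attempt; returns (outcome, redacted transcript)."""
    server = FakeImapServer(accept_login=accept_login)
    client = ImapClient(server, "user@example.invalid", "s3cret", over_tls=over_tls, buggy=buggy)
    return client.authenticate(), server.log


if __name__ == "__main__":
    for buggy in (True, False):
        outcome, log = run(buggy)
        print(f"buggy={buggy}: {outcome}\n  " + "\n  ".join(log))
```

With `buggy=True` the exchange stops at `a0001 BAD invalid command`, exactly where the Edgy log ends; with the fixed mapping the client continues with `a0002 LOGIN`, as in the Dapper log, and the transcript shows the password masked.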
Kees Cook (kees) wrote :
Martin Pitt (pitti)
Changed in mutt:
assignee: nobody → keescook
Kees Cook (kees) wrote :

Here is upstream's solution.

Kees Cook (kees) wrote :

For reference, upstream's discussion

http://thread.gmane.org/gmane.mail.mutt.devel/11773

Kees Cook (kees) wrote :

Fixed in 1.5.13-1.1ubuntu2 for feisty. :)

Changed in mutt:
status: Fix Committed → Fix Released
This report contains Public Security information.