[Omail-devel] exploit workaround

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I spent a moment trying to play with vauthenticate and IPC::Open2, 
but I can't make it work. So as a simple workaround, add these lines
of code before the "# 8 possible cases" comment, around line 410:

  # prevent crack discovered on 18.05.04
  if (length($password)>8) {
     omailerror("sorry, your password is too long: max 8 chars");
  }

And you'll be safe against the current exploit. 

What I tried with IPC was:

use IPC::Open2;
use Symbol;

my $WTR = gensym();  # get a reference to a typeglob
my $RDR = gensym();  # and another one

my $tmpout = "";
my $pid = open2($RDR, $WTR, '/usr/bin/hexdump');

print $WTR $domainname . "\x00";
print $WTR $username . "\x00";
print $WTR $password . "\x00";
print $WTR "\n";
close($WTR);   

my $output = "";

while ($tmpout = <$RDR>) {     # now read the output of sort(1)
    $output .= $tmpout;
}

writelog("out: $output  [pid: $pid]");

but $output is always empty... :(  If you have any idea... 

regards,
Olivier

-- 
_______________________________________________________
 Olivier Müller - PGP key ID: 0x0E84D2EA - Switzerland 
    E-Mail: http://omx.ch/mail/ - AIM/iChat: swix3k