Re: mutt/gpg social attack
On Mon, Aug 23, 2004 at 11:44:15AM +0200, Adeodato Simó wrote:
> * Thomas Glanzmann [Mon, 23 Aug 2004 09:46:02 +0200]:
> > Hello together,
>
> > http://www.securityfocus.com/bid/10929
>
> oh. if someone feels with some spare time to spend,
> http://bugs.debian.org/265168
> contains the full submitter concerns.
The reporter's point is that Mutt doesn't disable ^H even when
$allow_ansi is unset. (I already asked Jan Minar.)
In fact, I was surprised by his PoC message although my color
for signed messages was not the same as "bold" color.
I didn't think my Mutt allows messages to force coloring.
I think someone may simply believe the "bold" messages like:
[[tthhiiss mmeessaaggee iiss nnoott ssiiggnneedd]]
Solutions:
0. disable ^H if $allow_ansi is unset.
   (because $allow_ansi disables richtext colors, too.)
1. disable ^H if $allow_backspace (new variable) is unset.
   (because this is not exactly the same as ANSI colors.)
2. add
       color bold default default
       color underline default default
   to default Muttrc or hard-coded default.
   (But this is not perfect. This doesn't work if you are
   using "default" colors.)
I wrote a patch for (1) and Jan Minar corrected my English text in it.
Here, (1) and (0) are attached.
--
tamo
This is (1).
--- init.h~ Tue Aug 24 12:04:12 2004
+++ init.h Tue Aug 24 12:28:19 2004
@@ -158,6 +158,16 @@
** message could include a line like "[-- PGP output follows ..." and
** give it the same color as your attachment color.
*/
+ { "allow_backspace", DT_BOOL, R_NONE, OPTALLOWBACKSPACE, 0 },
+ /*
+ ** .pp
+ ** Controls whether backspaces in messages are to be interpreted. Messages
+ ** containing backspaces are rare, but if this option is set, their text
+ ** can be decorated according to the ``color bold'' setting. Note that
+ ** this may present a security problem, since a message could include a
+ ** line like "[-- PGP output follows ..." and give it the same (or similar)
+ ** color as your attachment color.
+ */
{ "arrow_cursor", DT_BOOL, R_BOTH, OPTARROWCURSOR, 0 },
/*
** .pp
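Review bot: The new help text for allow_backspace names only the ``color bold'' setting, but the pager.c change in this same patch gates the A_UNDERLINE branch on the option as well, so the text should mention ``color underline'' too. The security sentence is taken over from the allow_ansi entry just above; since backspace sequences select the bold or underline attribute rather than an arbitrary color, it would be more accurate to say that spoofed text takes on whatever the user has bound to bold or underline. If the trailing 0 in the new table entry is the default, the text should also state that overstrike rendering is off unless the user sets the option.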
--- mutt.h~ Tue Aug 24 12:12:40 2004
+++ mutt.h Tue Aug 24 12:13:05 2004
@@ -325,6 +325,7 @@
{
OPTALLOW8BIT,
OPTALLOWANSI,
+ OPTALLOWBACKSPACE,
OPTARROWCURSOR,
OPTASCIICHARS,
OPTASKBCC,
--- pager.c~ Tue Aug 24 11:43:49 2004
+++ pager.c Tue Aug 24 12:04:05 2004
@@ -1109,12 +1109,12 @@
k2 = mbrtowc (&wc1, (char *)buf+ch+k1, cnt-ch-k1, &mbstate1),
k2 > 0 && IsWPrint (wc1)))
{
- if (wc == wc1)
+ if ((option (OPTALLOWBACKSPACE)) && wc == wc1)
{
special |= (wc == '_' && special & A_UNDERLINE)
? A_UNDERLINE : A_BOLD;
}
- else if (wc == '_' || wc1 == '_')
+ else if ((option (OPTALLOWBACKSPACE)) && (wc == '_' || wc1 == '_'))
{
special |= A_UNDERLINE;
wc = (wc1 == '_') ? wc : wc1;
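Review bot: With OPTALLOWBACKSPACE unset, neither the `wc == wc1` branch nor the `wc == '_' || wc1 == '_'` branch runs, and what then happens to the character, backspace, character triple lies outside this hunk. Please confirm, and say in the changelog, that the fall-through path displays the sequence harmlessly and never writes a raw ^H to the terminal. The option test is also duplicated in both conditions; if the remaining branches allow it, test it once in the enclosing condition that ends `k2 > 0 && IsWPrint (wc1)))`, and drop the extra parentheses around option (...).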
This is (0).
--- pager.c~ Tue Aug 24 11:43:49 2004
+++ pager.c Tue Aug 24 12:04:05 2004
@@ -1109,12 +1109,12 @@
k2 = mbrtowc (&wc1, (char *)buf+ch+k1, cnt-ch-k1, &mbstate1),
k2 > 0 && IsWPrint (wc1)))
{
- if (wc == wc1)
+ if ((option (OPTALLOWANSI)) && wc == wc1)
{
special |= (wc == '_' && special & A_UNDERLINE)
? A_UNDERLINE : A_BOLD;
}
- else if (wc == '_' || wc1 == '_')
+ else if ((option (OPTALLOWANSI)) && (wc == '_' || wc1 == '_'))
{
special |= A_UNDERLINE;
wc = (wc1 == '_') ? wc : wc1;
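Review bot: Gating both branches on OPTALLOWANSI makes one switch control two different mechanisms: a user who sets allow_ansi to get ANSI colors also gets message-controlled bold and underline back, and a user who leaves it unset loses overstrike rendering altogether. That is the objection the cover text itself gives under solution (1), that ^H is not exactly the same as ANSI colors; if this variant is the one applied, the coupling should be stated in the changelog. The code after the second branch is not in the hunk, so please also confirm how the sequence is displayed when the option is unset.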
--- init.h~ Tue Aug 24 16:56:49 2004
+++ init.h Tue Aug 24 16:57:50 2004
@@ -151,7 +151,7 @@
/*
** .pp
** Controls whether ANSI color codes in messages (and color tags in
- ** rich text messages) are to be interpreted.
+ ** rich text messages and ^H sequences) are to be interpreted.
** Messages containing these codes are rare, but if this option is set,
** their text will be colored accordingly. Note that this may override
** your color choices, and even present a security problem, since a
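Review bot: In the reworded sentence, `rich text messages and ^H sequences` sits inside the parenthesis that begins `(and color tags in`, so it reads as color tags in ^H sequences. Suggest `(and color tags in rich text messages, and ^H overstrike sequences)`. The unchanged next sentence says the text `will be colored accordingly`, which does not describe the bold and underline attributes that the pager.c hunk gates; a few words covering those would help.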
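The overstrike handling discussed in this message, as an added example (not Mutt's code and not part of the posted patches): a filter that collapses X^HY sequences so that message text cannot select bold or underline for itself. It assumes single-byte text, and the function name strip_overstrike is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Mutt code. Collapses overstrike sequences (X ^H Y) so
 * that message text cannot choose bold or underline for itself.
 * Assumption: single-byte text; Mutt's pager decodes with mbrtowc().
 * Returns the number of sequences collapsed, or -1 if out is too small. */
int strip_overstrike(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int hits = 0;

    if (outsz == 0)
        return -1;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '\b') {
            char next = in[i + 1];
            /* ^H only matters between two characters on the same line. */
            if (o > 0 && out[o - 1] != '\n' && next != '\0' && next != '\b') {
                /* "_^Hx" and "x^H_" (underline) keep the letter;
                 * "x^Hx" (bold) and other overwrites keep the later one. */
                if (!(next == '_' && out[o - 1] != '_'))
                    out[o - 1] = next;
                hits++;
                i++;            /* consume the overstriking character */
            }
            continue;           /* a raw ^H is never copied through */
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = in[i];
    }
    out[o] = '\0';
    return hits;
}

int main(void)
{
    /* Constructed sample: "this" sent as bold overstrike. */
    const char *body = "t\bth\bhi\bis\bs";
    char clean[64];
    int n = strip_overstrike(body, clean, sizeof clean);

    printf("%d overstrike sequences removed: \"%s\"\n", n, clean);
    return 0;
}
```

A non-zero return value on a mail body is itself worth surfacing, since the message says such sequences are rare in ordinary mail.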