
fedora 25
crypto weakness #2

4

Weakness Breakdown


Definition:

This weakness covers creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are often later found to be unsafe because they have since been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

axmail-2.3.1/axmail.c

Context:

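The highlighted line of code below is the trigger point of this particular Fedora 25 crypto weakness. The highlighting is not preserved in this listing; the warning refers to the crypt(pass, salt) call in the identification == 1 branch. Only the first two characters of pw->pw_passwd are copied into salt there, so the comparison only works with the traditional two-character-salt crypt format that the warning describes. Passing the whole stored hash string to crypt() as the setting, and checking its return value for NULL before the strcmp(), would let the system's stronger hashing schemes apply.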

 	}
	
	if (!local) {
		if ((mail_allowed == 1) && (strcmp(pw->pw_passwd, "*"))) {
			printf("Sorry, you are not allowed to use axmail (you have a password set).\n");
			return -1;
		}
		
		if ((mail_allowed == 2) && (!strcmp(pw->pw_passwd, "*"))) {
			printf("Sorry, you are not allowed to use axmail (locked out in password file).\n");
			return -1;
		}
		if (mail_allowed == 3) {
			sprintf(axhome, "%s/%s", def_homedir, username);
			if (strcmp(pw->pw_dir, axhome)) {
				printf("Sorry, you are not allowed to use axmail - bad axhome.\n");
				return -1;
			}
		}
		
		if (identification == 1) {
			getstr(pass, 12, "Password: ");
			strncpy(salt, pw->pw_passwd, 2);
			salt[2] = '\0';
			if (strcmp(pw->pw_passwd, (char *)crypt(pass, salt))) {
				printf("Login incorrect.\n");
				return -1;
			}
		}

/* code supplied by Jaroslav Skarvada */
		if ( (setgroups(0, NULL) == -1) || (setgid(pw->pw_gid) == -1) || (setuid(pw->pw_uid) == -1) )
			panic("init_user: Argh, cannot setuid() or setgid() to %i.%i", pw->pw_uid, pw->pw_gid);
	}
	
	homedir = strdup(pw->pw_dir);
	return 0;
}

int main(int argc, char **argv)
{
	char *p;

	signal(SIGALRM, alarm_handler);
	signal(SIGTERM, term_handler);
        openlog("axmail", LOG_PID, LOG_DAEMON);

	if (getuid() != 0)
		local = 1;	/* Hey, we're being executed by a "normal"
				 * user, with user privileges!  
