From 834c5a2ed0479e51e8662a31caed129f136f4805 Mon Sep 17 00:00:00 2001
From: "Kevin J. McCarthy" <kevin@8t8.us>
Date: Sat, 18 Apr 2026 22:08:19 +0800
Subject: [PATCH] Fix IMAP auth_cram MD5 digest of secret to use memcpy().

For a secret longer than MD5_BLOCK_LEN, an MD5 digest is used instead.
However, mutt was incorrectly using strfcpy() instead of memcpy() on
the raw binary value returned by md5_buffer in hash_passwd.  If
hash_passwd contained an '\0' it would result in the value being
truncated.

Additionally, the strfcpy was truncating the hash_passwd by one byte
regardless, due to passing a "size" of MD5_DIGEST_LEN when the data
itself was length MD5_DIGEST_LEN.

This likely hasn't been a reported issue because:
1. CRAM-MD5 is not used much anymore
2. Most people likely don't have a password length greater than 64
   bytes.

Thanks to evilrabbit@tutamail.com for the security report.
---
 imap/auth_cram.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/imap/auth_cram.c b/imap/auth_cram.c
index 6080ea47..6a265de6 100644
--- a/imap/auth_cram.c
+++ b/imap/auth_cram.c
@@ -149,7 +149,7 @@ static void hmac_md5 (const char* password, char* challenge,
   if (secret_len > MD5_BLOCK_LEN)
   {
     md5_buffer (password, secret_len, hash_passwd);
-    strfcpy ((char*) secret, (char*) hash_passwd, MD5_DIGEST_LEN);
+    memcpy(secret, hash_passwd, MD5_DIGEST_LEN);
     secret_len = MD5_DIGEST_LEN;
   }
   else
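Review bot: the memcpy() at line 35 is the right fix for the binary digest, but the hunk does not show how `secret` is declared or initialized, so please confirm two things that this correctness depends on: that `secret` and `hash_passwd` are each at least MD5_DIGEST_LEN bytes, and that the bytes of `secret` beyond MD5_DIGEST_LEN are zero before the key is XOR-padded, since the old strfcpy() would have written a terminating NUL that memcpy() no longer does and HMAC key padding relies on the tail being zeros. It would also help to state in a comment that `hash_passwd` is raw digest output and may legitimately contain '\0' bytes, which is exactly why a string copy was wrong here. Style nit: `memcpy(secret, ...)` drops the space before the parenthesis that the surrounding calls use (`md5_buffer (password, ...`, the removed `strfcpy (`); consider `memcpy (secret, hash_passwd, MD5_DIGEST_LEN);` to match the file's convention.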
