Debian Bug report logs - #544018
ssmtp.conf ignore the AuthPass parameter if the password contain a '#' character.

Package: ssmtp; Maintainer for ssmtp is Debian QA Group <packages@qa.debian.org>; Source for ssmtp is src:ssmtp (PTS, buildd, popcon).

Reported by: Simon Valiquette <v.simon@ieee.org>

Date: Fri, 28 Aug 2009 08:03:02 UTC

Severity: normal

Found in versions ssmtp/2.62-3, ssmtp/2.64-4


Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#544018; Package ssmtp. (Fri, 28 Aug 2009 08:03:10 GMT) (full text, mbox, link).


Acknowledgement sent to Simon Valiquette <v.simon@ieee.org>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 28 Aug 2009 08:03:10 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon Valiquette <v.simon@ieee.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssmtp.conf ignore the AuthPass parameter if the password contain a '#' character.
Date: Fri, 28 Aug 2009 03:58:44 -0400
Package: ssmtp
Version: 2.62-3
Severity: normal


If the '#' character appears anywhere in your password, and you
put it in the /etc/ssmtp/ssmtp.conf file using the AuthPass option,
an empty password will be sent instead and the authentication will
fail with a message such as:

535 5.7.0 Error: authentication failed: authentication failure
sendmail: Authorization failed (535 5.7.0 Error: authentication failed: authentication failure)


But if you pass the exact same password directly using
"sendmail -v -ap my#password", then it will work as expected.

At first, I thought that maybe I had to escape it like this: \#,
but after some more investigation I realized that whenever a password
contains a '#', only 2 bytes are returned to the mailhub.

Those 2 bytes are likely a carriage return, but I was too lazy to check.


My guess is that if a '#' character appears anywhere on a line, then the
full line is considered as a comment. To test this idea, I used a username
such as AuthUser=some#User and as expected, the username is never sent to
the mailhub.


This affects both Lenny and Etch, and the latest version in Squeeze (2.63-1)
is probably affected as well.


Here is basically the config file I used:


# /etc/ssmtp/ssmtp.conf
root=postmaster

mailhub=your.smtp.server.tld

hostname=whatever.tld
UseTLS=YES
UseSTARTTLS=YES

FromLineOverride=YES

AuthUser=someUser
AuthPass=my#password


Thank you,

Simon Valiquette


-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)




Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#544018; Package ssmtp. (Sat, 04 Dec 2010 12:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Kerin Millar <kerframil@gmail.com>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 04 Dec 2010 12:21:06 GMT) (full text, mbox, link).


Message #10 received at 544018@bugs.debian.org (full text, mbox, reply):

From: Kerin Millar <kerframil@gmail.com>
To: 544018@bugs.debian.org
Subject: Re: ssmtp.conf ignore the AuthPass parameter if the password contain a '#' character.
Date: Sat, 4 Dec 2010 12:16:45 +0000
This bug was also reported via the bug tracking system of Gentoo Linux
by David Shen. In doing so, he also contributed a patch which has not
yet been reviewed. Perhaps Anibal would be so kind as to review it?

http://bugs.gentoo.org/show_bug.cgi?id=258018
http://bugs.gentoo.org/attachment.cgi?id=242899




Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#544018; Package ssmtp. (Sat, 04 Dec 2010 12:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Kerin Millar <kerframil@gmail.com>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 04 Dec 2010 12:39:03 GMT) (full text, mbox, link).


Message #15 received at 544018@bugs.debian.org (full text, mbox, reply):

From: Kerin Millar <kerframil@gmail.com>
To: 544018@bugs.debian.org
Subject: Re: ssmtp.conf ignore the AuthPass parameter if the password contain a '#' character.
Date: Sat, 4 Dec 2010 12:37:03 +0000
I should also add that another bug was filed downstream, reporting a
segfault in the event that the password contains a '#' character.
Curiously, it doesn't seem to happen to everyone; for instance, David
Shen did not allude to a segfault (merely an authentication failure).
Here's a backtrace, courtesy of Joel Koglin:

gdb backtrace:

Thread 1 (Thread 0xb73758f0 (LWP 14276)):
#0  0x0804bd62 in ssmtp (argv=0x804f1e0) at ssmtp.c:1536
        buf = '\000' <repeats 2048 times>
        p = <value optimized out>
        q = <value optimized out>
        pw = 0xb7729c20
        sock = 5
        uid = 0
        minus_v_save = <value optimized out>
        timeout = <value optimized out>
#1  0x0804c4ff in main (argc=2, argv=0xbfd5d924) at ssmtp.c:2070
        new_argv = 0x0

Original report here: http://bugs.gentoo.org/show_bug.cgi?id=313017




Information forwarded to debian-bugs-dist@lists.debian.org, debian@cybertinus.nl, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#544018; Package ssmtp. (Sun, 22 Jul 2012 18:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Cybertinus <debian@cybertinus.nl>:
Extra info received and forwarded to list. Copy sent to debian@cybertinus.nl, Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 22 Jul 2012 18:06:03 GMT) (full text, mbox, link).


Message #20 received at 544018@bugs.debian.org (full text, mbox, reply):

From: Cybertinus <debian@cybertinus.nl>
To: Debian Bug Tracking System <544018@bugs.debian.org>
Subject: ssmtp: Also exists in 2.64
Date: Sun, 22 Jul 2012 20:02:28 +0200
Package: ssmtp
Version: 2.64-4
Severity: normal

Hello,

This problem still exists in version 2.64 of ssmtp. I hit this problem on my Gentoo box this week.
I also created a patch for this problem. I will attach it (probably later on in this reportbug program :) )

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]   1.5.36.1         Debian configuration management sy
ii  libc6                   2.11.3-3         Embedded GNU C Library: Shared lib
ii  libgnutls26             2.8.6-1+squeeze2 the GNU TLS library - runtime libr

ssmtp recommends no packages.

ssmtp suggests no packages.

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#544018; Package ssmtp. (Sun, 22 Jul 2012 18:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Cybertinus <debian@cybertinus.nl>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 22 Jul 2012 18:27:03 GMT) (full text, mbox, link).


Message #25 received at 544018@bugs.debian.org (full text, mbox, reply):

From: Cybertinus <debian@cybertinus.nl>
To: 544018@bugs.debian.org
Subject: Patch for 2.64
Date: Sun, 22 Jul 2012 20:19:09 +0200
[Message part 1 (text/plain, inline)]
Hello,

Well, the reportbug program didn't ask for any file that I wanted to send, so 
I'm sending an e-mail directly with my e-mail program. The promised patch is 
attached.

Regards,
Cybertinus
[fixHashSignParsing.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#544018; Package ssmtp. (Sun, 22 Jul 2012 19:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Tijn Buijs <tijnbuijs@cybertinus.nl>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sun, 22 Jul 2012 19:21:03 GMT) (full text, mbox, link).


Message #30 received at 544018@bugs.debian.org (full text, mbox, reply):

From: Tijn Buijs <tijnbuijs@cybertinus.nl>
To: 544018@bugs.debian.org
Subject: Bug also exists in Wheezy
Date: Sun, 22 Jul 2012 21:09:34 +0200
Hello,

I've updated my Debian install to Wheezy, just to be sure that the problem still 
exists everywhere. And it still did. Then I downloaded the source code of the 
version that is in Wheezy (2.64-7) and applied my patch to it. And then the 
problem was gone :).

Is it still possible to have this fixed for the Wheezy release? Or does the 
freeze prevent that? Or is the freeze just in place to fix bugs like this?

Well, I'll just see if this is fixed in Wheezy and if it flows down to other 
distros like Gentoo :).

Best regards,
Cybertinus



Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#544018; Package ssmtp. (Sat, 13 Jan 2018 18:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to "edmarcos.souza" <edmarcos.souza@gmail.com>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 13 Jan 2018 18:57:06 GMT) (full text, mbox, link).


Message #45 received at 544018@bugs.debian.org (full text, mbox, reply):

From: "edmarcos.souza" <edmarcos.souza@gmail.com>
To: 544018@bugs.debian.org
Subject: ssmtp.conf ignore the AuthPass #
Date: Sat, 13 Jan 2018 16:55:36 -0200
[Message part 1 (text/plain, inline)]
Try to apply fix for this example:

https://svnweb.freebsd.org/ports?view=revision&revision=454801
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#544018; Package ssmtp. (Wed, 09 Jan 2019 08:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to "rollopack@gmail.com" <rollopack@gmail.com>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 09 Jan 2019 08:03:05 GMT) (full text, mbox, link).


Message #50 received at 544018@bugs.debian.org (full text, mbox, reply):

From: "rollopack@gmail.com" <rollopack@gmail.com>
To: 544018@bugs.debian.org
Subject: Re: ssmtp.conf ignore the AuthPass parameter if the password contain a '#' character.
Date: Wed, 9 Jan 2019 09:00:08 +0100
Same problem here.
Is it possible to have this fixed?



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#544018; Package ssmtp. (Fri, 25 Feb 2022 00:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Krebs <jonathan.krebs@bruckbu.de>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 25 Feb 2022 00:36:03 GMT) (full text, mbox, link).


Message #55 received at 544018@bugs.debian.org (full text, mbox, reply):

From: Jonathan Krebs <jonathan.krebs@bruckbu.de>
To: 544018@bugs.debian.org
Subject: Minimal fix (actually implement what the documentation says :) )
Date: Fri, 25 Feb 2022 01:26:44 +0100
[Message part 1 (text/plain, inline)]
The manpage states "Lines starting with ‘#’ and empty lines are interpreted as comments."
So comments should not start in the middle of a word / line.

Attached is a minimal patch.

(The FreeBSD patch also works and cleans a lot, but IMHO the (char)NULL should be patched separately and their pointer arithmetic is weird and unneeded.)
[544018-config-comments-start-of-line-only.patch (text/x-patch, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
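
Added example (not part of the bug log, not ssmtp's source and not any of the attached patches): a small key=value reader showing the comment rule the reporter guessed at, where the first '#' anywhere ends the line, beside the rule the manpage states, plus an audit helper that flags values the first rule would alter. The function names and the sample lines, modelled on the config in the report, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample modelled on the config in the report (not a real credential). */
static const char *SAMPLE[] = {
    "# /etc/ssmtp/ssmtp.conf\n", "mailhub=your.smtp.server.tld\n",
    "AuthUser=someUser\n", "AuthPass=my#password\n", NULL
};

/* Find key in lines and copy its value to out; returns 1 if found.
 * comment_anywhere=1: the first '#' anywhere ends the line (reported behaviour).
 * comment_anywhere=0: only a line starting with '#' is a comment (manpage). */
static int lookup(const char **lines, const char *key, int comment_anywhere,
                  char *out, size_t cap)
{
    char buf[256];
    for (; *lines; lines++) {
        snprintf(buf, sizeof buf, "%s", *lines);
        buf[strcspn(buf, "\r\n")] = '\0';      /* drop the line ending */
        if (comment_anywhere) {
            char *hash = strchr(buf, '#');
            if (hash) *hash = '\0';            /* value is cut here */
        } else if (buf[0] == '#') {
            continue;                          /* whole-line comment */
        }
        char *eq = strchr(buf, '=');
        if (!eq) continue;                     /* blank or not key=value */
        *eq = '\0';
        if (strcmp(buf, key) == 0) {
            snprintf(out, cap, "%s", eq + 1);
            return 1;
        }
    }
    return 0;
}

/* Audit helper: 1 if the two comment rules disagree about key's value,
 * i.e. a mid-line '#' would silently change what the program uses. */
static int value_altered(const char **lines, const char *key)
{
    char a[256] = "", b[256] = "";
    int fa = lookup(lines, key, 1, a, sizeof a);
    int fb = lookup(lines, key, 0, b, sizeof b);
    return fa != fb || strcmp(a, b) != 0;
}

int main(void)
{
    printf("AuthPass altered: %d\n", value_altered(SAMPLE, "AuthPass"));
    return 0;
}
```

Running a check like value_altered over the credential keys of a config before deployment catches a silently shortened secret earlier than a 535 response from the mailhub does.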


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 6 04:10:17 2024; Machine Name: bembo
