Date: Wed, 01 May 2024 00:48:23 +0200
From: Steffen Nurpmeso
To: oss-security@lists.openwall.com
Message-ID: <20240430224823.uA8Nr1Cp@steffen%sdaoden.eu>
References: <20231221143630.GD14101@suse.de>
Subject: Re: [oss-security] New SMTP smuggling attack

Mark Esler wrote in
 :
 |To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
 |should comply with RFC 5321 section 4.1.1.4 [0] to strip control
 |characters other than , , , and in the DATA section of
 |SMTP messages.

Given that RFC 733 is from 1977 and RFC 822 is from 1982 i feel
this entire thread is exaggerating.
The smuggling problem solely was rooted in the LF / CRLF "wars"
from at minimum the early 70s (Unix and more), with terminal
drivers doing auto-translation on-the-fly etc etc etc.
The internet history list may be worthwhile for this, or examining
the history of Unix programs.
Ie, in January i also (funny) talked to John Klensin on an IETF
list saying

  [.]The CR/LF "problem" seems to have been "addressed" in UNIX as
  early as 1972, ie "6/12/72 STTY (II)" gives

    020 map CR into LF; echo LF or CR as LF-CR
    ...
    Mode 020 causes input carriage returns to be turned into
    new-lines; input of either CR or LF causes LF-CR both to be
    echoed (used for GE TermiNet 300's and other terminals without
    the newline function).

  In 1974 it became

    -nl allow carriage return for new-line, and output CR-LF for
        carriage return or new-line
    nl  accept only new-line to end lines

  Which makes me *think* that "Houston, we have a problem" was
  ACKnowledged, and in order not to be a crook something would
  have been done about it, saving even a byte per line.
  But i do not know, this was all military and other high sphere
  academics by then.  Interesting, by the way, that "so many"
  expensive decisions were deemed necessary[.]

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)