Date: Mon, 22 Aug 2016 14:15:06 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Werner Koch <wk@...pg.org>, Pascal Cuoq <cuoq@...st-in-soft.com>,
	Raphaël Rieu-Helft <raphael.rieu-helft@...st-in-soft.com>
Subject: Re: memory issues in libksba 1.3.4 and git

Hi,

I thought I had fixed that ezmlm-idx incompatibility with Werner's setup
of Gnus, but it seems not - perhaps it's not exactly that same old bug,
even if very similar:

http://www.openwall.com/lists/oss-security/2016/08/18/20

In those old bug reports, it was about MIME sections completely lacking
headers.  In Werner's messages, the MIME section has only the
Content-Transfer-Encoding header, but not a Content-Type header.

Also, Werner's latest message appears to have an invalid boundary
string.  (The previous message for which corruption occurred had a valid
boundary string, even if unusual.  These unusual boundary strings might
or might not be relevant to the problem.)  Specifically:

--=SRI-target-ANDVT-Freeh-anthrax-[Hello-to-all-my-friends-and-fans-in=

The "[" character isn't in the allowed set per RFC 2046:

     boundary := 0*69<bchars> bcharsnospace

     bchars := bcharsnospace / " "

     bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" /
                      "+" / "_" / "," / "-" / "." /
                      "/" / ":" / "=" / "?"

Unfortunately, the message corruption occurs post moderator approval, so
I couldn't easily see whether it occurred this time or not without
approving the message first.  I guess I'd need to debug it on a test
list, re-injecting Werner's message on my own, but I don't currently
have time for that.

I'll include Werner's original message below.

Werner, maybe you could try this old workaround for next time you post? -

(setq mml-insert-mime-headers-always t)

Thanks, and sorry, and yes this is pretty ridiculous.

Alexander

On Mon, Aug 22, 2016 at 12:11:47PM +0200, Werner Koch wrote:
> On Sat, 20 Aug 2016 16:06, cuoq@...st-in-soft.com said:
>
> > These inputs have been set to Werner Koch, privately as per his
> > request, on May 25, June 11 and July 11.  I am publishing them now so
>
> I am sorry about the delays.  I asked Pascal to discuss this privately
> for the simple matter that I would anyway be the one to fix the things.
> In the future I will take care to CC my co-hackers on such private mails
> so they can jump in or remind me of such delays.
>
> > that anyone who uses or might want to use libksba to parse messages
> > (received pre-authentification by definition) can make an informed
> > choice considering the risks of denial of service and information
>
> I just release libksba 1.3.5 which limits the allocation to a 16 MiB
> which is the best solution I could come up with.  Note that this parser
> is only used for smallish ASN.1 objects like certificates or small parts
> of larger ASN.1 objects (like CRLs).
>
> Thanks to Pascal for looking at Libksba.
>
>
> Shalom-Salam,
>
>    Werner
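
The two conditions discussed in the message above (a boundary character outside the RFC 2046 `bchars` set, and a MIME part with no Content-Type header) can be checked mechanically before a message is injected into a test list. The following is an added example, not part of the original thread and not ezmlm-idx or Gnus code; the function names and the sample body are constructed for illustration, and only the boundary string is taken from the delimiter line quoted above.

```python
import re

# bchars from the RFC 2046 grammar quoted in the message above
BCHARS = set("0123456789abcdefghijklmnopqrstuvwxyz"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ'()+_,-./:=? ")
# Boundary from the delimiter line quoted above (leading "--" removed)
QUOTED_BOUNDARY = "=SRI-target-ANDVT-Freeh-anthrax-[Hello-to-all-my-friends-and-fans-in="
# Constructed sample body, not Werner's actual message
SAMPLE_BODY = "\n".join([
    "--" + QUOTED_BOUNDARY,
    "Content-Transfer-Encoding: quoted-printable", "", "first part",
    "--" + QUOTED_BOUNDARY,
    "Content-Type: text/plain", "", "second part",
    "--" + QUOTED_BOUNDARY + "--"])

def boundary_violations(boundary):
    """Return a list of problems with a boundary; an empty list means valid."""
    problems = []
    if not 1 <= len(boundary) <= 70:
        problems.append("length %d not in 1..70" % len(boundary))
    for i, ch in enumerate(boundary):
        if ch not in BCHARS:
            problems.append("char %r at offset %d not in bchars" % (ch, i))
    if boundary.endswith(" "):
        problems.append("last character must not be a space")
    return problems

def parts_missing_content_type(body, boundary):
    """Split a multipart body on its delimiter lines and return the 0-based
    indexes of parts whose header block has no Content-Type field."""
    delim, parts, current = "--" + boundary, [], None
    for line in body.splitlines():
        stripped = line.rstrip()          # tolerate trailing padding
        if stripped == delim + "--":      # close delimiter ends the body
            break
        if stripped == delim:             # a new part starts here
            if current is not None:
                parts.append(current)
            current = []
        elif current is not None:
            current.append(line)
    if current is not None:
        parts.append(current)
    missing = []
    for n, lines in enumerate(parts):
        # the header block runs up to the first empty line
        headers = lines[:lines.index("")] if "" in lines else lines
        if not any(re.match(r"(?i)content-type\s*:", h) for h in headers):
            missing.append(n)
    return missing
```
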