Date: Mon, 22 Aug 2016 14:15:06 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Werner Koch <wk@...pg.org>, Pascal Cuoq <cuoq@...st-in-soft.com>,
	Raphaël Rieu-Helft <raphael.rieu-helft@...st-in-soft.com>
Subject: Re: memory issues in libksba 1.3.4 and git

Hi,

I thought I had fixed that ezmlm-idx incompatibility with Werner's setup
of Gnus, but it seems not - perhaps it's not exactly that same old bug,
even if very similar:

http://www.openwall.com/lists/oss-security/2016/08/18/20

In those old bug reports, it was about MIME sections completely lacking
headers.  In Werner's messages, the MIME section has only the
Content-Transfer-Encoding header, but not a Content-Type header.

Also, Werner's latest message appears to have an invalid boundary
string.  (The previous message for which corruption occurred had a
valid boundary string, even if unusual.  These unusual boundary strings
might or might not be relevant to the problem.)  Specifically:

--=SRI-target-ANDVT-Freeh-anthrax-[Hello-to-all-my-friends-and-fans-in=

The "[" character isn't in the allowed set per RFC 2046:

     boundary := 0*69<bchars> bcharsnospace

     bchars := bcharsnospace / " "

     bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" /
                      "+" / "_" / "," / "-" / "." /
                      "/" / ":" / "=" / "?"

Unfortunately, the message corruption occurs post moderator approval, so
I couldn't easily see whether it occurred this time or not without
approving the message first.  I guess I'd need to debug it on a test
list, re-injecting Werner's message on my own, but I don't currently
have time for that.  I'll include Werner's original message below.

Werner, maybe you could try this old workaround for next time you post? -

  (setq mml-insert-mime-headers-always t)

Thanks, and sorry, and yes this is pretty ridiculous.

Alexander

On Mon, Aug 22, 2016 at 12:11:47PM +0200, Werner Koch wrote:
> On Sat, 20 Aug 2016 16:06, cuoq@...st-in-soft.com said:
> 
> > These inputs have been sent to Werner Koch, privately as per his
> > request, on May 25, June 11 and July 11. I am publishing them now so
> 
> I am sorry about the delays.  I asked Pascal to discuss this privately
> for the simple matter that I would anyway be the one to fix the things.
> In the future I will take care to CC my co-hackers on such private mails
> so they can jump in or remind me of such delays.
> 
> > that anyone who uses or might want to use libksba to parse messages
> > (received pre-authentication by definition) can make an informed
> > choice considering the risks of denial of service and information
> 
> I just released libksba 1.3.5 which limits the allocation to 16 MiB
> which is the best solution I could come up with.  Note that this parser
> is only used for smallish ASN.1 objects like certificates or small parts
> of larger ASN.1 objects (like CRLs).
> 
> Thanks to Pascal for looking at Libksba.
> 
> 
> Shalom-Salam,
> 
>    Werner
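
An added example, not part of the original message and not code from ezmlm-idx or Gnus: a Python check of a boundary value against the RFC 2046 grammar quoted in the message, plus a scan for MIME parts that lack a Content-Type header. The function names and the sample body are constructed; the boundary is the delimiter line quoted in the message with its leading "--" assumed to be the delimiter prefix.

```python
import string

# bcharsnospace / bchars exactly as in the RFC 2046 grammar quoted in the message
BCHARS_NOSPACE = set(string.digits + string.ascii_letters + "'()+_,-./:=?")
BCHARS = BCHARS_NOSPACE | {" "}

# Boundary from the quoted delimiter line (assumption: leading "--" is the prefix)
PAGE_BOUNDARY = "=SRI-target-ANDVT-Freeh-anthrax-[Hello-to-all-my-friends-and-fans-in="
# Constructed sample body: first part has only Content-Transfer-Encoding
SAMPLE_BODY = "\n".join([
    "--" + PAGE_BOUNDARY, "Content-Transfer-Encoding: quoted-printable", "", "first part",
    "--" + PAGE_BOUNDARY, "Content-Type: text/plain", "", "second part",
    "--" + PAGE_BOUNDARY + "--"])

def boundary_problems(boundary):
    """Return the RFC 2046 violations found in a boundary value (empty if valid)."""
    problems = []
    if not 1 <= len(boundary) <= 70:
        problems.append("length %d not in 1..70" % len(boundary))
    bad = sorted({c for c in boundary if c not in BCHARS})
    if bad:
        problems.append("disallowed characters: %r" % "".join(bad))
    if boundary.endswith(" "):
        problems.append("ends with a space")
    return problems

def parts_missing_content_type(body, boundary):
    """Return (part index, header names present) for parts without Content-Type."""
    delim, close = "--" + boundary, "--" + boundary + "--"
    parts, current = [], None
    for line in body.splitlines():
        stripped = line.rstrip(" \t")  # delimiter lines may carry trailing padding
        if stripped in (delim, close):
            if current is not None:
                parts.append(current)
            current = [] if stripped == delim else None
        elif current is not None:
            current.append(line)
    if current is not None:  # body ended without a closing delimiter
        parts.append(current)
    findings = []
    for i, lines in enumerate(parts):
        header_lines = lines[:lines.index("")] if "" in lines else lines
        names = [l.split(":", 1)[0].strip().lower() for l in header_lines
                 if ":" in l and not l[0].isspace()]  # skip folded continuations
        if "content-type" not in names:
            findings.append((i, names))
    return findings
```
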
