Date: Mon, 22 Aug 2016 14:15:06 +0300
From: Solar Designer <>
Cc: Werner Koch <>, Pascal Cuoq <>,
	Raphaël Rieu-Helft <>
Subject: Re: memory issues in libksba 1.3.4 and git


I thought I had fixed that ezmlm-idx incompatibility with Werner's setup
of Gnus, but it seems not - perhaps it's not exactly that same old bug,
even if very similar:

In those old bug reports, it was about MIME sections completely lacking
headers.  In Werner's messages, the MIME section has only the
Content-Transfer-Encoding header, but not a Content-Type header.

Also, Werner's latest message appears to have an invalid boundary
string.  (The previous message for which corruption occurred had a
valid boundary string, even if unusual.  These unusual boundary strings
might or might not be relevant to the problem.)  Specifically:


The "[" character isn't in the allowed set per RFC 2046:

     boundary := 0*69<bchars> bcharsnospace

     bchars := bcharsnospace / " "

     bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" /
                      "+" / "_" / "," / "-" / "." /
                      "/" / ":" / "=" / "?"

Unfortunately, the message corruption occurs post moderator approval, so
I couldn't easily see whether it occurred this time or not without
approving the message first.  I guess I'd need to debug it on a test
list, re-injecting Werner's message on my own, but I don't currently
have time for that.  I'll include Werner's original message below.

Werner, maybe you could try this old workaround for next time you post? -

  (setq mml-insert-mime-headers-always t)

Thanks, and sorry, and yes this is pretty ridiculous.


On Mon, Aug 22, 2016 at 12:11:47PM +0200, Werner Koch wrote:
> On Sat, 20 Aug 2016 16:06, said:
>
> > These inputs have been sent to Werner Koch, privately as per his
> > request, on May 25, June 11 and July 11. I am publishing them now so
>
> I am sorry about the delays.  I asked Pascal to discuss this privately
> for the simple matter that I would anyway be the one to fix the things.
> In the future I will take care to CC my co-hackers on such private mails
> so they can jump in or remind me of such delays.
>
> > that anyone who uses or might want to use libksba to parse messages
> > (received pre-authentication by definition) can make an informed
> > choice considering the risks of denial of service and information
>
> I just released libksba 1.3.5 which limits the allocation to 16 MiB
> which is the best solution I could come up with.  Note that this parser
> is only used for smallish ASN.1 objects like certificates or small parts
> of larger ASN.1 objects (like CRLs).
>
> Thanks to Pascal for looking at Libksba.
>
> Shalom-Salam,
>
>    Werner
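
Added example, not part of the original message and not code from ezmlm-idx, Gnus or libksba: a Python check of a boundary string against the RFC 2046 grammar quoted above, plus a scan for body parts whose headers lack Content-Type. The function names are hypothetical and the sample boundary and body are constructed for illustration.

```python
import re

# RFC 2046, section 5.1.1: boundary := 0*69<bchars> bcharsnospace
BCHARSNOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
BOUNDARY_RE = re.compile(rf"[{BCHARSNOSPACE} ]{{0,69}}[{BCHARSNOSPACE}]")
BCHAR_RE = re.compile(rf"[{BCHARSNOSPACE} ]")

def is_valid_boundary(boundary):
    """True if boundary is 1-70 bchars and does not end in a space."""
    return BOUNDARY_RE.fullmatch(boundary) is not None

def invalid_boundary_chars(boundary):
    """Characters of boundary that fall outside the bchars set."""
    return sorted({c for c in boundary if not BCHAR_RE.fullmatch(c)})

def parts_missing_content_type(body, boundary):
    """Indexes of body parts whose header block has no Content-Type field."""
    delim, parts, current = "--" + boundary, [], None
    for line in body.splitlines():
        stripped = line.rstrip()
        if stripped == delim + "--":      # close delimiter ends the multipart
            break
        if stripped == delim:             # delimiter line starts a new part
            if current is not None:
                parts.append(current)
            current = []
        elif current is not None:
            current.append(line)
    if current is not None:
        parts.append(current)
    missing = []
    for index, lines in enumerate(parts):
        names = set()
        for line in lines:
            if line == "":                # blank line ends the part headers
                break
            if ":" in line and not line[0].isspace():
                names.add(line.split(":", 1)[0].strip().lower())
        if "content-type" not in names:
            missing.append(index)
    return missing

# Constructed sample (not the boundary or body of the message discussed above).
SAMPLE_BOUNDARY = "=-=[sample]=-="
SAMPLE_BODY = (
    f"--{SAMPLE_BOUNDARY}\nContent-Transfer-Encoding: quoted-printable\n\ntext\n"
    f"--{SAMPLE_BOUNDARY}\nContent-Type: text/plain\n\ntext\n--{SAMPLE_BOUNDARY}--\n"
)
```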
