Date: Mon, 22 Aug 2016 14:15:06 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Werner Koch <wk@...pg.org>, Pascal Cuoq <cuoq@...st-in-soft.com>,
	Raphaël Rieu-Helft <raphael.rieu-helft@...st-in-soft.com>
Subject: Re: memory issues in libksba 1.3.4 and git

Hi,

I thought I had fixed that ezmlm-idx incompatibility with Werner's setup
of Gnus, but it seems not - perhaps it's not exactly that same old bug,
even if very similar:

http://www.openwall.com/lists/oss-security/2016/08/18/20

In those old bug reports, it was about MIME sections completely lacking
headers.  In Werner's messages, the MIME section has only the
Content-Transfer-Encoding header, but not a Content-Type header.

Also, Werner's latest message appears to have an invalid boundary
string.  (The previous message for which corruption occurred had a valid
boundary string, even if unusual.  These unusual boundary strings might
or might not be relevant to the problem.)  Specifically:

--=SRI-target-ANDVT-Freeh-anthrax-[Hello-to-all-my-friends-and-fans-in=

The "[" character isn't in the allowed set per RFC 2046:

     boundary := 0*69<bchars> bcharsnospace

     bchars := bcharsnospace / " "

     bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" /
                      "+" / "_" / "," / "-" / "." /
                      "/" / ":" / "=" / "?"

Unfortunately, the message corruption occurs post moderator approval, so
I couldn't easily see whether it occurred this time or not without
approving the message first.  I guess I'd need to debug it on a test
list, re-injecting Werner's message on my own, but I don't currently
have time for that.

I'll include Werner's original message below.

Werner, maybe you could try this old workaround for next time you post? -

(setq mml-insert-mime-headers-always t)

Thanks, and sorry, and yes this is pretty ridiculous.

Alexander

On Mon, Aug 22, 2016 at 12:11:47PM +0200, Werner Koch wrote:
> On Sat, 20 Aug 2016 16:06, cuoq@...st-in-soft.com said:
>
> > These inputs have been sent to Werner Koch, privately as per his
> > request, on May 25, June 11 and July 11. I am publishing them now so
>
> I am sorry about the delays.  I asked Pascal to discuss this privately
> for the simple matter that I would anyway be the one to fix the things.
> In the future I will take care to CC my co-hackers on such private mails
> so they can jump in or remind me of such delays.
>
> > that anyone who uses or might want to use libksba to parse messages
> > (received pre-authentication by definition) can make an informed
> > choice considering the risks of denial of service and information
>
> I just released libksba 1.3.5 which limits the allocation to 16 MiB
> which is the best solution I could come up with.  Note that this parser
> is only used for smallish ASN.1 objects like certificates or small parts
> of larger ASN.1 objects (like CRLs).
>
> Thanks to Pascal for looking at Libksba.
>
>
> Shalom-Salam,
>
>    Werner
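
The two MIME conditions discussed in the message above, checked in Python. This is an added example, not part of the thread and not code from ezmlm-idx or Gnus; the function names and the sample body are hypothetical, and the boundary value is taken from the delimiter line quoted in the message on the assumption that its leading "--" is the delimiter prefix.

```python
import string

# bcharsnospace / bchars as in the RFC 2046 grammar quoted in the message.
BCHARSNOSPACE = set(string.ascii_letters + string.digits + "'()+_,-./:=?")
BCHARS = BCHARSNOSPACE | {" "}

# Delimiter line quoted in the message. Assumption: the leading "--" is the
# MIME delimiter prefix and the rest is the boundary parameter value.
PAGE_BOUNDARY = "--=SRI-target-ANDVT-Freeh-anthrax-[Hello-to-all-my-friends-and-fans-in="[2:]

# Constructed sample body (not from the thread): its second part carries only
# Content-Transfer-Encoding and no Content-Type.
SAMPLE_BOUNDARY = "=-=-="
SAMPLE_BODY = "\n".join([
    "--=-=-=", "Content-Type: text/plain", "", "Hello", "--=-=-=",
    "Content-Transfer-Encoding: quoted-printable", "", "sig", "--=-=-=--"])

def check_boundary(boundary):
    """Return the RFC 2046 violations found in a boundary parameter value."""
    problems = []
    if not 1 <= len(boundary) <= 70:
        problems.append("length %d not in 1..70" % len(boundary))
    for pos, ch in enumerate(boundary):
        if ch not in BCHARS:
            problems.append("illegal character %r at offset %d" % (ch, pos))
    if boundary.endswith(" "):
        problems.append("last character must not be a space")
    return problems

def parts_missing_content_type(body, boundary):
    """Return the indexes of body parts whose header block lacks Content-Type."""
    delim, close = "--" + boundary, "--" + boundary + "--"
    parts, in_headers = [], False  # parts[i] is True once Content-Type is seen
    for raw in body.splitlines():
        line = raw.rstrip()
        if line == close:
            break
        if line == delim:
            parts.append(False)
            in_headers = True
        elif in_headers and not line:
            in_headers = False
        elif in_headers and line.lower().startswith("content-type:"):
            parts[-1] = True
    return [i for i, seen in enumerate(parts) if not seen]

if __name__ == "__main__":
    print(check_boundary(PAGE_BOUNDARY))
    print(parts_missing_content_type(SAMPLE_BODY, SAMPLE_BOUNDARY))
```
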