Message-ID: <20160822111506.GA4403@openwall.com>
Date: Mon, 22 Aug 2016 14:15:06 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Werner Koch <wk@...pg.org>, Pascal Cuoq <cuoq@...st-in-soft.com>,
	Raphaël Rieu-Helft <raphael.rieu-helft@...st-in-soft.com>
Subject: Re: memory issues in libksba 1.3.4 and git

Hi,

I thought I had fixed that ezmlm-idx incompatibility with Werner's setup
of Gnus, but it seems not - perhaps it's not exactly that same old bug,
even if very similar:

http://www.openwall.com/lists/oss-security/2016/08/18/20

In those old bug reports, it was about MIME sections completely lacking
headers.  In Werner's messages, the MIME section has only the
Content-Transfer-Encoding header, but not a Content-Type header.

Also, Werner's latest message appears to have an invalid boundary
string.  (The previous message for which corruption occurred had a
valid boundary string, even if unusual.  These unusual boundary strings
might or might not be relevant to the problem.)  Specifically:

--=SRI-target-ANDVT-Freeh-anthrax-[Hello-to-all-my-friends-and-fans-in=

The "[" character isn't in the allowed set per RFC 2046:

     boundary := 0*69<bchars> bcharsnospace

     bchars := bcharsnospace / " "

     bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" /
                      "+" / "_" / "," / "-" / "." /
                      "/" / ":" / "=" / "?"

Unfortunately, the message corruption occurs post moderator approval, so
I couldn't easily see whether it occurred this time or not without
approving the message first.  I guess I'd need to debug it on a test
list, re-injecting Werner's message on my own, but I don't currently
have time for that.  I'll include Werner's original message below.

Werner, maybe you could try this old workaround for next time you post? -

  (setq mml-insert-mime-headers-always t)

Thanks, and sorry, and yes this is pretty ridiculous.

Alexander

On Mon, Aug 22, 2016 at 12:11:47PM +0200, Werner Koch wrote:
> On Sat, 20 Aug 2016 16:06, cuoq@...st-in-soft.com said:
> 
> > These inputs have been sent to Werner Koch, privately as per his
> > request, on May 25, June 11 and July 11. I am publishing them now so
> 
> I am sorry about the delays.  I asked Pascal to discuss this privately
> for the simple matter that I would anyway be the one to fix the things.
> In the future I will take care to CC my co-hackers on such private mails
> so they can jump in or remind me of such delays.
> 
> > that anyone who uses or might want to use libksba to parse messages
> > (received pre-authentication by definition) can make an informed
> > choice considering the risks of denial of service and information
> 
> I just released libksba 1.3.5 which limits the allocation to 16 MiB
> which is the best solution I could come up with.  Note that this parser
> is only used for smallish ASN.1 objects like certificates or small parts
> of larger ASN.1 objects (like CRLs).
> 
> Thanks to Pascal for looking at Libksba.
> 
> 
> Shalom-Salam,
> 
>    Werner
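
The two conditions described in the message above (a boundary string outside the RFC 2046 grammar, and a MIME part that carries no Content-Type header), checked in Python as an added example that is not part of the original post or of ezmlm-idx. The function names are hypothetical and the sample message is constructed; only the boundary string is taken from the delimiter line quoted above.

```python
import string
from email import message_from_string

# bcharsnospace / bchars exactly as in the RFC 2046 grammar quoted in the message
BCHARSNOSPACE = frozenset(string.ascii_letters + string.digits + "'()+_,-./:=?")
BCHARS = BCHARSNOSPACE | {" "}

def boundary_problems(boundary):
    """Return RFC 2046 violations for a boundary value (empty list = valid)."""
    problems = []
    if not 1 <= len(boundary) <= 70:
        problems.append(f"length {len(boundary)} is outside 1..70")
    problems += [f"{ch!r} at offset {i} is not in bchars"
                 for i, ch in enumerate(boundary) if ch not in BCHARS]
    if boundary.endswith(" "):
        problems.append("last character must not be a space")
    return problems

def audit_message(raw):
    """Report boundary violations and body parts that carry no Content-Type."""
    msg = message_from_string(raw)
    boundary = msg.get_boundary()
    findings = boundary_problems(boundary) if boundary is not None else []
    for n, part in enumerate(msg.walk()):
        if n and "Content-Type" not in part:  # n == 0 is the top-level message
            findings.append(f"part {n} has no Content-Type header "
                            f"(headers present: {part.keys()})")
    return findings

# Boundary taken from the delimiter line quoted above, leading "--" removed.
PAGE_BOUNDARY = "=SRI-target-ANDVT-Freeh-anthrax-[Hello-to-all-my-friends-and-fans-in="

# Constructed sample message (not the original post): its single part has
# only a Content-Transfer-Encoding header, as described in the message.
SAMPLE = (
    "From: sender@example.org\n"
    "MIME-Version: 1.0\n"
    f'Content-Type: multipart/mixed; boundary="{PAGE_BOUNDARY}"\n'
    "\n"
    f"--{PAGE_BOUNDARY}\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "constructed body\n"
    f"--{PAGE_BOUNDARY}--\n"
)

if __name__ == "__main__":
    for finding in audit_message(SAMPLE):
        print(finding)
```

Python's parser still splits the sample on the out-of-grammar boundary, so a tolerant parser accepting a message says nothing about whether other software in the delivery path will.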
