postfix and sasl_decode64

Fabian Fagerholm fabbe at paniq.net
Fri Jul 13 13:18:25 UTC 2007


Hello Lamont,

Your Debian package postfix uses the sasl_decode64 function, which is
part of libsasl2. In etch, the Cyrus SASL packaging team included a
patch that allows base64 input data to be terminated by CR, LF, or CRLF.
This is against RFC 4648, which defines base64. Upstream fixed their
code to be RFC-compliant but since some applications incorrectly assume
the old behaviour, and since it was very late in the etch release cycle,
we decided to err on the side of caution and not risk breakage in
applications using Cyrus SASL.

We would like to be RFC compliant and follow our upstream as close as
possible, and we are therefore preparing to drop the patch in the near
future. This means that some applications could stop working because
they don't properly sanitise base64 data before passing it to
sasl_decode64, resulting in an error. Proper sanitation means removing
trailing CR/LF/CRLF from strings passed to sasl_decode64, if there is a
possibility that there will be such trailing garbage in the base64 data.

If you suspect that your package doesn't properly sanitise base64 data,
please take it up with your upstream and get the issue fixed. We will
try to help you in any way we can, but we rely on your expertise of your
own package and your ability to judge the gravity of this issue for your
users.

We would appreciate a note from you, giving your input on the issue --
if you foresee any problems, if you know your package already properly
sanitises base64 data, if you already know when you would be able to
apply a fix, and so on. We will try to confirm as many packages as
possible before removing the patch, but we will also not wait
indefinitely, as this change needs to get proper field testing and we
are targeting the lenny release.

References: Debian bugs #431191 and #400955,
postfix-2.4.3/src/xsasl/xsasl_cyrus_client.c
postfix-2.4.3/src/xsasl/xsasl_cyrus_server.c

Thanks for your cooperation,
-- 
Fabian Fagerholm <fabbe at paniq.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-cyrus-sasl2-debian-devel/attachments/20070713/cae74cf5/attachment.pgp 


More information about the Pkg-cyrus-sasl2-debian-devel mailing list