Bug#431191: cyrus-sasl2: don't allow trailing CR/LF/CRLF in base64 data

Fabian Fagerholm fabbe at paniq.net
Sat Jun 30 14:42:55 UTC 2007


Package: cyrus-sasl2
Version: 2.1.22.dfsg1-6
Severity: minor

Debian bug #400955 was resolved by Debian patch
0015_saslutil_decode64_fix, which allows base64 input data to be
terminated by CR, LF, or CRLF. This is against RFC 4648, which defines
base64. Upstream fixed their code to be RFC-compliant but since some
applications incorrectly assume the old behaviour, and since it was very
late in the etch release cycle, we decided to err on the side of caution
and not risk breakage in applications using Cyrus SASL.

However, we now have the opportunity to reduce the number of patches in
the Debian version of Cyrus SASL, and to find packages that do not
properly sanitize their base64 data before passing it to libsasl2.

This bug tracks the progress of removing the patch and fixing the
packages which depend on this incorrect behaviour.

A possible workflow is the following:

1. List packages in Debian that have code calling sasl_decode64. For
   each such package:
   2. Determine if it sanitizes its data before passing it to sasl_decode64.
   3. If not, submit a bug against the package, preferably with a patch.
4. When enough packages have been checked, remove the patch.
5. Be alert and help other maintainers to fix their packages.
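As an added illustration, not code from this report or from Cyrus SASL, here is the kind of caller-side sanitization step 2 asks about: strip one trailing CR, LF or CRLF, then verify the buffer is strict RFC 4648 base64 before it would be handed to sasl_decode64. The function names and the sample input are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return the length of buf once a single trailing CR, LF or CRLF is removed.
 * Only one terminator is stripped, which is what the Debian patch tolerated;
 * upstream sasl_decode64 accepts none of them. */
size_t strip_trailing_crlf(const char *buf, size_t len)
{
    if (len > 0 && buf[len - 1] == '\n') len--;
    if (len > 0 && buf[len - 1] == '\r') len--;
    return len;
}

/* Strict RFC 4648 section 4 check: alphabet A-Z a-z 0-9 + /, length a
 * multiple of four, at most two '=' pad characters and only at the end.
 * Returns 1 if a strict decoder would accept the buffer, 0 otherwise. */
int is_strict_base64(const char *buf, size_t len)
{
    size_t i, pad = 0;
    if (len % 4 != 0) return 0;
    for (i = 0; i < len; i++) {
        char c = buf[i];
        if (c == '=') {
            if (i + 2 < len) return 0;      /* pad only in last two slots */
            pad++;
        } else if (pad > 0) {
            return 0;                       /* data after padding */
        } else if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                     (c >= '0' && c <= '9') || c == '+' || c == '/')) {
            return 0;                       /* rejects CR, LF, space, etc. */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: "ABC" encoded, as a line-oriented protocol
     * might deliver it, with the CRLF still attached. */
    const char line[] = "QUJD\r\n";
    size_t len = strlen(line);
    printf("raw input strict base64? %d\n", is_strict_base64(line, len));
    len = strip_trailing_crlf(line, len);
    printf("after stripping CRLF (%zu bytes) strict base64? %d\n",
           len, is_strict_base64(line, len));
    return 0;
}
```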

-- 
Fabian Fagerholm <fabbe at paniq.net>
