nufw and sasl_decode64

Pierre Chifflier p.chifflier at inl.fr
Tue Feb 19 16:00:09 UTC 2008


On Tue, Feb 19, 2008 at 02:00:18PM +0200, Fabian Fagerholm wrote:
> Hello Pierre,
> 
> This message is being resent just in case you didn't receive it the last
> time. We are about to proceed with the plan outlined below and would
> appreciate your comments!
> 
> Your Debian package nufw uses the sasl_decode64 function, which is
> part of libsasl2. In etch, the Cyrus SASL packaging team included a
> patch that allows base64 input data to be terminated by CR, LF, or CRLF.
> This is against RFC 4648, which defines base64. Upstream fixed their
> code to be RFC-compliant but since some applications incorrectly assume
> the old behaviour, and since it was very late in the etch release cycle,
> we decided to err on the side of caution and not risk breakage in
> applications using Cyrus SASL.

Hi Fabian,

I reply to your mail, to confirm that I have received the mail and will
work on the problem.
I'm currently quite busy, but intend to work on the problem before the
end of the week. I'll reply to this mail as soon as I have new
information.

Regards,
Pierre

> 
> We would like to be RFC compliant and follow our upstream as close as
> possible, and we are therefore preparing to drop the patch in the near
> future. This means that some applications could stop working because
> they don't properly sanitise base64 data before passing it to
> sasl_decode64, resulting in an error. Proper sanitation means removing
> trailing CR/LF/CRLF from strings passed to sasl_decode64, if there is a
> possibility that there will be such trailing garbage in the base64 data.
> 
> If you suspect that your package doesn't properly sanitise base64 data,
> please take it up with your upstream and get the issue fixed. We will
> try to help you in any way we can, but we rely on your expertise of your
> own package and your ability to judge the gravity of this issue for your
> users.
> 
> We would appreciate a note from you, giving your input on the issue --
> if you foresee any problems, if you know your package already properly
> sanitises base64 data, if you already know when you would be able to
> apply a fix, and so on. We will try to confirm as many packages as
> possible before removing the patch, but we will also not wait
> indefinitely, as this change needs to get proper field testing and we
> are targeting the lenny release.
> 
> References: Debian bugs #431191 and #400955,
> nufw-2.2.2/src/nuauth/gcrypt.c
> nufw-2.2.2/src/nuauth/user_authsrv.c
> nufw-2.2.2/src/nuauth/sasl.c
> nufw-2.2.2/src/clients/lib/internal.c
> 
> Thanks for your cooperation,
> -- 
> Fabian Fagerholm <fabbe at paniq.net>
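A worked illustration of the sanitation step the message describes, added here as an example; it is not code from nufw, from Cyrus SASL, or from either correspondent. Since libsasl2 may not be installed, the block stands in for the RFC-compliant sasl_decode64 with its own strict RFC 4648 decoder (strict_base64_decode, a hypothetical name) that rejects any byte outside the base64 alphabet, including a trailing CR or LF, and shows the caller-side fix: strip trailing CR/LF/CRLF (strip_trailing_crlf) before decoding. In a real application the decode call would be sasl_decode64(in, inlen, out, outmax, &outlen) instead of the stand-in, with the same strip applied first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Remove any run of trailing '\r' / '\n' bytes in place and return the new
 * length. This is the "proper sanitation" the message asks callers to do
 * before handing base64 text to sasl_decode64. Interior line breaks are
 * deliberately left alone: only trailing garbage is tolerated. */
size_t strip_trailing_crlf(char *buf, size_t len)
{
    while (len > 0 && (buf[len - 1] == '\r' || buf[len - 1] == '\n'))
        len--;
    buf[len] = '\0';
    return len;
}

static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                      /* CR, LF, space, anything else */
}

/* Stand-in for an RFC 4648 (section 4) compliant decoder: alphabet only,
 * input length a multiple of 4, '=' padding only in the last two positions
 * of the final quantum. Returns the decoded byte count, or -1 on any
 * violation, which is what a trailing CR/LF now triggers. */
int strict_base64_decode(const char *in, size_t inlen,
                         unsigned char *out, size_t outmax)
{
    size_t o = 0;
    if (inlen % 4 != 0)
        return -1;
    for (size_t i = 0; i < inlen; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            int c = (unsigned char)in[i + k];
            if (c == '=') {
                if (i + 4 != inlen || k < 2)   /* padding in a bad place */
                    return -1;
                pad++;
                v[k] = 0;
            } else {
                if (pad)                       /* data after padding */
                    return -1;
                v[k] = b64_value(c);
                if (v[k] < 0)
                    return -1;
            }
        }
        uint32_t triple = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                          ((uint32_t)v[2] << 6)  |  (uint32_t)v[3];
        unsigned char bytes[3] = { (unsigned char)(triple >> 16),
                                   (unsigned char)(triple >> 8),
                                   (unsigned char)triple };
        size_t n = (size_t)(3 - pad);
        if (o + n > outmax)
            return -1;
        memcpy(out + o, bytes, n);
        o += n;
    }
    return (int)o;
}

/* The unsanitised call: decode a line exactly as received. */
int strict_decode_len(const char *line)
{
    unsigned char out[256];
    return strict_base64_decode(line, strlen(line), out, sizeof out);
}

/* The fixed call: copy, strip trailing CR/LF/CRLF, then decode. */
int decode_sasl_line(const char *line, unsigned char *out, size_t outmax)
{
    char buf[512];
    size_t len = strlen(line);
    if (len >= sizeof buf)
        return -1;
    memcpy(buf, line, len + 1);
    len = strip_trailing_crlf(buf, len);
    return strict_base64_decode(buf, len, out, outmax);
}

/* Returns 1 if the sanitised decode of `line` yields exactly `expected`. */
int decoded_matches(const char *line, const char *expected)
{
    unsigned char out[256];
    int n = decode_sasl_line(line, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) &&
           memcmp(out, expected, (size_t)n) == 0;
}

int main(void)
{
    /* Constructed sample: base64 of "user", as a client might send it
     * followed by the line terminator of the transport. */
    const char *wire = "dXNlcg==\r\n";
    printf("unsanitised: %d\n", strict_decode_len(wire));      /* -1 */
    printf("sanitised:   %d\n", decoded_matches(wire, "user")); /* 1 */
    return 0;
}
```

The strip is applied only to the end of the buffer: a line break in the middle of the data is still a protocol error and is still rejected, which is the behaviour the RFC-compliant library gives and the one applications should rely on.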
