On 02/12/2024 21:11, Jeffrey Walton wrote:
It turns out that Base64 is malleable. All tools do not produce the
same results. Also see <https://eprint.iacr.org/2022/361>.
Whether Base64 malleability leads to a vulnerability is another question.
This might be an issue for non canonicity, particularly with signed checksum
files,
but it shouldn't introduce a vulnerability.
In any case the malleability should be somewhat addressed in the GNU versions
at least with:
https://github.com/coreutils/gnulib/commit/3f463202bd
cheers,
Pádraig
