Hello,

* Andrey Melnikov [2006-03-06]:
[...]
> Attached patch fixes this problem.

Thanks for the patch. There is however one problem: the original code strips trailing bytes after a colon in the key material, for example from:

    sha1:K4rkWRjRcXmIzvK51ArAP:Jy

only "K4rkWRjRcXmIzvK51ArAP" is used as key material. From the IETF draft[1] you can see that such trailing bytes were called "Clue-string" in a previous version. They are no longer part of the standard but I guess there's no harm in still supporting them.

So your patch needs to be updated to support it (as it is, it causes one test to fail). I'll do that and upload.

I didn't reproduce the bug myself: do you think it can be exploited for code execution in the news client?

Laurent.

[1] http://tools.ietf.org/wg/usefor/draft-ietf-usefor-cancel-lock/
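The clue-string handling described in the message above, as an added example (not code from the patch or from the package under discussion): a C helper, hypothetically named parse_lock, splits "scheme:key[:clue]", keeps only the key material, and rejects input that does not fit the caller's buffers. The buffer sizes and the reject-rather-than-truncate policy are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (an assumption, not the library's API): split
 * "scheme:key[:clue]" into scheme and key, discarding any clue-string.
 * Returns 0 on success, -1 on malformed input or if a field does not fit. */
int parse_lock(const char *in, char *scheme, size_t scheme_sz,
               char *key, size_t key_sz)
{
    const char *sep, *key_start, *key_end;
    size_t scheme_len, key_len;

    if (in == NULL || scheme == NULL || key == NULL)
        return -1;

    sep = strchr(in, ':');
    if (sep == NULL)
        return -1;                        /* no scheme delimiter */
    scheme_len = (size_t)(sep - in);

    key_start = sep + 1;
    key_end = strchr(key_start, ':');     /* start of optional clue-string */
    if (key_end == NULL)
        key_end = key_start + strlen(key_start);
    key_len = (size_t)(key_end - key_start);

    if (scheme_len == 0 || key_len == 0)
        return -1;                        /* empty field */
    if (scheme_len >= scheme_sz || key_len >= key_sz)
        return -1;                        /* reject rather than truncate */

    memcpy(scheme, in, scheme_len);
    scheme[scheme_len] = '\0';
    memcpy(key, key_start, key_len);
    key[key_len] = '\0';
    return 0;
}

int main(void)
{
    char scheme[8], key[32];              /* sizes chosen for the demo */
    /* Sample value taken from the message above. */
    if (parse_lock("sha1:K4rkWRjRcXmIzvK51ArAP:Jy", scheme, sizeof scheme,
                   key, sizeof key) == 0)
        printf("scheme=%s key=%s\n", scheme, key);
    return 0;
}
```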