base64-bytestring memory corruption bug

Hello,

I want to bring to wider attention a memory bug present in base64-bytestring[1]. In summary, in some cases too few bytes are allocated for the output when performing base64url decoding. This can lead to memory corruption (which I have observed[2]), and possibly crashes (which I have not observed).

I submitted a pull request[2] that fixes the issue some days ago, but did not receive a response from the maintainers yet. I understand that maintainers may be busy or unavailable, and that is fine. So I am posting here mainly to ensure that USERS are aware of the issue.

To maintainers: let me know if I can provide further assistance to resolve this issue and release a fix.

[1] https://github.com/haskell/base64-bytestring/issues/44
[2] https://github.com/frasertweedale/hs-jose/issues/102
[3] https://github.com/haskell/base64-bytestring/pull/45

Thanks,
Fraser

Hi Fraser, do you have further information about this situation?

On 25/07/2021 at 07:50, Fraser Tweedale wrote:
> Hello,
>
> I want to bring to wider attention a memory bug present in base64-bytestring[1]. In summary, in some cases too few bytes are allocated for the output when performing base64url decoding. This can lead to memory corruption (which I have observed[2]), and possibly crashes (which I have not observed).
>
> I submitted a pull request[2] that fixes the issue some days ago, but did not receive a response from the maintainers yet. I understand that maintainers may be busy or unavailable, and that is fine. So I am posting here mainly to ensure that USERS are aware of the issue.
>
> To maintainers: let me know if I can provide further assistance to resolve this issue and release a fix.
>
> [1] https://github.com/haskell/base64-bytestring/issues/44
> [2] https://github.com/frasertweedale/hs-jose/issues/102
> [3] https://github.com/haskell/base64-bytestring/pull/45
>
> Thanks,
> Fraser
> _______________________________________________
> Haskell-Cafe mailing list
> To (un)subscribe, modify options or view archives go to:
> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
> Only members subscribed via the mailman list are allowed to post.

-- Hécate ✨ 🐦: @TechnoEmpress IRC: Hecate WWW: https://glitchbra.in RUN: BSD

A new proposed fix is being discussed in https://github.com/haskell/base64-bytestring/pull/46.

Expect a fix merged and new release sometime in the next few days.

Big thanks to all involved in pinpointing and resolving this issue.

Cheers,
Fraser

On Mon, Aug 02, 2021 at 11:52:52PM +0200, Hécate wrote:
> Hi Fraser, do you have further information about this situation?

Wonderful, happy to know it's been resolved!

On 03/08/2021 at 05:40, Fraser Tweedale wrote:
> A new proposed fix is being discussed in https://github.com/haskell/base64-bytestring/pull/46.
>
> Expect a fix merged and new release sometime in the next few days.
>
> Big thanks to all involved in pinpointing and resolving this issue.
>
> Cheers,
> Fraser

-- Hécate ✨ 🐦: @TechnoEmpress IRC: Hecate WWW: https://glitchbra.in RUN: BSD

Happy to announce https://hackage.haskell.org/package/base64-bytestring-1.2.1.0, with the fix. Thanks again for raising this.

For future versions, I'd like to put out an open invitation to the community to help harden the existing baseN libraries. Feel free to get in touch with me on their respective issue trackers.

Cheers,
Emily

On Tue, Aug 03, 2021 at 2:44 PM, Hécate <hecate@glitchbra.in> wrote:
> Wonderful, happy to know it's been resolved!

participants (3)
- Emily Pillmore
- Fraser Tweedale
- Hécate