Ticket #529 (new defect)
Encryption breaks with taint errors with Crypt::CBC 2.27 and newer
| Reported by: | rjl@… | Owned by: | rjl |
|---|---|---|---|
| Priority: | normal | Milestone: | post-1.0.3 triage |
| Component: | amavisd-maia | Version: | 1.0.2 |
| Severity: | normal | Keywords: | encryption crypt::cbc taint |
| Cc: | | | |
Description
In Crypt::CBC 2.27 a new taint check was added to verify the integrity of the supplied key. In the maia_encrypt_text() subroutine of amavisd-maia we go to great lengths to untaint the key before passing it to Crypt::CBC, but taint errors still occur and encryption fails for some reason, resulting in a fatal error.
It is not entirely clear why the taint check is producing a false positive in this case, but perhaps an alternate method of untainting the key will be required. Standalone testing with the encryption and decryption routines works properly and does not produce taint errors, but when called in the context of amavisd-maia it does.
On the plus side, this suggests that fixing the taint problem might be enough to get amavisd-maia working properly with modern versions of Crypt::CBC, since the taint-checking change appears to be the only functional difference affecting Maia.
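A way to see whether the key is really untainted in a given context, as an added diagnostic example (not code from amavisd-maia or Crypt::CBC). The key value is constructed, the helper names and the printable-ASCII pattern are assumptions, and the `use re 'taint'` case is included only because it is a documented way for regex-capture untainting to leave a value tainted, not as a confirmed cause of this ticket.

```perl
# Run as: perl -T check_key_taint.pl   (file name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Regex-capture untainting. The printable-ASCII class is an assumption about
# the key format, not the pattern amavisd-maia uses.
sub untaint_key {
    my ($key) = @_;
    no re 'taint';    # cancel any "use re 'taint'" inherited from this scope
    return $key =~ /\A([\x20-\x7e]+)\z/ ? $1 : undef;
}

# The same capture with "use re 'taint'" in effect: the capture stays tainted,
# so the "untainted" key still trips a taint check downstream.
sub capture_with_re_taint {
    my ($key) = @_;
    use re 'taint';
    return $key =~ /\A([\x20-\x7e]+)\z/ ? $1 : undef;
}

# Constructed sample key, tainted by appending an empty slice of $^X
# (which is always tainted under -T).
my $key = 'constructed-sample-key' . substr($^X, 0, 0);

my %stage = (
    'as read'                 => $key,
    'after untaint_key'       => untaint_key($key),
    'capture with re "taint"' => capture_with_re_taint($key),
);
for my $name (sort keys %stage) {
    printf "%-26s %s\n", $name, tainted($stage{$name}) ? 'TAINTED' : 'clean';
}
```

Placing the same `tainted()` check immediately before the key is passed to Crypt::CBC inside the daemon shows whether the value is still tainted there, which a standalone run without `-T` cannot reveal.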

