Opened 10 years ago

Last modified 9 years ago

#529 new defect

Encryption breaks with taint errors with Crypt::CBC 2.27 and newer

Reported by: rjl@… Owned by: rjl
Priority: normal Milestone: post-1.0.3 triage
Component: amavisd-maia Version: 1.0.2
Severity: normal Keywords: encryption crypt::cbc taint
Cc:

Description

In Crypt::CBC 2.27 a new taint check was added to verify the integrity of the supplied key. In the maia_encrypt_text() subroutine of amavisd-maia we go to great lengths to untaint the key before passing it to Crypt::CBC, but taint errors still occur and encryption fails for some reason, resulting in a fatal error.

It is not entirely clear why the taint check is producing a false positive in this case, but perhaps an alternate method of untainting the key will be required. Standalone testing with the encryption and decryption routines works properly and does not produce taint errors, but when called in the context of amavisd-maia it does.

On the plus side, this suggests that fixing the taint problem might be enough to get amavisd-maia working properly with modern versions of Crypt::CBC, since the taint-checking change appears to be the only functional difference affecting Maia.

Change History (1)

comment:1 Changed 9 years ago by mortonda@…

  • Milestone changed from 1.0.3 to post-1.0.3 triage

I'm inclined to not worry about this - we are really not keen on how the encryption works anyway, and possibly should just rip it out completely.

Note: See TracTickets for help on using tickets.