[kgb-maintainers] DoS bug in KGB

Damyan Ivanov dmn at debian.org
Thu Sep 24 06:36:06 UTC 2009


-=| Martín Ferrari, Sun, Sep 20, 2009 at 08:33:35PM +0200 |=-
> Hi there,
> 
> today the 3 kgb bots died suddenly, and I started taking a look. The
> origin was a commit by Raphael Hertzog that had some extended chars in
> the commit log (it seems we're so boring as to never use them :)).

Damn UTF-8 we all love :)

> It was a two-fold problem: on the server side, it received utf8 wide
> chars that passed to the sha1 module for authentication, and that
> failed. I added the correct conversion code for that to work.

I guess I shall 'release' a new version of the preliminary packages so 
that the servers can be upgraded?

> In the client side, it stopped being able to authenticate, because the
> strings were handled differently. SVN gives utf-8 encoded *byte
> sequences*, so perl treats them as legacy-encoded or something like
> that :)
> I added the code that tries to automatically detect if the strings are
> legacy or utf and then convert them to proper utf8 *char* sequences
> and uses those for SOAP (so it can faithfully transmit them). Then
> decodes them for sha1 generation.

(nitpick: s/decodes/encodes/. You give sha1 a sequence of bytes, which 
represent encoded UTF-8 sequences. decode = convert from some 
representation to Perl's internal one. encode = convert from Perl chars 
to byte sequences using some encoding (latin1, whatever))

> This triggered another bug. SOAP::Lite had an ugly hack to decode utf8
> (instead of using utf8::decode) that doesn't seem to work. I left a
> modified copy of one file in the alioth tree so the post-commit hook
> uses it. I need to see if this is still present in current SOAP:Lite
> versions, but I don't have any environment to test this outside of
> alioth right now.

If this was in /home/groups/kgb/stable/lib, then it is gone. I have 
reset the checkout.

Have you reported the bug in SOAP::Lite? We want this fixed :)

> I committed all this to trunk/, and tried to commit to branches/stable.
> But I really don't understand how it is supposed to work. Dam, you
> might be able to help here.
> In the repo, branches/stable/debian/changelog says version 0.04
> released. But the tree is identical to tags/0.03... So I really don't
> get it :)

For some reason, the auto-update of the stable branch checkout in 
/home/groups/kgb/stable was in a state of merge-resolving. This is now 
fixed, here's how it is supposed to work:

You develop in trunk. You break things. This is good. Once in a while, 
you are fooled your work is really OK and can be used in production. 
At this point you merge it into branches/stable. A post-commit hook 
updates the checkout of branches/stable in /home/groups/kgb/stable.

'Official' KGB 'customers' shall use that checkout in their 
post-commit hooks. pkg-perl uses it, PET does, as well as KGB project 
itself. There is also a checkout of trunk 
(/home/groups/kgb/stable/trunk), which is used only by the KGB 
project, in parallel to the stable one, and which sends notifications in 
#kgb-test.

It is complicated with these multiple layers -- developers, commits, 
repositories, hooks, clients, servers and IRC channels. I hope it is 
a bit clearer now :)

-- 
dam
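The encode-vs-decode point discussed in this thread, as an added example in Perl; it is not KGB's own code. It assumes core Perl's Encode and Digest::SHA, a digest shape (sha1 over password followed by message) chosen for illustration only, and that commit messages arrive as either UTF-8 or latin1 byte strings.

```perl
#!/usr/bin/perl
# Added example (not KGB's code): why sha1 must be fed encoded bytes,
# and how to turn SVN's raw byte strings into Perl character strings.
use strict;
use warnings;
use Encode qw(decode encode is_utf8 FB_CROAK);
use Digest::SHA qw(sha1_hex);

# Guess whether a byte string is UTF-8 or legacy latin1 and return a
# Perl character string. Assumption: no other encodings occur.
sub bytes_to_chars {
    my ($bytes) = @_;
    return $bytes if is_utf8($bytes);        # already a char string
    my $copy  = $bytes;                      # decode may modify its source
    my $chars = eval { decode('UTF-8', $copy, FB_CROAK) };
    return defined $chars ? $chars : decode('iso-8859-1', $bytes);
}

# Wrong: hashing a character string. Chars < 256 are silently
# downgraded to latin1 bytes (digest differs from the server's UTF-8
# digest); chars > 255 make Digest::SHA croak "Wide character".
sub naive_digest {
    my ($password, $message) = @_;
    my $d = eval { sha1_hex($password . $message) };
    return $d if defined $d;
    chomp(my $err = $@);
    return "died: $err";
}

# Right: encode the characters to UTF-8 bytes, then hash the bytes.
# Both client and server must do exactly this to get the same digest.
sub auth_digest {
    my ($password, $message) = @_;
    return sha1_hex(encode('UTF-8', $password . $message));
}

# Constructed samples, as a post-commit hook would receive them from SVN.
my %samples = (
    'UTF-8 bytes, latin1-range char' => "Fix caf\xc3\xa9 handling",  # e-acute
    'UTF-8 bytes, wide char'         => "Costs 5\xe2\x82\xac now",   # euro sign
    'legacy latin1 bytes'            => "Fix caf\xe9 handling",
);
for my $label (sort keys %samples) {
    my $chars = bytes_to_chars($samples{$label});
    print "$label\n";
    print "  naive:   ", naive_digest('secret', $chars), "\n";
    print "  encoded: ", auth_digest('secret', $chars), "\n";
}
```

Note that the first and third samples decode to the same character string and therefore yield the same encoded digest, which is the behaviour the client needs for the server to accept it.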