[kgb-maintainers] DoS bug in KGB

Martín Ferrari martin.ferrari at gmail.com
Thu Sep 24 08:08:44 UTC 2009


Dam,

On Thu, Sep 24, 2009 at 08:36, Damyan Ivanov <dmn at debian.org> wrote:

>> It was a two-fold problem: on the server side, it received utf8 wide
>> chars that were passed to the sha1 module for authentication, and that
>> failed. I added the correct conversion code for that to work.
>
> I guess I shall 'release' a new version of the preliminary packages so
> that the servers can be upgraded?

I think it is a good idea. My server is hand-patched now.

> (nitpick: s/decodes/encodes/. You give sha1 a sequence of bytes, which
> represent encoded UTF-8 sequences. decode = convert from some
> representation to Perl's internal one. encode = convert from Perl chars
> to byte sequences using some encoding (latin1, whatever))

You're right, I always get confused by this :)


> If this was in /home/groups/kgb/stable/lib, then it is gone. I have
> reset the checkout.

ok, I'll put it again.

> Have you reported the bug in SOAP::Lite? We want this fixed :)

No, I was trying to see if this was present in current versions, but
then I got drowned in work :(

> For some reason, the auto-update of the stable branch checkout in
> /home/groups/kgb/stable was in a state of merge-resolving. This is now
> fixed, here's how it is supposed to work:
>
> You develop in trunk. You break things. This is good. Once in a while,
> you are fooled your work is really OK and can be used in production.
> At this point you merge it into branches/stable. A post-commit hook
> updates the checkout of branches/stable in /home/groups/kgb/stable.
>
> 'Official' KGB 'customers' shall use that checkout in their
> post-commit hooks. pkg-perl uses it, PET does, as well as KGB project
> itself. There is also a checkout of trunk
> (/home/groups/kgb/stable/trunk), which is used only by the KGB
> project, in parallel to the stable one and which sends notifications in
> #kgb-test.
>
> It is complicated with these multiple layers -- developers, commits,
> repositories, hooks, clients, servers and IRC channels. I hope it is
> a bit clearer now :)

Thanks for the explanation! :)

-- 
Martín Ferrari
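The encode-vs-decode point discussed above, shown in a small Perl script. This is an added illustration, not code from the KGB project or from either author: the `auth_digest` routine, the message-plus-password hashing scheme, the password and the commit message are all constructed here, and the script relies on Digest::SHA (core Perl) taking byte strings only, so a character string containing code points above U+00FF makes it die with "Wide character in subroutine entry", while one containing only Latin-1 range characters is silently hashed as Latin-1 bytes rather than as the UTF-8 bytes the client put on the wire.

```perl
#!/usr/bin/perl
# Added illustration (not KGB project code): why handing a Perl character
# string to SHA-1 breaks authentication, and why encoding to UTF-8 bytes
# first fixes it.
use strict;
use warnings;
use utf8;                          # string literals below are character strings
use Encode qw(encode_utf8);
use Digest::SHA qw(sha1_hex);      # core module, byte-string input only

# Hypothetical authentication digest (assumed scheme, not KGB's): client and
# server both hash the UTF-8 bytes of the message followed by a shared
# password. The server must encode before hashing to get the same bytes.
sub auth_digest {
    my ($password, $text) = @_;
    # encode = Perl characters -> UTF-8 byte sequence (the direction sha1 needs)
    return sha1_hex(encode_utf8($text) . encode_utf8($password));
}

# Constructed sample input: a commit message with non-ASCII characters.
my $password = 'constructed-secret';
my $message  = "Martín: fix señal handling — see #kgb-test";   # '—' is U+2014

# 1. Server behaviour before the fix: hash the decoded character string.
#    U+2014 cannot be represented as a single byte, so Digest::SHA refuses
#    the string and croaks ("Wide character in subroutine entry").
my $naive = eval { sha1_hex($message . $password) };
print "naive hashing: ", (defined $naive ? "$naive\n" : "died: $@");

# 2. With only Latin-1 range characters the call does not die, but the
#    digest covers the Latin-1 bytes ('í' as 0xED), not the UTF-8 bytes the
#    client hashed ('í' as 0xC3 0xAD), so authentication still fails.
my $latin_only = "Martín: fix señal handling";
my $wrong = sha1_hex($latin_only . $password);
my $right = auth_digest($password, $latin_only);
print "latin-1 input, naive:   $wrong\n";
print "latin-1 input, encoded: $right\n";
print "digests ", ($wrong eq $right ? "match" : "differ"), "\n";

# 3. After the fix the server reproduces what the client computed over the
#    bytes it actually sent.
my $client_side = sha1_hex(encode_utf8($message . $password));
print "server == client: ",
      (auth_digest($password, $message) eq $client_side ? "yes" : "no"), "\n";
```

The practical check on the server side is the second case: a Latin-1-only message does not raise an error, so a test suite that only uses ASCII or Western European characters will pass while the digests silently disagree with any client that hashed UTF-8 bytes. Encoding explicitly at the boundary (where SOAP::Lite hands over decoded strings) removes both failure modes.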
