Your message dated Tue, 02 Jun 2009 16:02:05 +0000
with message-id <[email protected]>
and subject line Bug#487284: fixed in onak 0.3.7-1
has caused the Debian Bug report #487284,
regarding onak does not escape colon characters in key search results
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
487284: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487284
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package:        onak   
Version:        0.3.2-1.1 

[output of reportbug at the end]

Some adventurous programmers I know are working on a system that uses
PGP certificate user ids in unusual ways.  Some of the userids are
essentially URIs in this system. The system needed to talk to a local
keyserver, so we set one up using onak and mathopd, which was easy and
worked very well, but this led to us finding a minor little bug in onak.

When a remote client requests a lookup of a key to which are attached
user ids containing the ':' (colon) character, onak does not escape the
colon in its response, which results in the user seeing an incorrect
user id.  

This would also affect normal user id comments and other strings in user
ids that might contain colons, even for user ids that are not URI-like.

DETAILS:

For example, if onak's data contains a key with the userid

 ssh://example.org

attached, and a user issues the command:

 # gpg --keyserver my.onak.example.org --search-keys example
 
The response comes back:
 
 gpg: searching for "example" from hkp server my.onak.example.org
 (1)     ssh
           2048 bit RSA key ADF1B2A9757DEC5F003051A265EDC684428B63AA, created: 2008-06-20

where it should be: 

 gpg: searching for "example" from hkp server my.onak.example.org
 (1)     ssh://example.org
           2048 bit RSA key ADF1B2A9757DEC5F003051A265EDC684428B63AA, created: 2008-06-20

Everything after the colon was truncated in the response, which could be
a problem when distinguishing a key from another by looking at its user
id. 

One can see the unescaped colon here in onak's response to a wget query: 

 # wget -q -O- 'http://my.onak.example.org:11371/pks/lookup?op=index&options=mr&search=example'
 info:1:1
 pub:ADF1B2A9757DEC5F003051A265EDC684428B63AA:1:2048:1213945978::
 uid:ssh://example.org

Whereas from other keyservers the response would have been something
like

 info:1:1
 pub:ADF1B2A9757DEC5F003051A265EDC684428B63AA:1:2048:1213945978::
 uid:ssh%3A//example.org

The above was confirmed by checking public keyservers known to be
running other keyserver software.

Presumably this affects other characters besides colon, but I have not
checked, and it might not be relevant, as colons seem to be used as
delimiters by the recipient (gpg in this case).

Thanks for listening, keep up the good work.

--mjgoins

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-powerpc
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages onak depends on:
ii  adduser                3.102             Add and remove users and groups
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libdb4.2               4.2.52+dfsg-2     Berkeley v4.2 Database Libraries [

Versions of packages onak recommends:
ii  mathopd [httpd]               1.5p5-1    Very small, yet very fast





--- End Message ---
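
Added example, not part of the bug report and not onak's own code: the escaping the report asks for, together with the colon-delimited read a client performs on a "uid:" line, so the truncation and the round trip can both be checked. The function names hkp_escape_uid and hkp_client_uid are hypothetical, and escaping bytes outside printable ASCII is an assumption of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Server side: percent-escape a uid for a "uid:" line. ':' and '%' must be
 * escaped; escaping non-printable bytes as well is this example's choice. */
int hkp_escape_uid(const char *uid, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)uid; *p; p++) {
        int esc = (*p == ':' || *p == '%' || *p < 0x20 || *p > 0x7e);
        if (o + (esc ? 3u : 1u) + 1 > outlen) return -1;  /* byte(s) + NUL */
        if (esc)
            o += (size_t)snprintf(out + o, 4, "%%%02X", (unsigned)*p);
        else
            out[o++] = (char)*p;
    }
    if (o >= outlen) return -1;          /* empty uid into a zero-size buffer */
    out[o] = '\0';
    return (int)o;
}

/* Client side: take the field after "uid:" up to the next ':' and decode it. */
int hkp_client_uid(const char *line, char *out, size_t outlen)
{
    const char *f = strchr(line, ':');
    if (f == NULL || outlen == 0) return -1;
    size_t n = strcspn(++f, ":\r\n"), o = 0;
    for (size_t i = 0; i < n && o + 1 < outlen; i++) {
        char hex[3] = { 0 };
        if (f[i] == '%' && i + 2 < n)
            memcpy(hex, f + i + 1, 2);
        int ok = strspn(hex, "0123456789ABCDEFabcdef") == 2;
        out[o++] = ok ? (char)strtoul(hex, NULL, 16) : f[i];
        i += ok ? 2 : 0;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char esc[64], seen[64];
    hkp_escape_uid("ssh://example.org", esc, sizeof esc);
    hkp_client_uid("uid:ssh://example.org", seen, sizeof seen);
    printf("raw line shows \"%s\"; escaped line is \"uid:%s\"\n", seen, esc);
    return 0;
}
```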
--- Begin Message ---
Source: onak
Source-Version: 0.3.7-1

We believe that the bug you reported is fixed in the latest version of
onak, which is due to be installed in the Debian FTP archive:

onak_0.3.7-1.diff.gz
  to pool/main/o/onak/onak_0.3.7-1.diff.gz
onak_0.3.7-1.dsc
  to pool/main/o/onak/onak_0.3.7-1.dsc
onak_0.3.7-1_amd64.deb
  to pool/main/o/onak/onak_0.3.7-1_amd64.deb
onak_0.3.7.orig.tar.gz
  to pool/main/o/onak/onak_0.3.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan McDowell <[email protected]> (supplier of updated onak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Tue, 02 Jun 2009 15:51:09 +0100
Source: onak
Binary: onak
Architecture: source amd64
Version: 0.3.7-1
Distribution: unstable
Urgency: low
Maintainer: Jonathan McDowell <[email protected]>
Changed-By: Jonathan McDowell <[email protected]>
Description: 
 onak       - OpenPGP Key Server
Closes: 487284 520117
Changes: 
 onak (0.3.7-1) unstable; urgency=low
 .
   * New upstream release
     * Fix escaping of : in HKP output. (Closes: #487284)
     * Build with libdb4.7 (Closes: #520117)



--- End Message ---
