From: Pádraig Brady <P@draigBrady.com>
Date: Fri, 27 Oct 2023 12:24:04 +0000 (+0100)
Subject: base32,base64: disallow non-canonical encodings
X-Git-Tag: v9.5~126
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c735f65857ea17cdc0218b3fa3223769c3d8b9c;p=thirdparty%2Fcoreutils.git

base32,base64: disallow non-canonical encodings

This will make decoding more resilient to corruption
whether due to transmission errors or nefarious adjustment.
See https://eprint.iacr.org/2022/361.pdf

* gnulib: Update to commit 3f463202bd enforcing canonical encoding.
* tests/basenc/base64.pl: Add test cases, and adjust existing cases.
* NEWS: Mention the change in behavior.
---

diff --git a/NEWS b/NEWS
index 1dfeb7390a..3021211dcf 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,9 @@ GNU coreutils NEWS                                    -*- outline -*-
   base32 and base64 no longer require padding when decoding.
   Previously an error was given for non padded encoded data.
 
+  base32 and base64 have improved detection of corrupted encodings.
+  Previously encodings with non zero padding bits were accepted.
+
   basenc --base16 -d now supports lower case hexadecimal characters.
   Previously an error was given for lower case hex digits.
 
diff --git a/gnulib b/gnulib
index e0ae1a7f32..3f463202bd 160000
--- a/gnulib
+++ b/gnulib
@@ -1 +1 @@
-Subproject commit e0ae1a7f324d6b9462735273bc5a2848c712f883
+Subproject commit 3f463202bdd8684c649ee9eb5d9ba867dc6e8f08
diff --git a/tests/basenc/base64.pl b/tests/basenc/base64.pl
index 40c6c3d070..0dc8dfe376 100755
--- a/tests/basenc/base64.pl
+++ b/tests/basenc/base64.pl
@@ -124,11 +124,15 @@ sub gen_tests($)
         push @Tests, (
           ['baddecode', '--decode', {IN=>'a'}, {OUT=>""},
           {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}],
-          ['paddecode2', '--decode', {IN=>'ab'}, {OUT=>"i"}],
-          ['paddecode3', '--decode', {IN=>'Zzz'}, {OUT=>"g<"}],
+          ['paddecode2', '--decode', {IN=>'aQ'}, {OUT=>"i"}],
+          ['paddecode3', '--decode', {IN=>'Zzw'}, {OUT=>"g<"}],
           ['baddecode4', '--decode', {IN=>'Zz='}, {OUT=>"g"},
           {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}],
           ['baddecode5', '--decode', {IN=>'Z==='}, {OUT=>""},
+          {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}],
+          ['baddecode6', '--decode', {IN=>'SB=='}, {OUT=>"H"},
+          {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}],
+          ['baddecode7', '--decode', {IN=>'SGVsbG9='}, {OUT=>"Hello"},
           {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}]
         );
     }