From 9ef5c047b5834d13e225d6d1a6a1c917b747a89f Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Tue, 4 Nov 2025 11:34:30 +0200
Subject: [PATCH] [PATCH 01/24] auth: Don't disconnect auth client when invalid base64 SASL input is received

The base64 input comes from untrusted client. It shouldn't cause the auth client to disconnect, which causes other concurrent logins to be aborted.

Broken by 1486c30e191ff079bfa78e7950173bb33d8073d9

Gbp-Pq: Name CVE-2025-59028.patch
---
 src/auth/auth-request-handler.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
index 35acb24..c0169c8 100644
--- a/src/auth/auth-request-handler.c
+++ b/src/auth/auth-request-handler.c
@@ -715,6 +715,9 @@ int auth_request_handler_auth_begin(struct auth_request_handler *handler,
 auth_request_handler_auth_fail_code(handler, request,
 AUTH_CLIENT_FAIL_CODE_INVALID_BASE64,
 "Invalid base64 data in initial response");
+ /* The base64 input came from untrusted client. It's an expected auth failure, so don't disconnect the auth client. */
 return 1;
 }
 initial_resp_data =
@@ -787,7 +790,10 @@ int auth_request_handler_auth_continue(struct auth_request_handler *handler,
 auth_request_handler_auth_fail_code(handler, request,
 AUTH_CLIENT_FAIL_CODE_INVALID_BASE64,
 "Invalid base64 data in continued response");
- return -1;
+ /* The base64 input came from untrusted client. It's an expected auth failure, so don't disconnect the auth client. */
+ return 1;
 }
 }
-- 
2.30.2
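Review bot: The comment added before `return 1;` in auth_request_handler_auth_begin explains why the value is used but not what the two return values mean, and the commit message itself shows that this contract was silently regressed by 1486c30e191ff079bfa78e7950173bb33d8073d9. Naming the contract in the comment makes the next such change visible in review: `/* The base64 input came from untrusted client. It's an expected auth failure: return 1 (request failed, auth client stays connected), never -1, which per the commit message disconnects the auth client and aborts its other pending logins. */`. The same wording fits the matching comment in the auth_request_handler_auth_continue hunk. auth_request_handler_auth_begin's body starts and ends outside the hunk.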
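Review bot: The change of `return -1;` to `return 1;` in auth_request_handler_auth_continue restores the begin-path behaviour, but nothing in the patch pins it down; a regression test that feeds invalid base64 in a continued response and asserts that the auth client connection survives while the request fails with AUTH_CLIENT_FAIL_CODE_INVALID_BASE64 would have caught the original regression and guards this one. Since the decode failure is now treated as an ordinary auth failure rather than a protocol error, it is worth confirming that auth_request_handler_auth_fail_code still records it (a log line or the fail code the login process receives) so repeated malformed input from one client remains observable; that function is not visible here. auth_request_handler_auth_continue's body starts and ends outside the hunk, and one context line appears to have been lost in this copy of the hunk (the header counts seven old lines, six are shown).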