[PATCH] login-common: Only accept base64 in sasl
authorAki Tuomi <aki.tuomi@open-xchange.com>
Wed, 8 Apr 2026 08:33:11 +0000 (11:33 +0300)
committerNoah Meyerhans <noahm@debian.org>
Mon, 18 May 2026 20:03:51 +0000 (16:03 -0400)
Gbp-Pq: Name CVE-2026-33603.patch

src/login-common/client-common-auth.c

index 2ad85aba7191c99751ac539462888e11862abe28..1858edf92be1fe876519d521a63794f08058283a 100644 (file)
@@ -3,6 +3,7 @@
 #include "hostpid.h"
 #include "login-common.h"
 #include "array.h"
+#include "base64.h"
 #include "iostream.h"
 #include "istream.h"
 #include "ostream.h"
@@ -865,6 +866,14 @@ void client_auth_respond(struct client *client, const char *response)
                return;
        }
 
+       /* Only accept base64 */
+       for (size_t i = 0; response[i] != '\0'; i++) {
+               if (!base64_is_valid_char(response[i]) && response[i] != '=') {
+                       client_auth_fail(client, "Invalid base64 in response");
+                       return;
+               }
+       }
+
        client->auth_client_continue_pending = FALSE;
        client_set_auth_waiting(client);
        sasl_server_auth_continue(client, response);
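Review bot: The added loop accepts '=' at any position, so it enforces only the base64 alphabet and not well-formedness (padding placement, or the length being a multiple of 4); whether sasl_server_auth_continue() or the auth client rejects such malformed input is not visible in this hunk and is worth confirming. The comment `/* Only accept base64 */` would be more useful if it stated the reason the check exists, e.g. `/* Reject anything outside the base64 alphabet before it is forwarded to the auth client (CVE-2026-33603) */`. client_auth_respond() starts before the hunk, and the `return;` at its top belongs to a guard that is cut off, so whether response can be NULL when the loop runs cannot be seen here.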