I have reviewed the patch and added a regression test now, thanks Bas and Ilkka for information. Florian, did you get a CVE number yet? If I get the number, I'll mention it in the NEWS file for the upcoming v2.4.1 bugfix release.
Current fix is in git: http://git.savannah.gnu.org/cgit/oath-toolkit.git/commit/?h=oath-toolkit-2-4-x&id=a31a1eef2dac134d397f3351206206c4b2bb5bfa /Simon You wrote: > On 12/02/14 02:16, Simon Josefsson wrote: > > I think it looked fine but I haven't fully analyzed it -- any chance > > someone could come up with a brief description of how to reproduce > > the problem exactly? Then I could add that recipe as a self-test > > in the package, apply the fix, and if that silences the self-test, > > I'm happy. > I think my first email (9 Dec 11:31 GMT) contains a fairly detailed > description of how to reproduce this behaviour. Please let me know if > you need additional info. > > Thanks, > > Bas
