[SECURITY] [DLA 1283-1] python-crypto security update

2018-02-14 Thread Brian May
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: python-crypto
Version: 2.6-4+deb7u8
CVE ID : CVE-2018-6594
Debian Bug : 88


python-crypto generated weak ElGamal key parameters, which allowed attackers to
obtain sensitive information by reading ciphertext data (i.e., it did not have
semantic security in the face of a ciphertext-only attack).

For Debian 7 "Wheezy", these problems have been fixed in version
2.6-4+deb7u8.

We recommend that you upgrade your python-crypto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE1jZRJqkttWDGJ6ztF4RXf4EfbqwFAlqFOA4ACgkQF4RXf4Ef
bqymzg/+KGjsW0pGUiYyS1EfUDuLhi2vo+qu3REDOrmuP5nTlgmAgUFn3J5EL6ac
klJ7T3NtzM+JJvKeAiSK2HNFDfyIiMU6WCblK7TTYobEWW5OECtYujUbQzAZgYkL
nTvecYjlBj1/K+W6WwAxkkEPuQLh2uCIwqt2efNLJ9CH8zW7vBTKiv+zd3g3lJRI
wZEDh9D7xgYEOic+ADnvNaoXAJSgakaMm7j86JqUqZ201agpjbktGDblo6+nkp4G
B4Cfca8LlHnkS0zsnfr9Ea8gXxvdOoAmJb3GSlcxKSAHBswVeUuP1smR5+SkETpQ
dQ5NR3wuNMe3mhdDIumuAUYMs6g45eRgSMCR79pj4DA7/UycwJIb4FO8f8ZYu1kc
UrwouyDOMisOdpEeTzdBxPfFOG2qbBz8r51ZMeeO0ttF0Zgacp4P1jVuQAmSQ74L
k/CV1BuyyQaNor0h6lI9GahygGwo16pmZiW37Lfl7y2B2PV/IQkrBrjEVTsR3YqE
3hVK/ggP4iO/JQ6OK0kBH3lIQffqETZhoutI+2IIYW6KWHaT++LrfwABpTmg1NuZ
qS2EHHRakiIcdxwFMuz/AczI+1G7WtledW2o2gMhjGNgfEmnza+Cr/F9mRI4j/mx
cz0E2KxjRNXqYoy0rYJKVEqz34hvz28yYRZLMu1zht2UzTsWWqA=
=pHfV
-----END PGP SIGNATURE-----
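The advisory above says only that the ElGamal parameters were "weak" and that semantic security was lost to a ciphertext-only attacker. The following is an added example written for this page (not Debian's or PyCrypto's code) that shows the textbook mechanism behind that sentence: when the generator g spans all of Z_p^* (order 2q), the Legendre symbol of the plaintext can be read off the public key and the ciphertext. It goes one step beyond the advisory and also shows that moving g into the order-q subgroup is not sufficient on its own: the plaintext must be encoded into that subgroup too. Assumptions are labelled in the code: the toy safe prime is constructed for speed, and `weak_generator()` models the pre-fix selection as this editor reads the upstream fix, which the advisory does not spell out.

```python
"""Added example, not Debian's or PyCrypto's code: why an ElGamal generator of
the whole group Z_p^* (order 2q) loses semantic security to a ciphertext-only
attacker, and what restricting to the order-q subgroup (plus message encoding)
buys. Toy parameters: the safe prime below is constructed for speed only."""
import secrets

P = 2039            # constructed toy safe prime: P = 2*1019 + 1, both prime, P % 4 == 3
Q = (P - 1) // 2


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) by Euler's criterion: 1 for a quadratic residue, -1 otherwise."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def weak_generator(p: int) -> int:
    """Generator of ALL of Z_p^* (order 2q): rejects order 2 and order q, keeps the rest.
    This models the pre-fix selection (assumption of this example, see lead-in)."""
    q = (p - 1) // 2
    while True:
        g = 2 + secrets.randbelow(p - 3)                 # g in [2, p-2]
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g


def fixed_generator(p: int) -> int:
    """Generator of the order-q subgroup: a square h^2 mod p is always a quadratic residue.
    (The extra checks against signature forgery, e.g. g dividing p-1, are omitted here.)"""
    while True:
        g = pow(2 + secrets.randbelow(p - 3), 2, p)
        if g not in (1, 2):
            return g


def keygen(p, g):
    x = 1 + secrets.randbelow(p - 2)                     # private exponent in [1, p-2]
    return x, pow(g, x, p)


def encrypt(p, g, y, m):
    k = 1 + secrets.randbelow(p - 2)
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(p, x, c1, c2):
    return (c2 * pow(pow(c1, x, p), p - 2, p)) % p       # inverse via Fermat, p prime


def leak_legendre(p, y, c1, c2):
    """Ciphertext-only attacker. If g generates Z_p^* then (g/p) = -1, so (y/p) = (-1)^x
    and (c1/p) = (-1)^k; hence (y^k/p) = (-1)^(x*k) is public and (m/p) = (c2/p)*(y^k/p)."""
    shared = -1 if (legendre(y, p) == -1 and legendre(c1, p) == -1) else 1
    return legendre(c2, p) * shared


def encode_residue(p, m):
    """Map m in [1, (p-1)/2] into the residue subgroup. Exactly one of m and p-m is a
    residue because p % 4 == 3 makes -1 a non-residue."""
    return m if legendre(m, p) == 1 else p - m


def decode_residue(p, v):
    return v if v <= (p - 1) // 2 else p - v


def distinguisher_accuracy(p, g, encode=False, trials=200):
    """Share of trials in which leak_legendre() correctly tells a residue plaintext
    from a non-residue one. 1.0 = full leak, 0.5 = attacker reduced to guessing."""
    x, y = keygen(p, g)
    m_qr = 4                                             # 2^2, always a residue
    m_nqr = next(m for m in range(2, (p - 1) // 2) if legendre(m, p) == -1)
    hits = 0
    for i in range(trials):
        m = m_qr if i % 2 == 0 else m_nqr
        c1, c2 = encrypt(p, g, y, encode_residue(p, m) if encode else m)
        hits += (leak_legendre(p, y, c1, c2) == 1) == (m == m_qr)
    return hits / trials


if __name__ == "__main__":
    print("weak g, raw m      :", distinguisher_accuracy(P, weak_generator(P)))
    print("subgroup g, raw m  :", distinguisher_accuracy(P, fixed_generator(P)))
    print("subgroup g, encoded:", distinguisher_accuracy(P, fixed_generator(P), encode=True))
```

The three printed lines are 1.0, 1.0 and 0.5: with the weak generator the attacker recovers (m/p) every time; with a subgroup generator but a raw message, c2 = m * y^k where y^k is a residue, so (c2/p) = (m/p) still leaks; only once messages are encoded into the subgroup does every ciphertext look the same to this distinguisher. Fixing key generation, as the package update does, is therefore necessary but callers also have to keep their plaintexts inside the subgroup.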



Accepted python-crypto 2.6-4+deb7u8 (source i386 all) into oldoldstable

2018-02-14 Thread Brian May
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 09 Feb 2018 16:41:36 +1100
Source: python-crypto
Binary: python-crypto python-crypto-dbg python3-crypto python3-crypto-dbg python-crypto-doc
Architecture: source i386 all
Version: 2.6-4+deb7u8
Distribution: wheezy-security
Urgency: high
Maintainer: Sebastian Ramacher 
Changed-By: Brian May 
Description:
 python-crypto - cryptographic algorithms and protocols for Python
 python-crypto-dbg - cryptographic algorithms and protocols for Python (debug extension)
 python-crypto-doc - cryptographic algorithms and protocols for Python (documentation)
 python3-crypto - cryptographic algorithms and protocols for Python 3
 python3-crypto-dbg - cryptographic algorithms and protocols for Python 3 (debug extension)
Changes:
 python-crypto (2.6-4+deb7u8) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2018-6594: fix generating weak ElGamal key parameters, which allowed
 attackers to obtain sensitive information by reading ciphertext data.
Checksums-Sha1:
 6defd19a0df3b8e3a7cd71c8f991366d03191f81 2399 python-crypto_2.6-4+deb7u8.dsc
 c17e41a80b3fbf2ee4e8f2d8bb9e28c5d08bbb84 443445 python-crypto_2.6.orig.tar.gz
 cde038ef309510856be061695450bc7e5fb31d35 18050 python-crypto_2.6-4+deb7u8.debian.tar.gz
 3ff3f3c47fdee76491705046e76957ba221508ca 521662 python-crypto_2.6-4+deb7u8_i386.deb
 aeaf743d300a28ea71434c736d6f62a8662db847 1357218 python-crypto-dbg_2.6-4+deb7u8_i386.deb
 2ee9fc40880ffe55939396a9022513cec93bf193 392246 python3-crypto_2.6-4+deb7u8_i386.deb
 08e513fa99192f010d1c30f63fe788ce6265fc01 691888 python3-crypto-dbg_2.6-4+deb7u8_i386.deb
 2f37833581eeed1b15db8edafda86839372d99df 158078 python-crypto-doc_2.6-4+deb7u8_all.deb
Checksums-Sha256:
 2c1d4bf90d3d51e47327343af0dfb0117b12aeacd8f3663f499a8c3edd4af055 2399 python-crypto_2.6-4+deb7u8.dsc
 7293c9d7e8af2e44a82f86eb9c3b058880f4bcc884bf3ad6c8a34b64986edde8 443445 python-crypto_2.6.orig.tar.gz
 ab121d9a7a2ef94eaa870b059f70b689687c3eb399eb418f24c5523ebcc9bfc0 18050 python-crypto_2.6-4+deb7u8.debian.tar.gz
 24409358c2e45a54ab561adc89bda3918865b1756e6aae8ffcd8a38d7c86e370 521662 python-crypto_2.6-4+deb7u8_i386.deb
 66c044db2c72045cee01214614e48f8fc874b4e5c2ace8b8b53e34b829dfef86 1357218 python-crypto-dbg_2.6-4+deb7u8_i386.deb
 c48c5c0d8728f5ffd220b6168543d842b47fcc1c0f46770e5982b97058b0ad1e 392246 python3-crypto_2.6-4+deb7u8_i386.deb
 3c4b76d699bd29aa856838f6ef28999bca0997c32ef327e4647c69033271db51 691888 python3-crypto-dbg_2.6-4+deb7u8_i386.deb
 dfc5b5c168d0b5ecefd9f7b858f9d12f124833e836fc7d133720b4024298ade1 158078 python-crypto-doc_2.6-4+deb7u8_all.deb
Files:
 2064ca904f58f98e5f3e192c0c592842 2399 python optional python-crypto_2.6-4+deb7u8.dsc
 88dad0a270d1fe83a39e0467a66a22bb 443445 python optional python-crypto_2.6.orig.tar.gz
 892f5e5d13798bdeaee6cb910d907fc5 18050 python optional python-crypto_2.6-4+deb7u8.debian.tar.gz
 9a30ec51bd53bd9e89e3ab469181a013 521662 python optional python-crypto_2.6-4+deb7u8_i386.deb
 a20c47acb3fe62444aea52cf06f237f4 1357218 debug extra python-crypto-dbg_2.6-4+deb7u8_i386.deb
 690f32ecddaab9b59e03e600949c9d59 392246 python optional python3-crypto_2.6-4+deb7u8_i386.deb
 da62a49f633f469b4e2425097c2ab755 691888 debug extra python3-crypto-dbg_2.6-4+deb7u8_i386.deb
 1ce14ce95881a4cf65668e5e86c13fda 158078 doc optional python-crypto-doc_2.6-4+deb7u8_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE1jZRJqkttWDGJ6ztF4RXf4EfbqwFAlqFNGAACgkQF4RXf4Ef
bqyMHA/+MhMZ+sSE5KxPCQ9nKm/XEoFG8maMJ5LTzVc/R/pPtESEvHu0O1e22UCy
0tQP+dBOW03Z+7ZwzRSriWy9l0pb5pu9LU2Mn+2ibvNpIBEvVknlOdPkoX5dj0F9
OIBcjln92SUBweHwpdrknoi7o3v38Cc7frE4LrPL5ZVTzH1gpjzc7emXXwTlefMw
pMNeB6EXn1kXOkN277ReYOHoiZUhscdlq5CxY8NYXsylzIlrEXjKhYa4O+f1EnoZ
YejgoRkQtK2V+Zp/RYYoVR2bIJxVTUPGXAlq02KQbNQolNdDTHKVII2rgrKq0n+h
Cs+NcmtdOOPPrq129R+OToy/f9cgYTuNZHBFmB+vraj89WEIufw2cqex47eyRtZd
lxqY0UuQFEDuQzTsD2hEyy+IaauPK82MmtbqUr1J9sIapRrPZ+IDWrSbNH9vc2Qh
ocL27V4Sg2a/bkhjrW1V5qpbsVLEoxPyTewNgVXkJFKF304W86GN0qoraInlqLTe
V7iFW74363XhezbGRrADX35P33LCLE7t6EHrO+r5Lrv+GofCFyQ2EjfwC1J8Cpi6
PX2wcoqGCXfx8fBREn757i2UJgsHI1mL1glVZKIdqJEGYiZqMDB8jfTWYlbVVIV9
WVup16O6QYC0bvZnW3pHX6c0VeqkZaonbQFEQJM32zSnUsucaQo=
=lDk/
-----END PGP SIGNATURE-----



Accepted leptonlib 1.69-3.1+deb7u1 (source amd64) into oldoldstable

2018-02-14 Thread Abhijith PA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Feb 2018 23:36:39 +0530
Source: leptonlib
Binary: libleptonica-dev liblept3 leptonica-progs
Architecture: source amd64
Version: 1.69-3.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Jeff Breidenbach 
Changed-By: Abhijith PA 
Description: 
 leptonica-progs - sample programs for Leptonica image processing library
 liblept3   - image processing library
 libleptonica-dev - image processing library
Closes: 889759
Changes: 
 leptonlib (1.69-3.1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2018-3836: gplotMakeOutput Command Injection Vulnerability
 (closes: #889759)
Checksums-Sha1: 
 f613b10c9fc4cf44df14ad9e5e227f5850813690 1886 leptonlib_1.69-3.1+deb7u1.dsc
 71526247b299bcc4abf691bc6766504abeec 7273945 leptonlib_1.69.orig.tar.gz
 e9561ca5d53ca4104f48cc86b25a8d7353d69d62 7282 leptonlib_1.69-3.1+deb7u1.debian.tar.gz
 3d32d6d49617a6b57454c5af4c8fa5628716c90e 1277690 libleptonica-dev_1.69-3.1+deb7u1_amd64.deb
 19cd01035fe49909a34f6ce33fcd0589b7721ff3 772016 liblept3_1.69-3.1+deb7u1_amd64.deb
 80aaa9092d109bd3e7379ae7ce93ccdd6fa0d62d 215226 leptonica-progs_1.69-3.1+deb7u1_amd64.deb
Checksums-Sha256:
 5f2e5254bc8ef014ed3889567a3d55948c863a388dc62a5943de00569209a5d7 1886 leptonlib_1.69-3.1+deb7u1.dsc
 08c6fa5d0920b2ae83f1d0f257f8d08783ab88bcf263136cb7a62635e60128f0 7273945 leptonlib_1.69.orig.tar.gz
 e4f105fdf5160e9e00ee2af9018296a51d526d953db98443f6bee9e4f515c13a 7282 leptonlib_1.69-3.1+deb7u1.debian.tar.gz
 cd09ceff66f9f03e32db82563a5006ea2a9c6388659df16aec4984e2030e6027 1277690 libleptonica-dev_1.69-3.1+deb7u1_amd64.deb
 984dc72a6dd9c9d48bd5b58518fca055616afb8de02187c1dacb523b8d717ca1 772016 liblept3_1.69-3.1+deb7u1_amd64.deb
 b1bfda7ede3d55d15d37e509fbb7191cb75c85584102fe2031d9870c51f0885f 215226 leptonica-progs_1.69-3.1+deb7u1_amd64.deb
Files:
 22d8ea33c00d866c40a525d04ef3be85 1886 graphics optional leptonlib_1.69-3.1+deb7u1.dsc
 7d95bb4892188ee7fa8aeebb7174d1ae 7273945 graphics optional leptonlib_1.69.orig.tar.gz
 c38914e9c18a0fdd18f89e821938339d 7282 graphics optional leptonlib_1.69-3.1+deb7u1.debian.tar.gz
 99058ffd70a7d9a94b1612137b4f6a09 1277690 libdevel optional libleptonica-dev_1.69-3.1+deb7u1_amd64.deb
 98cf1291b6bf2a82efb4b20d352934e2 772016 libs optional liblept3_1.69-3.1+deb7u1_amd64.deb
 b51b5b6b2617da59547882fcb0fa5b9d 215226 graphics optional leptonica-progs_1.69-3.1+deb7u1_amd64.deb




Re: upload leptonlib

2018-02-14 Thread Roberto C . Sánchez
On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> Hello.
> 
> I prepared LTS security update for leptonlib. Please review and upload.
> You can find debdiff along with the mail.
> link:
> https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> 

Abhijith,

I have reviewed and uploaded the package. While you backported the
upstream fix, I feel like their approach falls under item #2 of "The Six
Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
help but wonder if another vulnerability will be uncovered later that
uses different characters that are not being checked.

In any event, once you receive the ACCEPT notice from the archive
software you should be able to publish the DLA.

Regards,

-Roberto

-- 
Roberto C. Sánchez
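Roberto's objection above is the general problem with a character denylist in front of a shell. The following added example, written for this page by its editor and not Leptonica's or Debian's code, puts the backport's exact character set beside a positive check and a no-shell exec. The function names and the sample rootnames are constructed for the example; it assumes, as the CVE description in this thread says, that the rootname ends up in the string handed to the shell.

```c
/* Added example (not Leptonica's or Debian's code): the denylist used by the
 * CVE-2018-3836 backport, a positive check, and running gnuplot without a
 * shell. Names and sample inputs are this example's own. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same character set the backported gplotCreate() check rejects. */
static const char DENYLIST[] = "`;&|><\"?*";

/* 1 if rootname survives the denylist, i.e. would still reach system(). */
int passes_denylist(const char *rootname)
{
    return strpbrk(rootname, DENYLIST) == NULL;
}

/* Positive check instead: only [A-Za-z0-9._/-], non-empty, and not starting
 * with '-' (which gnuplot would otherwise parse as an option). */
int passes_allowlist(const char *rootname)
{
    static const char OK[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-";
    size_t n = strlen(rootname);
    if (n == 0 || rootname[0] == '-')
        return 0;
    return strspn(rootname, OK) == n;
}

/* The string the patched non-Windows branch builds for system(): shown so the
 * reader can see exactly what /bin/sh would tokenise. Returns 1 on success. */
int build_shell_command(char *buf, size_t size, const char *cmdname)
{
    int n = snprintf(buf, size, "gnuplot -persist %s", cmdname);
    return n >= 0 && (size_t)n < size;
}

/* No shell at all: argv goes to execvp() verbatim, so "$(...)", backticks or a
 * newline inside cmdname are just bytes of a file name. Returns gnuplot's
 * exit status, or -1 on fork/wait failure (127 if exec itself failed). */
int run_gnuplot_noshell(const char *cmdname)
{
    char *const argv[] = {"gnuplot", "-persist", (char *)cmdname, NULL};
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: one that slips past the denylist, one benign. */
    const char *bypass = "plot$(id).cmd";
    const char *benign = "plots/run-1.cmd";
    char buf[256];

    printf("denylist  %-18s -> %s\n", bypass,
           passes_denylist(bypass) ? "passes (reaches the shell)" : "rejected");
    printf("allowlist %-18s -> %s\n", bypass,
           passes_allowlist(bypass) ? "passes" : "rejected");
    printf("allowlist %-18s -> %s\n", benign,
           passes_allowlist(benign) ? "passes" : "rejected");
    if (build_shell_command(buf, sizeof buf, bypass))
        printf("string /bin/sh would parse: %s\n", buf);
    return 0;
}
```

`run_gnuplot_noshell()` is deliberately not called from `main()` so the example runs without gnuplot installed; it is the shape of call that makes the character set irrelevant. `$`, `(`, `)`, a newline or a space are absent from the denylist, so `plot$(id).cmd` passes it, and as the printed string shows, the shell would run `id` before gnuplot ever sees a file name.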



upload leptonlib

2018-02-14 Thread Abhijith PA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello.

I prepared LTS security update for leptonlib. Please review and upload.
You can find debdiff along with the mail.
link:
https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc

I did the following tests.

- Installed the new build on a wheezy machine
- Tested against the PoC from
  https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
- Ran all regression tests provided in prog/alltests_reg.c
- Ran prog/comparetest.c as it is one of the programs that use `gplot`

diff -Nru leptonlib-1.69/debian/changelog leptonlib-1.69/debian/changelog
--- leptonlib-1.69/debian/changelog 2012-07-19 21:39:52.0 +
+++ leptonlib-1.69/debian/changelog 2018-02-13 18:06:39.0 +
@@ -1,3 +1,11 @@
+leptonlib (1.69-3.1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2018-3836: gplotMakeOutput Command Injection Vulnerability
+(closes: #889759)
+
+ -- Abhijith PA   Tue, 13 Feb 2018 23:36:39 +0530
+
 leptonlib (1.69-3.1) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch 
leptonlib-1.69/debian/patches/CVE-2018-3836.patch
--- leptonlib-1.69/debian/patches/CVE-2018-3836.patch   1970-01-01 
00:00:00.0 +
+++ leptonlib-1.69/debian/patches/CVE-2018-3836.patch   2018-02-13 
18:06:39.0 +
@@ -0,0 +1,125 @@
+Description: Fix CVE-2018-3836.patch
+ An exploitable command injection vulnerability exists in the gplotMakeOutput 
+ function of Leptonica. A specially crafted gplot rootname argument can cause 
a 
+ command injection resulting in arbitrary code execution. 
+ An attacker can provide a malicious path as input to an application that 
passes 
+ attacker data to this function to trigger this vulnerability. Patch 
backported from
+ upstream. 
+ 
+Author: Abhijith PA 
+Origin: 
https://build.opensuse.org/package/view_file/home:kbabioch:branches:openSUSE:Leap:42.3:Update/leptonica/CVE-2018-3836.patch
+Bug: https://github.com/DanBloomberg/leptonica/issues/303
+Bug-Debian: https://bugs.debian.org/889759
+Last-Update: 2018-02-13
+
+Index: leptonlib-1.69/src/gplot.c
+===
+--- leptonlib-1.69.orig/src/gplot.c
 leptonlib-1.69/src/gplot.c
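Review bot: The DEP-3 `Description:` line reads `Fix CVE-2018-3836.patch`, i.e. it names the patch file rather than the issue; make it `Fix CVE-2018-3836: command injection via gplot rootname` so the header matches the changelog entry, and since the text says the patch is backported from upstream while `Origin:` points at an openSUSE branch, add `Forwarded: not-needed` and, if available, the upstream commit next to the `Bug:` issue link so the provenance is unambiguous.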
+@@ -129,9 +129,10 @@ gplotCreate(const char  *rootname,
+ const char  *xlabel,
+ const char  *ylabel)
+ {
+-char   *newroot;
+-charbuf[L_BUF_SIZE];
+-GPLOT  *gplot;
++char*newroot;
++char buf[L_BUF_SIZE];
++l_int32  badchar;
++GPLOT   *gplot;
+ 
+ PROCNAME("gplotCreate");
+ 
+@@ -141,6 +142,9 @@ GPLOT  *gplot;
+ outformat != GPLOT_EPS && outformat != GPLOT_X11 &&
+ outformat != GPLOT_LATEX)
+ return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL);
++stringCheckForChars(rootname, "`;&|><\"?*", );
++if (badchar)  /* danger of command injection */
++return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL);
+ 
+ if ((gplot = (GPLOT *)CALLOC(1, sizeof(GPLOT))) == NULL)
+ return (GPLOT *)ERROR_PTR("gplot not made", procName, NULL);
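Review bot: The character set passed to the new `stringCheckForChars(rootname, "`;&|><\"?*", ...)` call does not include `$`, `(`, `)`, `'`, `\`, space or newline, so a rootname such as `a$(id)` or one with an embedded line break passes this check and, given the description's statement that rootname reaches the command, still ends up in the string handed to `system()`; a positive check (accept only `[A-Za-z0-9._/-]`, reject a leading `-`) closes that gap in a way a longer denylist cannot. Two smaller points: `l_int32  badchar;` is never initialised and the return value of `stringCheckForChars` is ignored, so if that function bails out without setting it the branch reads an indeterminate value; initialise it to 1 so the error path fails closed. And as quoted here the call reads `, );`, with the `&badchar` argument apparently lost in mail wrapping; confirm the committed patch passes it.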
+@@ -360,18 +364,10 @@ l_int32  ignore;
+ gplotGenDataFiles(gplot);
+ 
+ #ifndef _WIN32
+-if (gplot->outformat != GPLOT_X11)
+-snprintf(buf, L_BUF_SIZE, "gnuplot %s &", gplot->cmdname);
+-else
+-snprintf(buf, L_BUF_SIZE,
+- "gnuplot -persist -geometry +10+10 %s &", gplot->cmdname);
++snprintf(buf, L_BUF_SIZE, "gnuplot -persist %s", gplot->cmdname);
+ #else
+-   if (gplot->outformat != GPLOT_X11)
+-   snprintf(buf, L_BUF_SIZE, "wgnuplot %s", gplot->cmdname);
+-   else
+-   snprintf(buf, L_BUF_SIZE,
+-   "wgnuplot -persist %s", gplot->cmdname);
+-#endif  /* _WIN32 */
++snprintf(buf, L_BUF_SIZE, "wgnuplot -persist %s", gplot->cmdname);
++#endif /* _WIN32 */
+ ignore = system(buf);
+ return 0;
+ }
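Review bot: The root cause, formatting `gplot->cmdname` into `buf` and passing it to `system(buf)`, is untouched by this hunk, which is why the character check in gplotCreate has to carry the whole load; replacing `system()` with fork()/execvp() and an argv array (`"gnuplot", "-persist", gplot->cmdname`) would keep the shell out of the path and make the rootname contents inert whatever characters they hold. Separately, the non-Windows branch collapses both cases into `snprintf(buf, L_BUF_SIZE, "gnuplot -persist %s", gplot->cmdname);`, dropping the trailing ` &` and the X11-only `-geometry +10+10`, so gnuplot now runs synchronously for every outformat; that is a behaviour change beyond the CVE fix and deserves a line in the changelog for the wheezy package.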
+Index: leptonlib-1.69/src/utils.c
+===
+---