[SECURITY] [DLA 1283-1] python-crypto security update
Package        : python-crypto
Version        : 2.6-4+deb7u8
CVE ID         : CVE-2018-6594
Debian Bug     : 88

python-crypto generated weak ElGamal key parameters, which allowed attackers to obtain sensitive information by reading ciphertext data (i.e., it did not have semantic security in the face of a ciphertext-only attack).

For Debian 7 "Wheezy", these problems have been fixed in version 2.6-4+deb7u8.

We recommend that you upgrade your python-crypto packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted python-crypto 2.6-4+deb7u8 (source i386 all) into oldoldstable
Format: 1.8
Date: Fri, 09 Feb 2018 16:41:36 +1100
Source: python-crypto
Binary: python-crypto python-crypto-dbg python3-crypto python3-crypto-dbg python-crypto-doc
Architecture: source i386 all
Version: 2.6-4+deb7u8
Distribution: wheezy-security
Urgency: high
Maintainer: Sebastian Ramacher
Changed-By: Brian May
Description:
 python-crypto - cryptographic algorithms and protocols for Python
 python-crypto-dbg - cryptographic algorithms and protocols for Python (debug extensio
 python-crypto-doc - cryptographic algorithms and protocols for Python (documentation)
 python3-crypto - cryptographic algorithms and protocols for Python 3
 python3-crypto-dbg - cryptographic algorithms and protocols for Python 3 (debug extens
Changes:
 python-crypto (2.6-4+deb7u8) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2018-6594: fix generating weak ElGamal key parameters, which allowed
     attackers to obtain sensitive information by reading ciphertext data.
Accepted leptonlib 1.69-3.1+deb7u1 (source amd64) into oldoldstable
Format: 1.8
Date: Tue, 13 Feb 2018 23:36:39 +0530
Source: leptonlib
Binary: libleptonica-dev liblept3 leptonica-progs
Architecture: source amd64
Version: 1.69-3.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Jeff Breidenbach
Changed-By: Abhijith PA
Description:
 leptonica-progs - sample programs for Leptonica image processing library
 liblept3 - image processing library
 libleptonica-dev - image processing library
Closes: 889759
Changes:
 leptonlib (1.69-3.1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2018-3836: gplotMakeOutput Command Injection Vulnerability
     (closes: #889759)
Re: upload leptonlib
On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> Hello.
>
> I prepared an LTS security update for leptonlib. Please review and upload.
> You can find the debdiff along with the mail.
> link:
> https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
>

Abhijith,

I have reviewed and uploaded the package. While you backported the upstream fix, I feel like their approach falls under item #2 of "The Six Dumbest Ideas in Computer Security" [0]: Enumerating Badness. I cannot help but wonder if another vulnerability will be uncovered later that uses different characters that are not being checked.

In any event, once you receive the ACCEPT notice from the archive software you should be able to publish the DLA.

Regards,

-Roberto

-- 
Roberto C. Sánchez
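To make the "Enumerating Badness" concern from the reply above concrete, here is an added example (not code from leptonica, upstream's patch or the Debian upload) that places the patch's denylist of rootname characters next to an allowlist check. The function names, the allowlist policy and the sample rootnames are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Character set rejected by the backported CVE-2018-3836 patch. */
static const char DENYLIST[] = "`;&|><\"?*";

/* Denylist check mirroring the patch: returns 1 if any listed character occurs. */
int rootname_has_badchar(const char *rootname)
{
    return strpbrk(rootname, DENYLIST) != NULL;
}

/* Allowlist check (an assumed policy, not upstream's): accept a rootname only
 * if it is non-empty, does not start with '-' (so it cannot be parsed as an
 * option) and every byte is alphanumeric or one of "._/-". */
int rootname_is_allowed(const char *rootname)
{
    const unsigned char *p = (const unsigned char *)rootname;
    if (p == NULL || *p == '\0' || *p == '-')
        return 0;
    for (; *p; p++) {
        if (!isalnum(*p) && strchr("._/-", *p) == NULL)
            return 0;
    }
    return 1;
}

/* Returns 1 when the denylist accepts a name that the allowlist rejects,
 * i.e. a name the patch's check alone would hand on to system(). */
int denylist_misses(const char *rootname)
{
    return !rootname_has_badchar(rootname) && !rootname_is_allowed(rootname);
}

int main(void)
{
    /* Constructed sample rootnames; "a$b" and "a b" contain characters that
     * are absent from the patch's set but still meaningful to a shell. */
    const char *samples[] = { "plot_out", "/tmp/plots/run1", "a;b", "a$b", "a b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s denylist:%s allowlist:%s\n", samples[i],
               rootname_has_badchar(samples[i]) ? "reject" : "accept",
               rootname_is_allowed(samples[i]) ? "accept" : "reject");
    return 0;
}
```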
upload leptonlib
Hello.

I prepared an LTS security update for leptonlib. Please review and upload.
You can find the debdiff along with the mail.
link:
https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc

I did the following tests:

- Installed the new build on a wheezy machine
- Tested against the PoC from https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
- Ran all regression tests provided in prog/alltests_reg.c
- Ran prog/comparetest.c as it is one of the programs which uses `gplot`

diff -Nru leptonlib-1.69/debian/changelog leptonlib-1.69/debian/changelog
--- leptonlib-1.69/debian/changelog 2012-07-19 21:39:52.0 +
+++ leptonlib-1.69/debian/changelog 2018-02-13 18:06:39.0 +
@@ -1,3 +1,11 @@ +leptonlib (1.69-3.1+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2018-3836: gplotMakeOutput Command Injection Vulnerability +(closes: #889759) + + -- Abhijith PATue, 13 Feb 2018 23:36:39 +0530 + leptonlib (1.69-3.1) unstable; urgency=medium * Non-maintainer upload diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch leptonlib-1.69/debian/patches/CVE-2018-3836.patch --- leptonlib-1.69/debian/patches/CVE-2018-3836.patch 1970-01-01 00:00:00.0 + +++ leptonlib-1.69/debian/patches/CVE-2018-3836.patch 2018-02-13 18:06:39.0 + 
@@ -0,0 +1,125 @@ +Description: Fix CVE-2018-3836.patch + An exploitable command injection vulnerability exists in the gplotMakeOutput + function of Leptonica. A specially crafted gplot rootname argument can cause a + command injection resulting in arbitrary code execution. + An attacker can provide a malicious path as input to an application that passes + attacker data to this function to trigger this vulnerability. Patch backported from + upstream. + +Author: Abhijith PA +Origin: https://build.opensuse.org/package/view_file/home:kbabioch:branches:openSUSE:Leap:42.3:Update/leptonica/CVE-2018-3836.patch +Bug: https://github.com/DanBloomberg/leptonica/issues/303 +Bug-Debian: https://bugs.debian.org/889759 +Last-Update: 2018-02-13 + +Index: leptonlib-1.69/src/gplot.c +=== +--- leptonlib-1.69.orig/src/gplot.c leptonlib-1.69/src/gplot.c +@@ -129,9 +129,10 @@ gplotCreate(const char *rootname, + const char *xlabel, + const char *ylabel) + { +-char *newroot; +-charbuf[L_BUF_SIZE]; +-GPLOT *gplot; ++char*newroot; ++char buf[L_BUF_SIZE]; ++l_int32 badchar; ++GPLOT *gplot; + + PROCNAME("gplotCreate"); + +@@ -141,6 +142,9 @@ GPLOT *gplot; + outformat != GPLOT_EPS && outformat != GPLOT_X11 && + outformat != GPLOT_LATEX) + return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL); ++stringCheckForChars(rootname, "`;&|><\"?*", ); ++if (badchar) /* danger of command injection */ ++return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL); + + if ((gplot = (GPLOT *)CALLOC(1, sizeof(GPLOT))) == NULL) + return (GPLOT *)ERROR_PTR("gplot not made", procName, NULL); +@@ -360,18 +364,10 @@ l_int32 ignore; + gplotGenDataFiles(gplot); + + #ifndef _WIN32 +-if (gplot->outformat != GPLOT_X11) +-snprintf(buf, L_BUF_SIZE, "gnuplot %s &", gplot->cmdname); +-else +-snprintf(buf, L_BUF_SIZE, +- "gnuplot -persist -geometry +10+10 %s &", gplot->cmdname); ++snprintf(buf, L_BUF_SIZE, "gnuplot -persist %s", gplot->cmdname); + #else +- if (gplot->outformat != GPLOT_X11) +- snprintf(buf, 
L_BUF_SIZE, "wgnuplot %s", gplot->cmdname); +- else +- snprintf(buf, L_BUF_SIZE, +- "wgnuplot -persist %s", gplot->cmdname); +-#endif /* _WIN32 */ ++snprintf(buf, L_BUF_SIZE, "wgnuplot -persist %s", gplot->cmdname); ++#endif /* _WIN32 */ + ignore = system(buf); + return 0; + } +Index: leptonlib-1.69/src/utils.c +=== +---
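Review bot: in the gplotCreate hunk the call `stringCheckForChars(rootname, "`;&|><\"?*", );` has an empty third argument as shown, yet `badchar` is read two lines later, so the address of that flag (`&badchar`) must be passed and should be confirmed in the uploaded patch (the utils.c hunk that adds stringCheckForChars is cut off here, so its signature cannot be checked from this mail). The check itself is a denylist: characters outside that set, such as `$` or whitespace, are not rejected even though the rootname still reaches `system()` through `buf`, which is the same concern Roberto raised; an allowlist of permitted rootname characters would be the more durable fix. Also, the patch header reads `Description: Fix CVE-2018-3836.patch`; the `.patch` suffix in the description is a typo.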
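Review bot: the gplotMakeOutput hunk changes behaviour beyond the security fix and neither the changelog entry nor the patch description mentions it: dropping the trailing `&` on the non-Windows command means `gplotMakeOutput` now blocks until gnuplot exits instead of returning immediately, and `-persist` is passed for every outformat rather than only for `GPLOT_X11`. Since prog/comparetest.c was used as a test for exactly this path, a one-line note in the changelog would spare users of leptonica-progs a surprise. Note too that `ignore = system(buf)` keeps the original execution path unchanged, so the rootname check in gplotCreate is the only barrier between a caller-supplied string and the shell.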