Dear maintainer of beaker, I've prepared an NMU for beaker (versioned as 1.6.3-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.
I've also prepared a package for squeeze-security [0] and will follow up via RT.

0: http://people.debian.org/~taffit/beaker/

Regards
David
diffstat for beaker-1.6.3 beaker-1.6.3 changelog | 9 +++++++++ patches/fix_CVE-2012-3458.patch | 36 ++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 46 insertions(+) diff -Nru beaker-1.6.3/debian/changelog beaker-1.6.3/debian/changelog --- beaker-1.6.3/debian/changelog 2012-05-06 16:46:36.000000000 -0400 +++ beaker-1.6.3/debian/changelog 2012-08-24 13:54:40.000000000 -0400 @@ -1,3 +1,12 @@ +beaker (1.6.3-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix security issue, with PyCrypto not securing data such that an attacker + could possibly determine parts of the encrypted payload. Patch by Miloslav + Trmac of Redhat. [CVE-2012-3458] Closes: #684890 + + -- David Prévot <taf...@debian.org> Fri, 24 Aug 2012 13:54:13 -0400 + beaker (1.6.3-1) unstable; urgency=low [ Andrey Rahmatullin ] diff -Nru beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch --- beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch 1969-12-31 20:00:00.000000000 -0400 +++ beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch 2012-08-24 14:04:48.000000000 -0400 
@@ -0,0 +1,36 @@ +From: Ben Bangert <b...@groovie.org> +Subject : Fix security issue CVE-2012-3458 + + Fix security issue, with PyCrypto not securing data such that an attacker + could possibly determine parts of the encrypted payload. Patch by Miloslav + Trmac of Redhat. [CVE-2012-3458] + +Origin: upstream, https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5 +Bug-Debian: http://bugs.debian.org/684890 + +--- beaker-1.6.3.orig/beaker/crypto/pycrypto.py ++++ beaker-1.6.3/beaker/crypto/pycrypto.py +@@ -15,17 +15,18 @@ try: + + except ImportError: + from Crypto.Cipher import AES ++ from Crypto.Util import Counter + + def aesEncrypt(data, key): +- cipher = AES.new(key) ++ cipher = AES.new(key, AES.MODE_CTR, ++ counter=Counter.new(128, initial_value=0)) + +- data = data + (" " * (16 - (len(data) % 16))) + return cipher.encrypt(data) + + def aesDecrypt(data, key): +- cipher = AES.new(key) +- +- return cipher.decrypt(data).rstrip() ++ cipher = AES.new(key, AES.MODE_CTR, ++ counter=Counter.new(128, initial_value=0)) ++ return cipher.decrypt(data) + + def getKeyLength(): + return 32 diff -Nru beaker-1.6.3/debian/patches/series beaker-1.6.3/debian/patches/series --- beaker-1.6.3/debian/patches/series 1969-12-31 20:00:00.000000000 -0400 +++ beaker-1.6.3/debian/patches/series 2012-08-24 13:59:45.000000000 -0400 @@ -0,0 +1 @@ +fix_CVE-2012-3458.patch
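Review bot: the changelog entry for 1.6.3-1.1 names the symptom ("an attacker could possibly determine parts of the encrypted payload") but not the change, so a reader cannot tell from it what was altered; consider stating that beaker/crypto/pycrypto.py switches aesEncrypt/aesDecrypt from `AES.new(key)` (PyCrypto's default ECB mode) to `AES.MODE_CTR` and drops the 16-byte space padding and `.rstrip()`, and add that payloads encrypted by the previous code will no longer decrypt, so existing sessions are invalidated on upgrade.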
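Review bot: in the pycrypto.py hunk both aesEncrypt and aesDecrypt build the counter as `Counter.new(128, initial_value=0)` with no nonce, so every payload encrypted under the same key is XORed with the same keystream; that is only acceptable if each key is used for exactly one payload, and nothing in this hunk shows how `key` is derived, so the upload should confirm that callers derive a fresh key per encryption (or fold a nonce into the key) before relying on CTR mode here. Removing the padding line and `.rstrip()` is correct for a stream mode, but it also means legitimate trailing whitespace in the plaintext is now preserved rather than stripped, a behaviour change worth mentioning for callers. Style: the DEP-3 header reads `+Subject : Fix security issue CVE-2012-3458`; the field name should be `Subject:` with no space before the colon.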