Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-phpsecl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib3
Hi,

Please allow to fix CVE-2023-49316 (#1057008) in the next point release. I assume from the bug report wording that it isn’t worth a DSA (security team X-Debbugs-Cced in case I misunderstood). The changelog refers to a trivial change (gbp.conf and control) for the build process, and the three-line upstream patch (+comments +test) to fix the issue.

  * Track bookworm
  * Math/BinaryField: fix for excessively large degrees [CVE-2023-49316]
    (Closes: #1057008)

It passes its (updated) testsuite, but I didn’t have time to test this update thoroughly.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Thanks in advance for your consideration.

Regards,

taffit
diff -Nru php-phpseclib3-3.0.19/debian/changelog php-phpseclib3-3.0.19/debian/changelog --- php-phpseclib3-3.0.19/debian/changelog 2023-03-06 08:00:12.000000000 +0100 +++ php-phpseclib3-3.0.19/debian/changelog 2023-11-28 08:33:28.000000000 +0100 @@ -1,3 +1,11 @@ +php-phpseclib3 (3.0.19-1+deb12u1) bookworm; urgency=medium + + * Track bookworm + * Math/BinaryField: fix for excessively large degrees [CVE-2023-49316] + (Closes: #1057008) + + -- David Prévot <taf...@debian.org> Tue, 28 Nov 2023 08:33:28 +0100 + php-phpseclib3 (3.0.19-1) unstable; urgency=medium [ Alexander Vlasov ] diff -Nru php-phpseclib3-3.0.19/debian/control php-phpseclib3-3.0.19/debian/control --- php-phpseclib3-3.0.19/debian/control 2023-03-06 08:00:12.000000000 +0100 +++ php-phpseclib3-3.0.19/debian/control 2023-11-28 08:32:24.000000000 +0100 @@ -13,7 +13,7 @@ pkg-php-tools (>= 1.41~) Standards-Version: 4.6.2 Homepage: https://phpseclib.sourceforge.net/ -Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/latest +Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/bookworm Vcs-Browser: https://salsa.debian.org/php-team/pear/phpseclib Rules-Requires-Root: no diff -Nru php-phpseclib3-3.0.19/debian/gbp.conf php-phpseclib3-3.0.19/debian/gbp.conf --- php-phpseclib3-3.0.19/debian/gbp.conf 2023-03-06 07:51:57.000000000 +0100 +++ php-phpseclib3-3.0.19/debian/gbp.conf 2023-11-28 08:32:24.000000000 +0100 
@@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/latest +debian-branch = debian/bookworm pristine-tar = True filter = [ '.gitattributes' ] upstream-vcs-tag = %(version%~%-)s diff -Nru php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch --- php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch 1970-01-01 01:00:00.000000000 +0100 +++ php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch 2023-11-28 08:32:28.000000000 +0100 
@@ -0,0 +1,56 @@ +From: terrafrost <terrafr...@php.net> +Date: Tue, 21 Nov 2023 19:10:46 -0600 +Subject: Math/BinaryField: fix for excessively large degrees + +Origin: backport, https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f +Bug-Debian: https://bugs.debian.org/1057008 +--- + phpseclib/Math/BinaryField.php | 9 +++++++++ + tests/Unit/Crypt/EC/KeyTest.php | 16 ++++++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/phpseclib/Math/BinaryField.php b/phpseclib/Math/BinaryField.php +index 3e21a67..5da8c93 100644 +--- a/phpseclib/Math/BinaryField.php ++++ b/phpseclib/Math/BinaryField.php +@@ -48,6 +48,15 @@ class BinaryField extends FiniteField + public function __construct(...$indices) + { + $m = array_shift($indices); ++ if ($m > 571) { ++ /* sect571r1 and sect571k1 are the largest binary curves that https://www.secg.org/sec2-v2.pdf defines ++ altho theoretically there may be legit reasons to use binary finite fields with larger degrees ++ imposing a limit on the maximum size is both reasonable and precedented. in particular, ++ http://tools.ietf.org/html/rfc4253#section-6.1 (The Secure Shell (SSH) Transport Layer Protocol) says ++ "implementations SHOULD check that the packet length is reasonable in order for the implementation to ++ avoid denial of service and/or buffer overflow attacks" */ ++ throw new \OutOfBoundsException('Degrees larger than 571 are not supported'); ++ } + $val = str_repeat('0', $m) . 
'1'; + foreach ($indices as $index) { + $val[$index] = '1'; +diff --git a/tests/Unit/Crypt/EC/KeyTest.php b/tests/Unit/Crypt/EC/KeyTest.php +index f0069a3..f423845 100644 +--- a/tests/Unit/Crypt/EC/KeyTest.php ++++ b/tests/Unit/Crypt/EC/KeyTest.php +@@ -690,4 +690,20 @@ cN6W+k8UvGf+Y/lDWNbFitQocabsDUvSN0edHH3UKP5QPTz4cOlyIPMrXQ== + $key = PublicKeyLoader::load($key); + $this->assertInstanceOf(PublicKey::class, $key); + } ++ ++ public function testExcessivelyLargeBinaryField() ++ { ++ $this->expectException('\OutOfBoundsException'); ++ ++ $key = '-----BEGIN PUBLIC KEY----- ++MIIBDDCB0wYHKoZIzj0CATCBxwIBATAgBgcqhkjOPQECMBUCBH////8GCSqGSM49 ++AQIDAgICAMEwTQQZABeFj+t6mJdRaeFx93tAh94JisipEd97AQQZAP37Sb/mw6if ++rK2qeh5bvHzBwuXYMUeIFAMVABA/rsdNaW5naHVhUXV3f8Wxke8wBDMEAfSBvF8P +++Ep0rWzfb970v2F5YlNy2MDF4QAl45nykDcSzPPqnjoa0X+wsyAbavfOGwUCGQEA ++AAAAAAAAAAAAAADH80p3j0Q6zJIOukkCAQIDNAAEAE2mUTAwdPK952h3G8ZinK8B ++z9DYTLdGkQDqox3AtEs9nn6kE1O/vHE4bqMegjj4gbA= ++-----END PUBLIC KEY-----'; ++ $key = EC::loadFormat('PKCS8', $key); ++ $this->assertInstanceOf(PublicKey::class, $key); ++ } + } diff -Nru php-phpseclib3-3.0.19/debian/patches/series php-phpseclib3-3.0.19/debian/patches/series --- php-phpseclib3-3.0.19/debian/patches/series 2023-03-06 08:00:12.000000000 +0100 +++ php-phpseclib3-3.0.19/debian/patches/series 2023-11-28 08:32:28.000000000 +0100 @@ -4,3 +4,4 @@ 0004-Skip-test-failing-on-32-bit-architectures.patch 0005-Skip-test-failing-on-s390x-architecture.patch 0006-Drop-PHPUnit-10-Updates.patch +0007-Math-BinaryField-fix-for-excessively-large-degrees.patch
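Review bot: in the BinaryField.php hunk of 0007, the new `if ($m > 571)` guard bounds only the degree `$m` taken by `array_shift($indices)`; the `foreach ($indices as $index) { $val[$index] = '1'; }` loop that follows still writes each remaining index into the string without checking that it lies within `0..$m`, so a malformed index list is not rejected by this change. Placing the guard before `str_repeat('0', $m)` is the right spot for the allocation bound, but consider validating each `$index` against `$m` in the same place and hoisting the literal 571 into a named class constant, since the justification already lives in the comment block above the `throw`.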
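Review bot: in the tests/Unit/Crypt/EC/KeyTest.php hunk, the `$this->assertInstanceOf(PublicKey::class, $key)` line at the end of `testExcessivelyLargeBinaryField` is unreachable: `expectException('\OutOfBoundsException')` makes the test pass only when `EC::loadFormat('PKCS8', $key)` throws, so the assertion never runs. Dropping it, or replacing it with a short comment stating that the embedded key declares a binary-field degree above 571, would make the intent of the fixture clearer; `expectException(\OutOfBoundsException::class)` would also avoid the leading-backslash string. Since this is copied verbatim from the upstream commit named in the patch's Origin header, keeping it as-is for the backport is defensible.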