Your message dated Sat, 29 Jun 2024 10:47:46 +0000
with message-id <e1snvcq-002bqp...@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1065268,
regarding bullseye-pu: package phpseclib/1.0.19-3+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1065268: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065268
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:phpseclib
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

This issue is similar to #1065264 for bookworm.

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru phpseclib-1.0.19/debian/autoload.php.tpl phpseclib-1.0.19/debian/autoload.php.tpl
--- phpseclib-1.0.19/debian/autoload.php.tpl	2023-12-31 15:43:05.000000000 +0100
+++ phpseclib-1.0.19/debian/autoload.php.tpl	2024-02-27 21:27:58.000000000 +0100
@@ -1,7 +1,7 @@
 <?php
 
-require_once 'phpseclib.bootstrap.php';
-require_once 'Crypt/Random.php';
+require_once __DIR__.'/phpseclib.bootstrap.php';
+require_once __DIR__.'/Crypt/Random.php';
 
 // @codingStandardsIgnoreFile
 // @codeCoverageIgnoreStart
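Review bot: the switch from a bare `require_once 'phpseclib.bootstrap.php'` to `require_once __DIR__.'/phpseclib.bootstrap.php'` pins resolution to the installed package directory instead of walking include_path (and then the including script's directory), which is the dependency-loading problem the cover mail compares to CVE-2024-24821. Since only these two lines are touched, it is worth confirming that no other template or generated file under debian/ still uses an include_path-relative require_once.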
diff -Nru phpseclib-1.0.19/debian/changelog phpseclib-1.0.19/debian/changelog
--- phpseclib-1.0.19/debian/changelog	2023-12-31 15:59:59.000000000 +0100
+++ phpseclib-1.0.19/debian/changelog	2024-02-27 21:27:58.000000000 +0100
@@ -1,3 +1,13 @@
+phpseclib (1.0.19-3+deb11u2) bullseye; urgency=medium
+
+  * Backport upstream fixes
+    - BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+    - ASN1: limit OID length [CVE-2024-27355]
+    - BigInteger: fix getLength()
+  * Force system dependencies loading
+
+ -- David Prévot <taf...@debian.org>  Tue, 27 Feb 2024 21:27:58 +0100
+
 phpseclib (1.0.19-3+deb11u1) bullseye-security; urgency=medium
 
   * Track bullseye
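Review bot: the changelog item `* Force system dependencies loading` gives no rationale, and for a stable update the changelog is what the point-release notes and the security tracker will quote. Suggest carrying the reason from the cover mail into the entry, e.g. `* Force system dependencies loading (similar to CVE-2024-24821)`, so the reader does not have to find this bug to learn why autoload.php.tpl changed.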
diff -Nru phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.000000000 +0100
+++ phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:27:58.000000000 +0100
@@ -0,0 +1,76 @@
+From: terrafrost <terrafr...@gmail.com>
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 35df7ad..1dd4729 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -746,6 +746,33 @@ class Math_BigInteger
+         return $result;
+     }
+ 
++    /**
++     * Return the size of a BigInteger in bits
++     *
++     * @return int
++     */
++    function getLength()
++    {
++        if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++            return strlen($this->toBits());
++        }
++
++        $max = count($this->value) - 1;
++        return $max != -1 ?
++            $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++            0;
++    }
++
++    /**
++     * Return the size of a BigInteger in bytes
++     *
++     * @return int
++     */
++    function getLengthInBytes()
++    {
++        return ceil($this->getLength() / 8);
++    }
++
+     /**
+      * Copy an object
+      *
+@@ -3283,6 +3310,11 @@ class Math_BigInteger
+             $min = $temp;
+         }
+ 
++        $length = $max->getLength();
++        if ($length > 8196) {
++            user_error('Generation of random prime numbers larger than 8196 has been disabled');
++        }
++
+         static $one, $two;
+         if (!isset($one)) {
+             $one = new Math_BigInteger(1);
+@@ -3390,7 +3422,14 @@ class Math_BigInteger
+      */
+     function isPrime($t = false)
+     {
+-        $length = strlen($this->toBytes());
++        $length = $this->getLength();
++        // OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++        // produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++        // a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++        // that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++        if ($length > 8196) {
++            user_error('Primality testing is not supported for numbers larger than 8196 bits');
++        }
+ 
+         if (!$t) {
+             // see HAC 4.49 "Note (controlling the error probability)"
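Review bot: the new getLength() body reads `$a->value[$max]` although no `$a` is defined in that method; as introduced here it only works because the follow-up patch 0031 rewrites the line to `$this->value[$max]`, so the two patches must stay together in series (and 0029 should not be cherry-picked on its own). On the guardrails themselves: `user_error(...)` in both randomPrime() and isPrime() is not followed by a `return`, so with a non-throwing error handler execution continues past the check (`static $one, $two;` and `if (!$t) {` respectively) and the oversized input is still processed; and the comment's arithmetic does not add up, since two 8196-bit primes give up to a 16392-bit product, not 16384 (8192 is the value consistent with the stated OpenSSL limit). Both mirror upstream commit ad5dbdf, so keeping them verbatim is reasonable for a backport, but the continue-after-error behaviour deserves a sentence in the cover mail.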
Les fichiers binaires /tmp/q2874tUZtM/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch et /tmp/8dbXhTc93J/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch sont différents
diff -Nru phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch
--- phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch	1970-01-01 01:00:00.000000000 +0100
+++ phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch	2024-02-27 21:27:58.000000000 +0100
@@ -0,0 +1,31 @@
+From: terrafrost <terrafr...@gmail.com>
+Date: Sat, 24 Feb 2024 14:15:49 -0600
+Subject: BigInteger: fix getLength()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/c55b75199ec8d12cec6eadf6da99da4a3712fe56
+---
+ phpseclib/Math/BigInteger.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 1dd4729..6a981ab 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -759,7 +759,7 @@ class Math_BigInteger
+ 
+         $max = count($this->value) - 1;
+         return $max != -1 ?
+-            $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++            $max * MATH_BIGINTEGER_BASE + intval(ceil(log($this->value[$max] + 1, 2))) :
+             0;
+     }
+ 
+@@ -770,7 +770,7 @@ class Math_BigInteger
+      */
+     function getLengthInBytes()
+     {
+-        return ceil($this->getLength() / 8);
++        return (int) ceil($this->getLength() / 8);
+     }
+ 
+     /**
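Review bot: the fix replaces the undefined `$a` with `$this` and forces integer results, but the two casts are written differently (`intval(ceil(...))` in getLength(), `(int) ceil(...)` in getLengthInBytes()); a minor consistency nit. The bit count still goes through `log($this->value[$max] + 1, 2)`, a floating-point computation whose ceil() sits exactly on a rounding boundary whenever the top limb is one below a power of two; an integer shift loop over the top limb would give the same answer without depending on log() rounding. Acceptable for a backport that tracks upstream c55b751, but worth noting if the function is ever used for anything beyond the 8196-bit guardrail.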
diff -Nru phpseclib-1.0.19/debian/patches/series phpseclib-1.0.19/debian/patches/series
--- phpseclib-1.0.19/debian/patches/series	2023-12-31 15:59:59.000000000 +0100
+++ phpseclib-1.0.19/debian/patches/series	2024-02-27 21:27:58.000000000 +0100
@@ -26,3 +26,6 @@
 0026-SSH2-add-support-for-RFC8308.patch
 0027-SSH2-implement-terrapin-attack-countermeasures.patch
 0028-phpcbf-run.patch
+0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
+0030-ASN1-limit-OID-length.patch
+0031-BigInteger-fix-getLength.patch
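Review bot: 0030-ASN1-limit-OID-length.patch is appended to series, but its contents are absent from this debdiff because diff reported the file as binary (the `Les fichiers binaires ... sont différents` line above), so the CVE-2024-27355 change cannot be reviewed from the attachment alone. Please cite the upstream commit for that patch in the cover mail, as the 0029 and 0031 headers do with their Origin lines, and confirm it carries Origin and Bug-Debian headers like the other two.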
diff -Nru phpseclib-1.0.19/debian/source/include-binaries phpseclib-1.0.19/debian/source/include-binaries
--- phpseclib-1.0.19/debian/source/include-binaries	1970-01-01 01:00:00.000000000 +0100
+++ phpseclib-1.0.19/debian/source/include-binaries	2024-02-27 21:27:58.000000000 +0100
@@ -0,0 +1 @@
+debian/patches/0030-ASN1-limit-OID-length.patch
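Review bot: listing debian/patches/0030-ASN1-limit-OID-length.patch in include-binaries is what lets dpkg-source accept a patch that diff treats as binary; it would be cleaner to check whether the bytes that make that patch non-text can be expressed in escaped form, so the patch stays reviewable as text in future debdiffs and this file becomes unnecessary.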

Attachment: signature.asc
Description: PGP signature


--- End Message ---
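The getLength() code carried by patches 0029 and 0031 above derives a bit length from a floating-point `log()`. The script below is an added illustration, not part of the debdiff or of phpseclib: it computes the bit length of a constructed little-endian limb array with integer shifts only and compares that with the `ceil(log(..., 2))` formula from the patch on the values where `ceil()` sits on a rounding boundary. The 26-bit limb width and the function names are assumptions for this demo, not phpseclib's API.

```php
<?php
// Added example (not from the debdiff or phpseclib). Assumes 26-bit limbs,
// which is what phpseclib's internal mode uses via MATH_BIGINTEGER_BASE;
// that constant is not redefined here.
const LIMB_BITS = 26;

// Exact bit length of a single limb using integer shifts only.
function limbBitLength(int $limb): int
{
    $bits = 0;
    while ($limb > 0) {
        $limb >>= 1;
        $bits++;
    }
    return $bits;
}

// Bit length of a number stored as little-endian limbs (most significant last),
// the same shape as the patched getLength(): full limbs below the top one,
// plus the bit length of the top limb.
function bitLength(array $limbs): int
{
    $max = count($limbs) - 1;
    return $max >= 0 ? $max * LIMB_BITS + limbBitLength($limbs[$max]) : 0;
}

// The float-based formula from the patch, for comparison.
function bitLengthViaLog(array $limbs): int
{
    $max = count($limbs) - 1;
    return $max >= 0 ? $max * LIMB_BITS + intval(ceil(log($limbs[$max] + 1, 2))) : 0;
}

// Probe every top-limb value that is a power of two or one below it: those are
// the inputs where log($v + 1, 2) lands on or next to an integer, so any
// rounding error in log() shows up as an off-by-one after ceil().
$mismatches = [];
for ($k = 1; $k <= LIMB_BITS; $k++) {
    foreach ([(1 << $k) - 1, 1 << $k] as $v) {
        if ($v >= (1 << LIMB_BITS)) {
            continue; // not a valid 26-bit limb value
        }
        $exact  = bitLength([0, $v]);
        $viaLog = bitLengthViaLog([0, $v]);
        if ($exact !== $viaLog) {
            $mismatches[] = sprintf("limb=%d exact=%d log=%d", $v, $exact, $viaLog);
        }
    }
}

printf("bit length of [0, 1] (two limbs) = %d\n", bitLength([0, 1]));
echo $mismatches
    ? implode("\n", $mismatches) . "\n"
    : "float and integer versions agree on all boundary values\n";
```

Run it with `php bitlength.php` on the PHP build the package targets: the integer path is the reference, and any line printed from `$mismatches` is a limb value on which the log()-based formula disagrees with it on that platform.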
--- Begin Message ---
Version: 11.10

The upload requested in this bug has been released as part of 11.10.

--- End Message ---