Your message dated Sun, 26 Aug 2012 23:17:02 +0100
with message-id <90cb264e6fc1d197f146292e063bb...@mail.adsl.funky-badger.org>
and subject line Re: Bug#685944: unblock: beaker/1.6.3-1.1
has caused the Debian Bug report #685944,
regarding unblock: beaker/1.6.3-1.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
685944: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685944
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package beaker
It fixes a security issue ([CVE-2012-3458] #684890). I didn't touch the
urgency since we're in freeze, and leave it to your appreciation.
unblock beaker/1.6.3-1.1
Thanks in advance.
Regards
David
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for beaker-1.6.3 beaker-1.6.3
changelog | 9 +++++++++
patches/fix_CVE-2012-3458.patch | 36 ++++++++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 46 insertions(+)
diff -Nru beaker-1.6.3/debian/changelog beaker-1.6.3/debian/changelog
--- beaker-1.6.3/debian/changelog 2012-05-06 16:46:36.000000000 -0400
+++ beaker-1.6.3/debian/changelog 2012-08-24 13:54:40.000000000 -0400
@@ -1,3 +1,12 @@
+beaker (1.6.3-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix security issue, with PyCrypto not securing data such that an attacker
+ could possibly determine parts of the encrypted payload. Patch by Miloslav
+ Trmac of Redhat. [CVE-2012-3458] Closes: #684890
+
+ -- David Prévot <taf...@debian.org> Fri, 24 Aug 2012 13:54:13 -0400
+
beaker (1.6.3-1) unstable; urgency=low
[ Andrey Rahmatullin ]
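Review bot: The header of the new entry sets urgency=low although the entry itself describes a CVE fix ([CVE-2012-3458], Closes: #684890). Security uploads in Debian normally carry urgency=high or at least medium. The unblock is manual during a freeze, but the field should still reflect the nature of the change. The entry text would also be more useful if it named the actual change (AES.new(key) with no mode replaced by AES.MODE_CTR) rather than only "PyCrypto not securing data", and "Redhat" should read "Red Hat".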
diff -Nru beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch
--- beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch 1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch 2012-08-24 14:04:48.000000000 -0400
@@ -0,0 +1,36 @@
+From: Ben Bangert <b...@groovie.org>
+Subject : Fix security issue CVE-2012-3458
+
+ Fix security issue, with PyCrypto not securing data such that an attacker
+ could possibly determine parts of the encrypted payload. Patch by Miloslav
+ Trmac of Redhat. [CVE-2012-3458]
+
+Origin: upstream, https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5
+Bug-Debian: http://bugs.debian.org/684890
+
+--- beaker-1.6.3.orig/beaker/crypto/pycrypto.py
++++ beaker-1.6.3/beaker/crypto/pycrypto.py
+@@ -15,17 +15,18 @@ try:
+
+ except ImportError:
+ from Crypto.Cipher import AES
++ from Crypto.Util import Counter
+
+ def aesEncrypt(data, key):
+- cipher = AES.new(key)
++ cipher = AES.new(key, AES.MODE_CTR,
++ counter=Counter.new(128, initial_value=0))
+
+- data = data + (" " * (16 - (len(data) % 16)))
+ return cipher.encrypt(data)
+
+ def aesDecrypt(data, key):
+- cipher = AES.new(key)
+-
+- return cipher.decrypt(data).rstrip()
++ cipher = AES.new(key, AES.MODE_CTR,
++ counter=Counter.new(128, initial_value=0))
++ return cipher.decrypt(data)
+
+ def getKeyLength():
+ return 32
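Review bot: Both aesEncrypt and aesDecrypt build the counter as Counter.new(128, initial_value=0), so in CTR mode the keystream is determined entirely by key, and two payloads encrypted under the same key are XORed with the same keystream. Either pass a per-message nonce into the counter, or add a comment on both functions stating that callers must never reuse a key, because nothing in this file enforces that. Two smaller points: CTR gives no integrity protection, so the caller has to authenticate the ciphertext separately. Removing the space padding together with rstrip() also changes the stored format, so data written by the old code will not decrypt to its original value after the upgrade, which deserves a line in the changelog. The patch header also reads "Subject :" with a stray space before the colon.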
diff -Nru beaker-1.6.3/debian/patches/series beaker-1.6.3/debian/patches/series
--- beaker-1.6.3/debian/patches/series 1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/series 2012-08-24 13:59:45.000000000 -0400
@@ -0,0 +1 @@
+fix_CVE-2012-3458.patch
--- End Message ---
--- Begin Message ---
On 26.08.2012 22:33, David Prévot wrote:
> Please unblock package beaker
> It fixes a security issue ([CVE-2012-3458] #684890). I didn't touch the
> urgency since we're in freeze, and leave it to your appreciation.
Unblocked; thanks.
Regards,
Adam
--- End Message ---