Processed: Re: Bug#700758: bcrypt: Bcrypt exposes patterns in data, it is broken

2014-05-23 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 740748 bcrypt
Bug #740748 [ftp.debian.org] RM: bcrypt -- RoQA; insecure
Bug reassigned from package 'ftp.debian.org' to 'bcrypt'.
Ignoring request to alter found versions of bug #740748 to the same values 
previously set
Ignoring request to alter fixed versions of bug #740748 to the same values 
previously set
> forcemerge 700758 740748
Bug #700758 {Done: Agustin Martin Domingo } [bcrypt] 
bcrypt: Bcrypt exposes patterns in data, it is broken
Bug #740748 [bcrypt] RM: bcrypt -- RoQA; insecure
Severity set to 'grave' from 'normal'
Marked Bug as done
Marked as fixed in versions bcrypt/1.1-8.1.
Marked as found in versions bcrypt/1.1-8.
Merged 700758 740748
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
700758: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700758
740748: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740748
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#700758: bcrypt: Bcrypt exposes patterns in data, it is broken

2014-05-23 Thread Agustin Martin
reassign 740748 bcrypt
forcemerge 700758 740748
thanks

On Thu, May 08, 2014 at 12:33:23PM +0200, Agustin Martin wrote:
> I plan to upload an encryption-disabled bcrypt package closing #700758, wait for
> it to reach testing in case any problem appears and then reassign #740748 to
> bcrypt and forcemerge it with #700758.

Forcemerging as announced.





Bug#700758: bcrypt: Bcrypt exposes patterns in data, it is broken

2014-05-08 Thread Agustin Martin
On Wed, Apr 09, 2014 at 01:09:40PM +0200, Agustin Martin wrote:
> On Mon, Apr 07, 2014 at 12:38:16PM +0200, Agustin Martin wrote:
> > If something Debian-only is to be done with this package to keep it
> > available, it could be disabling encryption, together with a descriptive
> > error message. This would be a minimal intervention and have the advantages
> > of (1) and (2).
> > 
> > This should be documented in the package description and would allow users
> > to decrypt already encrypted data (you never know where that may appear),
> > but not to encrypt.
> > 
> > What does the maintainer think about this?
> > 
> > Note that this package has been proposed for removal (See cc'ed
> > http://bugs.debian.org/740748), so if any action is intended to keep this
> > package in the archive it should happen soon.
> 
> Although my C skills are not good, I played a bit with this.
> 
> I'd expect the attached patch to handle the encryption disabling.

Since I heard nothing from the maintainer, I plan a 0-day NMU with the attached
patch. I noticed that I still have some stuff encrypted with bcrypt and
would not like to prepare a personal package just to deal with those not yet
found.

ftpmasters, what should I do regarding removal bug #740748? 

I plan to upload an encryption-disabled bcrypt package closing #700758, wait for
it to reach testing in case any problem appears and then reassign #740748 to
bcrypt and forcemerge it with #700758.

Do you prefer both bug reports being closed on upload?

-- 
Agustin
From 4de49e57ba2cf5261951841ac68c44b55cfabef1 Mon Sep 17 00:00:00 2001
From: Agustin Martin Domingo 
Date: Tue, 8 Apr 2014 18:56:40 +0200
Subject: [PATCH] Disable encryption support. See http://bugs.debian.org/700758
 [Bcrypt exposes patterns in data, it is broken]

---
 debian/changelog   |  8 +
 debian/control |  4 ++-
 debian/patches/00list  |  1 +
 .../patches/04_main.c_abort-on-encryption.dpatch   | 39 ++
 debian/patches/05_big_files.dpatch |  0
 5 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100755 debian/patches/04_main.c_abort-on-encryption.dpatch
 mode change 100644 => 100755 debian/patches/05_big_files.dpatch

diff --git a/debian/changelog b/debian/changelog
index 6a4195d..4cd20b7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+bcrypt (1.1-8.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Disable RC broken encryption support (Closes: #700758). Make this a
+decrypt-only package for already created files.
+
+ -- Agustin Martin Domingo   Thu, 08 May 2014 11:46:38 +0200
+
 bcrypt (1.1-8) unstable; urgency=low
 
   * Additional RC bug closed with patch added version 1.1-7. Closes: #693460.
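Review bot: The changelog entry does not mention the mode change 100644 => 100755 of debian/patches/05_big_files.dpatch that the diffstat lists; either add a changelog line for it or leave it out of this NMU, which should carry only the change it announces. The bullet `Disable RC broken encryption support (Closes: #700758)` would also be clearer as `Disable encryption support, which is broken (Closes: #700758)`, stating explicitly that decryption of existing .bfe files keeps working, since that is the user-visible promise of this upload.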
diff --git a/debian/control b/debian/control
index 62b2f6e..0365c77 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,9 @@ Standards-Version: 3.8.3
 Package: bcrypt
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Cross platform file encryption utility using blowfish
+Description: Cross platform file encryption utility using blowfish (Decrypt only)
+ WARNING: decrypt-only Debian package. Encryption disabled.
+ See http://bugs.debian.org/700758.
  Bcrypt is a cross platform file encryption utility.  Encrypted files are
  portable across all supported operating systems and processors.  In addition
  to encrypting your data, bcrypt will by default overwrite the original input
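Review bot: The unchanged body lines right below the new WARNING (`In addition to encrypting your data, bcrypt will by default overwrite the original input`) still present bcrypt as an encryption tool, so the long description now contradicts itself; reword the body to say the package only decrypts files created earlier and why, rather than only prepending a warning. Adding `(Decrypt only)` to the synopsis is the right call, since that is the line package searches show.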
diff --git a/debian/patches/00list b/debian/patches/00list
index 052aff1..3401a60 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1 +1,2 @@
+04_main.c_abort-on-encryption
 05_big_files
diff --git a/debian/patches/04_main.c_abort-on-encryption.dpatch b/debian/patches/04_main.c_abort-on-encryption.dpatch
new file mode 100755
index 000..66ab07f
--- /dev/null
+++ b/debian/patches/04_main.c_abort-on-encryption.dpatch
@@ -0,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_main.c_abort-on-encryption.dpatch by Agustin Martin 
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Disable encryption support. See http://bugs.debian.org/700758
+## DP: Bcrypt exposes patterns in data, it is broken]
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' bcrypt~/main.c bcrypt/main.c
+--- bcrypt~/main.c	2014-04-08 18:38:59.0 +0200
 bcrypt/main.c	2014-04-08 18:39:57.855694078 +0200
+@@ -51,6 +51,11 @@
+   exit(1);
+ }
+ 
++int abort_on_encryption() {
++  fprintf(stderr, "Encryption support disabled. See http://bugs.debian.org/700758\n";);
++  exit(1);
++}
++
+ int parseArgs(int *argc, char **argv, BCoptions *options) {
+   signed char ch; 
+   char *progname;
+@@ -141,6 +146,7 @@
+   if (memcmp(*infile+(strlen(*infile) - 4), ".bfe", 4) == 0)
+ return(1);
+ 
++  abort_on_encryption();
+   s
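Review bot: `abort_on_encryption()` is declared `int` but never returns (its body ends in `exit(1)`), which compilers report as control reaching the end of a non-void function; declare it `void`, or mark it `noreturn`, so the intent is explicit. The `fprintf` line as shown reads `...700758\n";);`, with a `;` inside the argument list that would not compile; if that is only mail-archive mangling it needs no change, but check the dpatch file itself. The `## DP:` description line also carries a stray trailing `]`. This copy of the hunk is cut off after `+   s`, so the second insertion point cannot be reviewed here.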

Bug#700758: bcrypt: Bcrypt exposes patterns in data, it is broken

2014-04-09 Thread Agustin Martin
On Mon, Apr 07, 2014 at 12:38:16PM +0200, Agustin Martin wrote:
> On Mon, Feb 24, 2014 at 04:55:50PM +0100, Ulrik wrote:
> > Hi,
> > 
> > Fixing the flaw is not a good idea. A debian-developed new encrypted
> > file format just to salvage this package? Not a good idea.
> > 
> > Alternatives:
> > 
> > 1) Remove it
> > 2) Document the flaw directly in the package description, recommend
> > a better solution (gpg) directly in the package description.
> > 
> > Alternative (2) would allow users (if any) to decrypt/migrate their data.
> 
> Hi,
> 
> If something Debian-only is to be done with this package to keep it
> available, it could be disabling encryption, together with a descriptive
> error message. This would be a minimal intervention and have the advantages
> of (1) and (2).
> 
> This should be documented in the package description and would allow users
> to decrypt already encrypted data (you never know where that may appear),
> but not to encrypt.
> 
> What does the maintainer think about this?
> 
> Note that this package has been proposed for removal (See cc'ed
> http://bugs.debian.org/740748), so if any action is intended to keep this
> package in the archive it should happen soon.

Although my C skills are not good, I played a bit with this.

I'd expect the attached patch to handle the encryption disabling.

Regards,

-- 
Agustin
From 29d4b4e73f945cbd8a757659e665a70c1ff4b56f Mon Sep 17 00:00:00 2001
From: Agustin Martin Domingo 
Date: Tue, 8 Apr 2014 18:56:40 +0200
Subject: [PATCH] Disable encryption support. See http://bugs.debian.org/700758

---
 debian/control |  2 ++
 debian/patches/00list  |  1 +
 .../patches/04_main.c_abort-on-encryption.dpatch   | 38 ++
 debian/patches/05_big_files.dpatch |  0
 4 files changed, 41 insertions(+)
 create mode 100755 debian/patches/04_main.c_abort-on-encryption.dpatch
 mode change 100644 => 100755 debian/patches/05_big_files.dpatch

diff --git a/debian/control b/debian/control
index 62b2f6e..6a220bd 100644
--- a/debian/control
+++ b/debian/control
@@ -10,6 +10,8 @@ Package: bcrypt
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: Cross platform file encryption utility using blowfish
+ WARNING: decrypt-only Debian package. Encryption disabled.
+ See http://bugs.debian.org/700758.
  Bcrypt is a cross platform file encryption utility.  Encrypted files are
  portable across all supported operating systems and processors.  In addition
  to encrypting your data, bcrypt will by default overwrite the original input
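Review bot: Only the long description gains the decrypt-only warning; the synopsis `Cross platform file encryption utility using blowfish` is unchanged, and that is the line `apt-cache search` and package lists display, so users choosing the package never see the warning. Flag decrypt-only in the synopsis as well, and reword the body lines below it (`In addition to encrypting your data ...`) that still describe encryption as a feature of the package.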
diff --git a/debian/patches/00list b/debian/patches/00list
index 052aff1..3401a60 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1 +1,2 @@
+04_main.c_abort-on-encryption
 05_big_files
diff --git a/debian/patches/04_main.c_abort-on-encryption.dpatch b/debian/patches/04_main.c_abort-on-encryption.dpatch
new file mode 100755
index 000..694f305
--- /dev/null
+++ b/debian/patches/04_main.c_abort-on-encryption.dpatch
@@ -0,0 +1,38 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_main.c_abort-on-encryption.dpatch by Agustin Martin 
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Disable encryption support. See http://bugs.debian.org/700758
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' bcrypt~/main.c bcrypt/main.c
+--- bcrypt~/main.c	2014-04-08 18:38:59.0 +0200
 bcrypt/main.c	2014-04-08 18:39:57.855694078 +0200
+@@ -51,6 +51,11 @@
+   exit(1);
+ }
+ 
++int abort_on_encryption() {
++  fprintf(stderr, "Encryption support removed. See http://bugs.debian.org/700758\n";);
++  exit(1);
++}
++
+ int parseArgs(int *argc, char **argv, BCoptions *options) {
+   signed char ch; 
+   char *progname;
+@@ -141,6 +146,7 @@
+   if (memcmp(*infile+(strlen(*infile) - 4), ".bfe", 4) == 0)
+ return(1);
+ 
++  abort_on_encryption();
+   strcat(*outfile, ".bfe");
+   options->type = ENCRYPT;
+ 
+@@ -148,6 +154,7 @@
+   return(1);
+ 
+   } else if ((!key) || (options->type == ENCRYPT)) {
++abort_on_encryption();
+ strcat(*outfile, ".bfe");
+ options->type = ENCRYPT;
+   } else
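Review bot: Placement of the two `abort_on_encryption()` calls looks right: the `.bfe` check above the first call returns before it is reached, so decryption of existing files is untouched, and the second call covers the `(!key) || (options->type == ENCRYPT)` branch before the output name is built. Two things to fix: `abort_on_encryption()` is declared `int` but only ever calls `exit(1)`, so make it `void` (or `noreturn`) to avoid a missing-return warning; and the message says `Encryption support removed` while the control description says `Encryption disabled`, so settle on one wording. The `\n";)` in the `fprintf` line would not compile as shown; confirm it is an archive artifact rather than what is in the file.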
diff --git a/debian/patches/05_big_files.dpatch b/debian/patches/05_big_files.dpatch
old mode 100644
new mode 100755
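Review bot: The mode change 100644 => 100755 on debian/patches/05_big_files.dpatch is unrelated to disabling encryption and is not explained in the commit message; dpatch files are scripts with a `#! /bin/sh /usr/share/dpatch/dpatch-run` shebang, so the change may well be correct, but say why it is included or split it into its own commit.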
-- 
1.9.1



Bug#700758: bcrypt: Bcrypt exposes patterns in data, it is broken

2014-04-07 Thread Agustin Martin
On Mon, Feb 24, 2014 at 04:55:50PM +0100, Ulrik wrote:
> Hi,
> 
> Fixing the flaw is not a good idea. A debian-developed new encrypted
> file format just to salvage this package? Not a good idea.
> 
> Alternatives:
> 
> 1) Remove it
> 2) Document the flaw directly in the package description, recommend
> a better solution (gpg) directly in the package description.
> 
> Alternative (2) would allow users (if any) to decrypt/migrate their data.

Hi,

If something Debian-only is to be done with this package to keep it
available, it could be disabling encryption, together with a descriptive
error message. This would be a minimal intervention and have the advantages
of (1) and (2).

This should be documented in the package description and would allow users
to decrypt already encrypted data (you never know where that may appear),
but not to encrypt.

What does the maintainer think about this?

Note that this package has been proposed for removal (See cc'ed
http://bugs.debian.org/740748), so if any action is intended to keep this
package in the archive it should happen soon.

Regards,

-- 
Agustin





Bug#700758: bcrypt: Bcrypt exposes patterns in data, it is broken

2014-02-24 Thread Ulrik
Hi,

Fixing the flaw is not a good idea. A debian-developed new encrypted
file format just to salvage this package? Not a good idea.

Alternatives:

1) Remove it
2) Document the flaw directly in the package description, recommend
a better solution (gpg) directly in the package description.

Alternative (2) would allow users (if any) to decrypt/migrate their data.





Bug#700758: bcrypt: Bcrypt exposes patterns in data, it is broken

2014-01-12 Thread coldtobi
Package: bcrypt
Followup-For: Bug #700758


I see two options:
1) Fix it
2) Remove it

1) Is probably out of scope (ends probably in a fork, breaks compatibility...)

Maybe it should be removed from Debian? (I think we need to
maintain a certain level of quality for the software we have in Debian)

I'd like to hear the maintainer's opinion before any further action...
(Let's say, let's wait a week or two)

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


