[SECURITY] [DLA 1332-1] libvncserver security update

2018-03-30 Thread Abhijith PA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Package: libvncserver
Version: 0.9.9+dfsg-1+deb7u3
CVE ID : CVE-2018-7225
Debian Bug : 894045

libvncserver versions through 0.9.11 do not sanitize msg.cct.length,
which may result in access to uninitialized and potentially sensitive
data or possibly unspecified other impact (e.g., an integer overflow)
via specially crafted VNC packets.

For Debian 7 "Wheezy", these problems have been fixed in version
0.9.9+dfsg-1+deb7u3.

We recommend that you upgrade your libvncserver packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlq+j5AACgkQhj1N8u2c
KO8XMhAAkgo6ztI/qKFK0cti1YZYzT/S3si8MKyJ6+P0+YNoLPgYL/9JIVAYpU32
gx+iGDLX07L2HcioPLQ3YmOgYjpJBgiPWXxeeOunyra+csHsfZDXr+UqQ3Rdh0tm
1iXV0nti7VIxJV7VnNx3pGYGgbTl2EGUIyX80+WBgI/tml9S885CiO9e5nQnbMLt
Wp56PXGUK+PY52i2ifODD/RSMlv+WaRlrRdLQazpeHJ7ZrqaXluHMTp6PVNHaRq+
opcE/h5nx5xYmI+AYVoqqD9s6xKK2hQMe5MOBk0Zamf4Nh3n3uwtGwT+KUevAKNP
meFTimE0RfceqNgcWKcRo9nq5y+Xc8+Zb/LVRxmN3pjCAeQSnBiTcztNpkoVniQL
C0N5dUkMW+mPcAupxTHVk78YcBTOGvCrIkh2h/QTsv2syz9g9+JftVfP+pqq/f2z
F5JIirtUy/LSBKe5tWMEr5oSLxZ36xVZtOcfaF4kdlHJ+/ucCz2rG8C8XIwwyuuv
k8Mi2AlViRctM5WcVC6Y+96hCKhbNaVa2QRooKgrwT7fG2Qv2Hb4YwKBTeVojZFB
5LoVSLJ+Jkx8AQ2gaE7NSEqnV4P6h1j0HTtwGTieWIJv8hsHTG/Bz8jqB6SupDXP
EungSLVKKchqN48h0IyqfSY4mg6DzhMfTey4BRK2fuqB4VSOejQ=
=3e2Y
-----END PGP SIGNATURE-----



Re: upload libvncserver

2018-03-30 Thread Abhijith PA


On Friday 30 March 2018 11:28 PM, Ola Lundqvist wrote:
> Hi
> 
> I have re-built the package and uploaded now. Will you send the DLA or
> do you want me to do that too?
> 
> // Ola
> 

Thanks.
I will send the DLA.

--abhijith



Accepted libvncserver 0.9.9+dfsg-1+deb7u3 (source amd64) into oldoldstable

2018-03-30 Thread Abhijith PA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 29 Mar 2018 22:55:20 +0530
Source: libvncserver
Binary: libvncserver0 libvncserver-dev libvncserver-config libvncserver0-dbg linuxvnc
Architecture: source amd64
Version: 0.9.9+dfsg-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Luca Falavigna 
Changed-By: Abhijith PA 
Description: 
 libvncserver-config - API to write one's own vnc server - library utility
 libvncserver-dev - API to write one's own vnc server - development files
 libvncserver0 - API to write one's own vnc server
 libvncserver0-dbg - debugging symbols for libvncserver
 linuxvnc   - VNC server to allow remote access to a tty
Closes: 894045
Changes: 
 libvncserver (0.9.9+dfsg-1+deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload for the Debian LTS Team.
   * CVE-2018-7225: rfbserver.c does not sanitize msg.cct.length, leading to
     access to uninitialized and potentially sensitive data or possibly
     unspecified other impact (e.g., an integer overflow) via specially crafted
     VNC packets (Closes: #894045)
Checksums-Sha1:
 788e3eb2d3f7da9e777ad43b9f290605027ddb53 2228 libvncserver_0.9.9+dfsg-1+deb7u3.dsc
 3984f3f758684e984ee51e57aa5917b0fa58e4eb 18886 libvncserver_0.9.9+dfsg-1+deb7u3.debian.tar.gz
 6ed6670944c3b8b5c0ed65f162a3f56aa67ffe57 280206 libvncserver0_0.9.9+dfsg-1+deb7u3_amd64.deb
 a5bedcdbb2a2085edda1bdaea760dcfd68f0d858 334528 libvncserver-dev_0.9.9+dfsg-1+deb7u3_amd64.deb
 651d9fdb12c91dd4bd9133e6f3fcff420809eba8 75030 libvncserver-config_0.9.9+dfsg-1+deb7u3_amd64.deb
 0c098719c69c5541405bfd9d82d51ad2d1e33c0b 595656 libvncserver0-dbg_0.9.9+dfsg-1+deb7u3_amd64.deb
 843b4c1f8026beab569c1e66088b8a2fa1481e9a 87076 linuxvnc_0.9.9+dfsg-1+deb7u3_amd64.deb
Checksums-Sha256:
 c89eb9bb73aa68a0b893c267fd554b53e45f1e2176ad5e70a4eaabb2e0a24a4b 2228 libvncserver_0.9.9+dfsg-1+deb7u3.dsc
 7770369054c5a89ca3a265a06b56b632edababa7dc236c7ab52aa43981e65c9f 18886 libvncserver_0.9.9+dfsg-1+deb7u3.debian.tar.gz
 24fea418e27ff98a1ef091f238c98cae2626929f994e82d5506f105a17fe43bb 280206 libvncserver0_0.9.9+dfsg-1+deb7u3_amd64.deb
 3271239000e4b44ec20daff28a35b0d826f2ed321bdbcfd5990c6f98a852cde3 334528 libvncserver-dev_0.9.9+dfsg-1+deb7u3_amd64.deb
 c06ae9289a16ca0e1d8ed74fc1c8db3cd73fd10b047ade6bbf757f6f3454a48d 75030 libvncserver-config_0.9.9+dfsg-1+deb7u3_amd64.deb
 f672080d165761589cad2f0a97ff235cecf7faefe4958413246c87ee30223d8e 595656 libvncserver0-dbg_0.9.9+dfsg-1+deb7u3_amd64.deb
 33f02ed853d622c095b2105fd8b2b260e627370a2b8ba4303492d8e70a8dbd3f 87076 linuxvnc_0.9.9+dfsg-1+deb7u3_amd64.deb
Files:
 551843d869476b33f2b11c2f331fdb56 2228 libs optional libvncserver_0.9.9+dfsg-1+deb7u3.dsc
 d430e1871b6be1364a4e080372969cdd 18886 libs optional libvncserver_0.9.9+dfsg-1+deb7u3.debian.tar.gz
 435aef032b33b5bb847f0070d9ff030d 280206 libs optional libvncserver0_0.9.9+dfsg-1+deb7u3_amd64.deb
 8aecd66b8baca9f9dfcf4bc2ccdb7616 334528 libdevel optional libvncserver-dev_0.9.9+dfsg-1+deb7u3_amd64.deb
 80b2c14dc420eef4d56502cf6b12bc3d 75030 libdevel optional libvncserver-config_0.9.9+dfsg-1+deb7u3_amd64.deb
 8a7e557d00d95e6a8d80b6a8545b9aad 595656 debug extra libvncserver0-dbg_0.9.9+dfsg-1+deb7u3_amd64.deb
 ac80fa65857040f91f7aae63b820879b 87076 net optional linuxvnc_0.9.9+dfsg-1+deb7u3_amd64.deb

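The advisory at the top of this digest and the changelog entry above both describe the same defect class: a client-supplied length field (msg.cct.length, the ClientCutText length) that is used before it is checked. As an added example, not LibVNCServer's code and not the patch shipped in this upload, here is a parser for that message that validates the declared length against a cap and against the bytes actually received before any payload is read. The wire layout follows RFC 6143 section 7.5.6; the cap MAX_CUT_TEXT, the function names and the rejection codes are assumptions of this example.

```python
"""Constructed example: validating the RFB ClientCutText length before use."""
import struct

CLIENT_CUT_TEXT = 6                 # RFB client-to-server message type (RFC 6143)
HEADER = struct.Struct(">B3xI")     # type byte, 3 padding bytes, big-endian U32 length
MAX_CUT_TEXT = 1 << 20              # assumed policy cap: 1 MiB of clipboard text


class RejectedMessage(Exception):
    """Validation failure; a server would log it and close the connection."""

    def __init__(self, code: str, detail: str):
        super().__init__(f"{code}: {detail}")
        self.code = code


def parse_client_cut_text(data: bytes) -> tuple:
    """Return (text, bytes_consumed) for one message at the start of data.

    Every check runs on the declared length *before* the payload is touched, so a
    hostile value can neither drive an oversized allocation nor make the caller
    treat bytes that were never received as clipboard text."""
    if len(data) < HEADER.size:
        raise RejectedMessage("short-header", f"need {HEADER.size} bytes, have {len(data)}")
    msg_type, length = HEADER.unpack_from(data)
    if msg_type != CLIENT_CUT_TEXT:
        raise RejectedMessage("bad-type", f"message type {msg_type}")
    if length > MAX_CUT_TEXT:
        raise RejectedMessage("too-long", f"declared {length}, cap {MAX_CUT_TEXT}")
    end = HEADER.size + length
    if len(data) < end:
        raise RejectedMessage("truncated", f"declared {length}, have {len(data) - HEADER.size}")
    return data[HEADER.size:end].decode("latin-1"), end


def build_client_cut_text(text: str) -> bytes:
    """Construct a well-formed message (used only to produce sample input)."""
    payload = text.encode("latin-1")
    return HEADER.pack(CLIENT_CUT_TEXT, len(payload)) + payload


def validate(data: bytes) -> str:
    """Summarise the parser's verdict as a short code: 'ok' or the rejection reason."""
    try:
        parse_client_cut_text(data)
        return "ok"
    except RejectedMessage as exc:
        return exc.code


if __name__ == "__main__":
    good = build_client_cut_text("clipboard text")
    print(parse_client_cut_text(good))                        # ('clipboard text', 22)
    print(validate(HEADER.pack(CLIENT_CUT_TEXT, 0xFFFFFFFF)))  # too-long
    print(validate(good[:-3]))                                # truncated
```

The order of the checks matters: the cap is compared against the declared length before `end` is computed or any slice is taken, and the truncation check compares against what is actually in the buffer, so a message that claims 4 GiB of text is rejected on the header alone. The returned `bytes_consumed` lets a caller that reads several messages from one stream resynchronise on the next message boundary without trusting the client's value twice.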



Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-03-30 Thread Ola Lundqvist
Hi

We can simply send a DLA-1283-2 telling that it was not fixed.

// Ola

On 29 March 2018 at 21:34, Antoine Beaupré  wrote:

> On 2018-03-27 07:38:43, Brian May wrote:
> > Antoine Beaupré  writes:
> >
> >> I'm not sure. The security team marked that as "no-dsa (minor issue)"
> >> for jessie and stretch, and fixed in pycryptodome 3.4.11-1... Couldn't
> >> we reuse the fixes from cryptodome to get this working properly? Or is
> >> this what you say breaks API compatibility?
> >
> > I don't think I ever said anything about breaking API compatibility.
> >
> > Rather the patch that was applied upstream was considered insufficient
> > (by the security researcher) to fix the problem.
> >
> > This is same patch I used for the LTS problem.
> >
> > Upstream was told about the problem:
> > https://github.com/Legrandin/pycryptodome/issues/90#issuecomment-362783537
> >
> > "This indicates that, with your latest modification, ElGamal encryption
> > is now secure under the DDH assumption. However, this is not true. As I
> > mentioned in my previous comment, you must encode plaintexts as
> > quadratic residues, too (which is, I guess, what breaks compatibility)."
> >
> > ... but they didn't seem to care:
> > https://github.com/Legrandin/pycryptodome/issues/90#issuecomment-362907413
> >
> > "Since the library itself does not support encryption officially, we
> > cannot make claim an implementation using the keys generated by the
> > library is secure or not."
> >
> > So it does look like fixing this properly might break API compatibility,
> > but there are no known fixes we can apply.
>
> Hmm... so I guess the core question here is whether we expect our users
> to actually use cryptodome/pycrypto to do ElGamal-based encryption...
>
> I have the same problem trying to tackle the libgcrypt11 pending
> security issue:
>
> https://security-tracker.debian.org/tracker/CVE-2018-6829
>
> My understanding of this issue is that it only affects consumers of the
> library that use ElGamal for encryption, a similar problem to what is
> described here.
>
> I was tempted to mark this as no-dsa, given how little elgamal is
> actually used in the wild. It was also my understanding that GnuPG
> wasn't vulnerable to this specific issue, but I haven't verified this
> deeply and it's been a while since I checked, so I am not exactly sure
> of that specific claim.
>
> CVE-2018-6594 is marked as no-dsa in Jessie/Stretch, for what that's
> worth...
>
> But the problem now is that we issued DLA-1283-1 to claim this was
> fixed, so at least an update on that should be provided to our users so
> we're clear this is *not* fixed. I'm not sure how to do that.
>
> Does anyone else have suggestions here?
>
> A.
> --
> Debugging is twice as hard as writing the code in the first place.
> Therefore, if you write the code as cleverly as possible, you are, by
> definition, not smart enough to debug it.
> - Brian W. Kernighan
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---
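The researcher's comment quoted in the thread above says that ElGamal is only secure under DDH if plaintexts are encoded as quadratic residues. As an added example, not PyCrypto's or pycryptodome's code, here is a toy ElGamal over the full group Z_p^* that makes the point concrete: without the encoding, a passive observer recovers the Legendre symbol of every plaintext from the ciphertext and public key alone; with the encoding, the observed symbol is always 1 and the plaintext still decrypts correctly. The modulus p = 2039 (a safe prime), the primitive-root generator and all function names are constructed for this example.

```python
"""Constructed example: why ElGamal plaintexts must be encoded as quadratic residues."""
import secrets


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) via Euler's criterion: 1 for a quadratic residue, -1 otherwise."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy modulus used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def find_primitive_root(p: int) -> int:
    """Smallest generator of all of Z_p^*; for a safe prime it suffices to exclude orders 2 and q."""
    q = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)


def keygen(p: int, g: int) -> tuple:
    x = 1 + secrets.randbelow(p - 2)            # private exponent in [1, p-2]
    return x, pow(g, x, p)                      # (x, h = g^x)


def encrypt(p: int, g: int, h: int, m: int) -> tuple:
    k = 1 + secrets.randbelow(p - 2)
    return pow(g, k, p), m * pow(h, k, p) % p   # (c1, c2) = (g^k, m * h^k)


def decrypt(p: int, x: int, c: tuple) -> int:
    c1, c2 = c
    return c2 * pow(c1, p - 1 - x, p) % p       # c1^(-x) by Fermat's little theorem


def observer_symbol(p: int, h: int, c: tuple) -> int:
    """Legendre symbol of the plaintext, recovered from public values only.

    (c2/p) = (m/p) * (h/p)^k and, with g a non-residue, (c1/p) = (-1)^k, so
    (h^k/p) is 1 when h is a residue and equals (c1/p) otherwise."""
    c1, c2 = c
    hk = legendre(c1, p) if legendre(h, p) == -1 else 1
    return legendre(c2, p) * hk


def encode_qr(m: int, p: int) -> int:
    """Map m in [1, q] to a residue: exactly one of m and p-m is a QR when p = 3 (mod 4)."""
    return m if legendre(m, p) == 1 else p - m


def decode_qr(m_enc: int, p: int) -> int:
    q = (p - 1) // 2
    return m_enc if m_enc <= q else p - m_enc


def run_checks(p: int = 2039) -> tuple:
    """Return (raw_symbol_leaks, encoded_symbol_constant, roundtrip_ok) over every plaintext."""
    q = (p - 1) // 2
    assert is_prime(p) and is_prime(q) and p % 4 == 3, "p must be a safe prime"
    g = find_primitive_root(p)
    x, h = keygen(p, g)
    raw_leak = all(observer_symbol(p, h, encrypt(p, g, h, m)) == legendre(m, p)
                   for m in range(1, p))
    encoded_seen = {observer_symbol(p, h, encrypt(p, g, h, encode_qr(m, p)))
                    for m in range(1, q + 1)}
    roundtrip = all(decode_qr(decrypt(p, x, encrypt(p, g, h, encode_qr(m, p))), p) == m
                    for m in range(1, q + 1))
    return raw_leak, encoded_seen == {1}, roundtrip


if __name__ == "__main__":
    print(run_checks())   # (True, True, True)
```

The leak is structural rather than a bug in one implementation: the Legendre symbol is a homomorphism from Z_p^* onto {1, -1}, so in any even-order group it partitions ciphertexts into two halves that an observer can tell apart. Restricting plaintexts to the residue subgroup (which has prime order q for a safe prime) removes that distinguisher, and the decoding step shows why it costs nothing in message space: each m in [1, q] has a unique residue representative among m and p - m.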


[SECURITY] [DLA 1331-1] mercurial security update

2018-03-30 Thread Antoine Beaupré
Package: mercurial
Version: 2.2.2-4+deb7u7
CVE ID : CVE-2018-1000132
Debian Bug : 892964

Mercurial version 4.5 and earlier contains an Incorrect Access Control
(CWE-285) vulnerability in the protocol server that can result in
unauthorized data access. This attack appears to be exploitable via
network connectivity. This vulnerability appears to have been fixed in
4.5.1.

This update also fixes a regression introduced in 2.2.2-4+deb7u5 which
makes the testsuite fail non-deterministically.

For Debian 7 "Wheezy", these problems have been fixed in version
2.2.2-4+deb7u7.

We recommend that you upgrade your mercurial packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 1330-1] openssl security update

2018-03-30 Thread Antoine Beaupré
Package: openssl
Version: 1.0.1t-1+deb7u4
CVE ID : CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive
definition could exceed the stack, potentially leading to a denial of
service.

Details can be found in the upstream advisory: 
https://www.openssl.org/news/secadv/20180327.txt

For Debian 7 "Wheezy", these problems have been fixed in version
1.0.1t-1+deb7u4.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 


signature.asc
Description: PGP signature
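The OpenSSL advisory above concerns constructed ASN.1 types with a recursive definition that could exceed the stack. As an added example, not OpenSSL's code and not the fix shipped in 1.0.1t-1+deb7u4, here is a minimal DER walker that shows the structural mitigation: an explicit nesting limit checked before each recursive descent, so the input can never decide how deep the parser's stack goes. `probe()` with `max_depth=None` shows the unbounded behaviour in Python's terms (a RecursionError) on a constructed 5000-deep chain of SEQUENCEs; MAX_DEPTH and all names are assumptions of this example.

```python
"""Constructed example: a DER walker whose nesting depth is bounded explicitly."""
from typing import Optional

MAX_DEPTH = 32   # assumed policy limit, chosen well below any realistic stack budget


class DerError(ValueError):
    """Malformed input or policy violation; the caller rejects the whole object."""


def read_tlv(buf: bytes, pos: int) -> tuple:
    """Decode one tag/length header at pos; return (tag, constructed, content_start, content_end)."""
    if pos >= len(buf):
        raise DerError("truncated tag")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags are outside this example")
    constructed = bool(tag & 0x20)
    pos += 1
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DerError("indefinite or oversized length")
        if pos + n > len(buf):
            raise DerError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < (0x80 if n == 1 else 1 << (8 * (n - 1))):
            raise DerError("non-minimal length encoding")   # DER requires the shortest form
    if pos + length > len(buf):
        raise DerError("length exceeds buffer")
    return tag, constructed, pos, pos + length


def walk(buf: bytes, pos: int = 0, end: Optional[int] = None, depth: int = 0,
         max_depth: Optional[int] = MAX_DEPTH) -> int:
    """Walk every element in buf[pos:end]; return the deepest nesting level reached.

    The depth check runs before each recursive call, so with a limit the recursion
    can never go more than max_depth frames deep, whatever the input declares."""
    if end is None:
        end = len(buf)
    deepest = depth
    while pos < end:
        tag, constructed, cstart, cend = read_tlv(buf, pos)
        if cend > end:
            raise DerError("element overruns its enclosing element")
        if constructed:
            if max_depth is not None and depth + 1 > max_depth:
                raise DerError(f"nesting deeper than {max_depth}")
            deepest = max(deepest, walk(buf, cstart, cend, depth + 1, max_depth))
        pos = cend
    return deepest


def encode_length(n: int) -> bytes:
    """Shortest DER length encoding for n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def nested_sequences(levels: int) -> bytes:
    """Constructed sample: `levels` SEQUENCEs wrapped around a single INTEGER 1."""
    body = bytes([0x02, 0x01, 0x01])
    for _ in range(levels):
        body = bytes([0x30]) + encode_length(len(body)) + body
    return body


def probe(buf: bytes, max_depth: Optional[int] = MAX_DEPTH) -> str:
    """Run walk() and report the outcome as a short string."""
    try:
        return f"ok:{walk(buf, max_depth=max_depth)}"
    except DerError:
        return "DerError"
    except RecursionError:
        return "RecursionError"   # the interpreter's analogue of running out of stack


if __name__ == "__main__":
    print(probe(nested_sequences(3)))                    # ok:3
    print(probe(nested_sequences(5000)))                 # DerError (rejected at level 33)
    print(probe(nested_sequences(5000), max_depth=None)) # RecursionError
```

The bounded walker rejects the 5000-deep input at level 33, long before the interpreter's own limit, which is the property a C parser needs too: the limit must be enforced by the parser, because the native stack gives no recoverable error when it runs out. A limit in the low tens is generous for real certificate and key structures.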


Re: Bug#892590: Review graphite2

2018-03-30 Thread Moritz Mühlenhoff
On Fri, Mar 30, 2018 at 10:15:41AM +0530, Abhijith PA wrote:
> Drop rene@, jmm@, 892...@bugs.debian.org.
> 
> 
> On Tuesday 20 March 2018 01:47 AM, Moritz Mühlenhoff wrote:
> > On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote:
> >> I am not going over the .-release procedure for this, I'd have uploaded
> >> to security, though, but...
> >>
> >> I don't think we should special-case our oldest,
> >> soon-to-be-not-supported release.
> > 
> > Agreed, it doesn't make sense to fix this bug on its own. We can
^

> Anyway we have to upload this to wheezy-security.

See above.

Cheers,
Moritz