gnupg upload for CVE-2017-7526
Hi gnupg maintainers, security team, attached debdiff addresses the above CVE for jessie. O.k. to upload to security-master? Cheers, -- Guido diff --git a/debian/changelog b/debian/changelog index 0d7216d0..944857c8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +gnupg (1.4.18-7+deb8u4) jessie-security; urgency=high + + * Backport fixes for CVE-2017-7526 from STABLE-BRANCH-1-4 branch + + -- Guido Günther Wed, 30 Aug 2017 08:08:14 +0200 + gnupg (1.4.18-7+deb8u3) jessie; urgency=medium * Non-maintainer with maintainers approval. diff --git a/debian/patches/security/CVE-2017-7526-mpi-Minor-fix-for-mpi_pow.patch b/debian/patches/security/CVE-2017-7526-mpi-Minor-fix-for-mpi_pow.patch new file mode 100644 index ..251dc319 --- /dev/null +++ b/debian/patches/security/CVE-2017-7526-mpi-Minor-fix-for-mpi_pow.patch @@ -0,0 +1,34 @@ +From: NIIBE Yutaka +Date: Fri, 7 Jul 2017 15:12:00 +0900 +Subject: CVE-2017-7526: mpi: Minor fix for mpi_pow. + +* mpi/mpi-pow.c (mpi_powm): Fix allocation size. + +Signed-off-by: NIIBE Yutaka +(cherry picked from commit 554ded4854758bf6ca268432fa087f946932a409) +--- + mpi/mpi-pow.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c +index acddca9..0078b84 100644 +--- a/mpi/mpi-pow.c b/mpi/mpi-pow.c +@@ -162,7 +162,7 @@ mpi_powm( MPI res, MPI base, MPI exponent, MPI mod) + + { + mpi_size_t i; +- mpi_ptr_t xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec ); ++ mpi_ptr_t xp = xp_marker = mpi_alloc_limb_space( size, msec ); + int c; + mpi_limb_t e; + mpi_limb_t carry_limb; +@@ -499,7 +499,7 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + struct karatsuba_ctx karactx; + mpi_ptr_t tp; + +-xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec ); ++xp = xp_marker = mpi_alloc_limb_space( size, msec ); + + memset( &karactx, 0, sizeof karactx ); + negative_result = (ep[0] & 1) && bsign; diff --git a/debian/patches/security/CVE-2017-7526-mpi-Same-computation-for-square-and-multipl.patch b/debian/patches/security/CVE-2017-7526-mpi-Same-computation-for-square-and-multipl.patch new file mode 100644 index ..88639b1d --- /dev/null +++ b/debian/patches/security/CVE-2017-7526-mpi-Same-computation-for-square-and-multipl.patch @@ -0,0 +1,165 @@ +From: NIIBE Yutaka +Date: Fri, 7 Jul 2017 14:38:19 +0900 +Subject: CVE-2017-7526: mpi: Same computation for square and multiply for + mpi_pow. + +* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move +the assignment to base_u into the loop. Copy content refered by RP to +BASE_U except the last of the loop. + +-- + +Signed-off-by: NIIBE Yutaka + +(backport commit of libgcrypt master: +78130828e9a140a9de4dafadbc844dbb64cb709a) + +(cherry picked from commit 12029f83fd0ab3e8ad524f6c9135854662fddfd1) +--- + mpi/mpi-pow.c | 72 +++ + 1 file changed, 38 insertions(+), 34 deletions(-) + +diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c +index 76ddf95..acddca9 100644 +--- a/mpi/mpi-pow.c b/mpi/mpi-pow.c +@@ -387,6 +387,9 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + size = 2 * msize; + msign = mod->sign; + ++ ep = expo->d; ++ MPN_NORMALIZE(ep, esize); ++ + if (esize * BITS_PER_MPI_LIMB > 512) + W = 5; + else if (esize * BITS_PER_MPI_LIMB > 256) +@@ -403,10 +406,9 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + bsec = mpi_is_secure(base); + + rp = res->d; +- ep = expo->d; + + if (!msize) +- msize = 1 / msize; /* provoke a signal */ ++msize = 1 / msize; /* provoke a signal */ + + if (!esize) + { +@@ -463,7 +465,8 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + } + + +- /* Make BASE, EXPO and MOD not overlap with RES. */ ++ /* Make BASE, EXPO not overlap with RES. We don't need to check MOD ++ because that has already been copied to the MP var. */ + if ( rp == bp ) + { + /* RES and BASE are identical. Allocate temp. space for BASE. */ +@@ -477,13 +480,6 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + ep = ep_marker = mpi_alloc_limb_space( esize, esec ); + MPN_COPY(ep, rp, esize); + } +- if ( rp == mp ) +-{ +- /* RES and MOD are identical. Allocate temporary space for MOD.*/ +- assert (!mp_marker); +- mp = mp_marker = mpi_alloc_limb_space( msize, msec ); +- MPN_COPY(mp, rp, msize); +-} + + /* Copy base to the result. */ + if (res->alloced < size) +@@ -529,7 +525,10 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + MPN_COPY (precomp[i], rp, rsize); + } + ++if (msize > max_u_size) ++ max_u_size = msize; + base_u = mpi_alloc_limb_space (max_u_size, esec); ++MPN_ZERO (base_u, max_u_size); + + i = esize - 1; + +@@ -574,6 +573,10 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + { + int c
Re: [tracker] New sub-states for issues tagged no-dsa
Hi, On Fri, Aug 11, 2017 at 09:01:37PM +0200, Sébastien Delafond wrote: > After some discussion about what no-dsa really means, I've added 2 new > sub-states to the tracker, and they can be used as follows: > > CVE-2018-10012345 >- foo (bug #9876543) >[stretch] - shadow (Minor issue, later) >[jessie] - shadow (Minor issue, later) >[wheezy] - shadow (Minor issue, later) > CVE-2018-10012346 >- foo (bug #9876542) >[stretch] - shadow (maintainer choice) >[jessie] - shadow (maintainer choice) >[wheezy] - shadow (maintainer choice) > > The actual state will still be "no-dsa" in both cases, but hopefully the > sub-state clears things up as to *why* we chose no-dsa. This is awesome and will make it much clearer why s.th. is actually no-dsa. We can now also go through postponed issues and check whether they actually got fixed in a point release. Cheers, -- Guido > > The per-issue web views does expose those sub-states, see for instance > libemail-address-perl[1] and cacti[2], and the status pages[3][4][5] > allow to filter on them (someone with actual web skills should probably > make it so that checking "include issues tagged " > automatically checks "include issues tagged "). > > Cheers, > > --Seb > > [1] > https://security-tracker.debian.org/tracker/source-package/libemail-address-perl > [2] https://security-tracker.debian.org/tracker/source-package/cacti > [3] https://security-tracker.debian.org/tracker/status/release/stable > [4] https://security-tracker.debian.org/tracker/status/release/oldstable > [5] https://security-tracker.debian.org/tracker/status/release/oldoldstable >
Re: Call for testing: upcoming libxml2 security update
Hi, On Sat, May 28, 2016 at 11:35:18AM +0200, Salvatore Bonaccorso wrote: > Hi > > The upcoming libxml2 security update is little more bigger than usual, > thus we want to expose the package a bit for additional testing. If > you find a problem introduced by updating to these packages, please > report the problem directly to t...@security.debian.org . > > The packages can be found at: > > https://people.debian.org/~carnil/tmp/libxml2/jessie/ > > (amd64 builds only) > > While preparing the jessie-security update, The commits were > backported as well for libxml2 in wheezy. If you are using them please > test the packages at > > https://people.debian.org/~carnil/tmp/libxml2/wheezy/ After smoke testing via xml-lint and virt-xml-validate I tested this on a a wheezy machine relying on libxml2 for: # whatmaps libxml2 Services that possibly need to be restarted: clamav-freshclam bind9 libvirtd clamav-daemon with no ill effects so far. I also had a quick look at the patches (at least making sure every CVE has a corresponding patch) Cheers and thanks a lot for working on this! -- Guido
DSA for lxc CVE-2015-1335 [was Re: working for wheezy-security until wheezy-lts starts]
Hi, On Tue, Mar 01, 2016 at 08:01:20PM +0100, Moritz Muehlenhoff wrote: > On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote: > > On 2016-03-01, Mike Gabriel wrote: > > > @Security Team: Shall we (LTS contributors) handle wheezy-security > > > updates like described below until Debian wheezy LTS comes into play? > > > > > >o Pick a package that has open CVE issues in wheezy, e.g. from > > > above list > > >o Add the package to data/dsa-needed.txt, if not already there: > > Don't add anything to dsa-needed.txt directly, but rather ask team@ first > whether this actually qualifies for a DSA. Packages get only added there > after individual assessment. O.k. to grab lxc fixing CVE-2015-1335 to dsa-needed ? Cheers, -- Guido
Re: working for wheezy-security until wheezy-lts starts
On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote: [..snip..] > >>Issues that are unfixed in wheezy but fixed in squeeze: > >>* aptdaemon-> CVE-2015-1323 > >>* cakephp -> TEMP-000-698CF7 > >>* dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700 > >>* eglibc -> CVE-2014-9761 > >>* extplorer-> CVE-2015-0896 > >>* fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E > >>* gosa -> CVE-2014-9760 CVE-2015-8771 > >>* gtk+2.0 -> CVE-2013-7447 > >>* icu -> CVE-2015-2632 > >>* imagemagick -> TEMP-0773834-5EB6CF > >>* imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764 > >>* inspircd -> CVE-2015-8702 > >>* libebml -> CVE-2015-8790 CVE-2015-8791 > >>* libidn -> CVE-2015-2059 TEMP-000-54045E > >>* libmatroska -> CVE-2015-8792 > >>* libsndfile -> CVE-2014-9756 CVE-2015-7805 > >>* libstruts1.2-java-> CVE-2015-0899 > >>* libtorrent-rasterbar -> CVE-2015-5685 > >>* mono -> CVE-2009-0689 > >>* nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938 > >>* optipng -> CVE-2015-7801 > >>* phpmyadmin -> CVE-2016-2039 CVE-2016-2041 > >>* pixman -> CVE-2014-9766 > >>* python-tornado -> CVE-2014-9720 > >>* roundcube-> CVE-2015-8770 > >>* srtp -> CVE-2015-6360 > >>* tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033 > >>CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227 > >>CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 > >>CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 > > > >I'm focusing on these picking older ones over newer ones to not stomp > >onto the security teams toes. > > Do you announce anywhere, that you will start working on a specific package? > Wouldn't it make sense to put all the packages listed below into > data/dsa-needed.txt (with approval from the Security Team) and then put our > names behind those package names? In order to avoid double work I added these to dsa-needed.txt and put my name on the line. Cheers, -- Guido
Re: working for wheezy-security until wheezy-lts starts
Hi, On Mon, Feb 29, 2016 at 03:25:46PM +, Mike Gabriel wrote: > For this, we can run bin/lts-needs-forward-port.py from the secure-testing > repo and see what issues we fixed in squeeze and port those fixes to the > package version in wheezy-security. Package updates must be coordinated with > the Debian Security Team, not within the LTS team, though: > > * prepare a fixed package > * test the package > * send a .debdiff to t...@security.debian.org > * wait for feedback and ideally permission to upload to wheezy-security That's what I'm doing at the moment (sending the debdiff to the bug report in case there is one as well) for issues that are unfixed (not no-dsa, see below). [..snip..] > Issues that are unfixed in wheezy but fixed in squeeze: > * aptdaemon-> CVE-2015-1323 > * cakephp -> TEMP-000-698CF7 > * dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700 > * eglibc -> CVE-2014-9761 > * extplorer-> CVE-2015-0896 > * fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E > * gosa -> CVE-2014-9760 CVE-2015-8771 > * gtk+2.0 -> CVE-2013-7447 > * icu -> CVE-2015-2632 > * imagemagick -> TEMP-0773834-5EB6CF > * imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764 > * inspircd -> CVE-2015-8702 > * libebml -> CVE-2015-8790 CVE-2015-8791 > * libidn -> CVE-2015-2059 TEMP-000-54045E > * libmatroska -> CVE-2015-8792 > * libsndfile -> CVE-2014-9756 CVE-2015-7805 > * libstruts1.2-java-> CVE-2015-0899 > * libtorrent-rasterbar -> CVE-2015-5685 > * mono -> CVE-2009-0689 > * nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938 > * optipng -> CVE-2015-7801 > * phpmyadmin -> CVE-2016-2039 CVE-2016-2041 > * pixman -> CVE-2014-9766 > * python-tornado -> CVE-2014-9720 > * roundcube-> CVE-2015-8770 > * srtp -> CVE-2015-6360 > * tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033 > CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227 > CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351 > CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 I'm focusing on these picking older ones over newer ones to not stomp onto the security teams toes. > > Issues that are no-dsa in wheezy but fixed in squeeze: > * augeas -> CVE-2012-0786 CVE-2012-0787 > * binutils -> TEMP-000-A2945B > * busybox -> TEMP-0803097-A74121 > * chrony -> CVE-2016-1567 > * dbconfig-common -> TEMP-0805638-5AC56F > * dwarfutils -> CVE-2015-8750 > * foomatic-filters -> TEMP-000-ACBC4C > * imagemagick -> CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 > CVE-2014-8716 TEMP-0806441-76CD60 TEMP-0806441-CB092C > * libemail-address-perl -> TEMP-000-F41FA7 > * libfcgi-perl -> CVE-2012-6687 > * librsvg -> CVE-2015-7557 > * libsndfile -> CVE-2014-9496 > * libunwind-> CVE-2015-3239 > * openslp-dfsg -> CVE-2012-4428 > * openssh -> CVE-2015-5352 CVE-2015-5600 > * php5 -> CVE-2011-0420 CVE-2011-1657 > * postgresql-8.4 -> CVE-2015-3165 CVE-2015-3166 CVE-2015-3167 > CVE-2015-5288 > * python-scipy -> CVE-2013-4251 > * python2.6-> CVE-2011-4940 CVE-2013-4238 CVE-2014-1912 > * qt4-x11 -> CVE-2015-0295 CVE-2015-1858 CVE-2015-1859 > CVE-2015-1860 > * remind -> CVE-2015-5957 > * ruby1.8 -> CVE-2009-5147 > * ruby1.9.1-> CVE-2009-5147 > * t1utils -> CVE-2015-3905 > * texlive-extra-> CVE-2012-2120 > * tomcat6 -> CVE-2013-4590 > * vorbis-tools -> CVE-2014-9638 CVE-2014-9639 CVE-2014-9640 > CVE-2015-6749 > """ I think these would be adressed via stable point release updates in wheezy/jessie rather than going via the security team. Cheers, -- Guido
Re: goals for hardening Debian: ideas and help wanted
On Tue, Apr 29, 2014 at 11:35:26AM +0800, Paul Wise wrote: > On Tue, Apr 29, 2014 at 8:07 AM, Marko Randjelovic wrote: > > > - security patches should be clearly marked as such in every *.patch > > file > > That sounds like a good idea, could you add it to the wiki page? It's not always easy to say wether a patch is security relevant but for the obvious ones (e.g. those with a CVE assigned) I put them into debian/patches/security and noticed other packages doing the same. This makes it simple to distinguish them in i.e. gitweb without having to look into every patch for the DEP-3 header. Cheers, -- Guido -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140429065533.ga3...@bogon.m.sigxcpu.org