Dear maintainer of beaker,

I've prepared an NMU for beaker (versioned as 1.6.3-1.1) and uploaded it to
DELAYED/2. Please feel free to tell me if I should delay it longer.

I've also prepared a package for squeeze-security [0] and will follow up
via RT.

        0: http://people.debian.org/~taffit/beaker/

Regards

David


diffstat for beaker-1.6.3 beaker-1.6.3

 changelog                       |    9 +++++++++
 patches/fix_CVE-2012-3458.patch |   36 ++++++++++++++++++++++++++++++++++++
 patches/series                  |    1 +
 3 files changed, 46 insertions(+)

diff -Nru beaker-1.6.3/debian/changelog beaker-1.6.3/debian/changelog
--- beaker-1.6.3/debian/changelog	2012-05-06 16:46:36.000000000 -0400
+++ beaker-1.6.3/debian/changelog	2012-08-24 13:54:40.000000000 -0400
@@ -1,3 +1,12 @@
+beaker (1.6.3-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix security issue, with PyCrypto not securing data such that an attacker
+    could possibly determine parts of the encrypted payload. Patch by Miloslav
+    Trmac of Redhat. [CVE-2012-3458] Closes: #684890
+
+ -- David Prévot <taf...@debian.org>  Fri, 24 Aug 2012 13:54:13 -0400
+
 beaker (1.6.3-1) unstable; urgency=low
 
   [ Andrey Rahmatullin ]
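Review bot: the changelog entry "Fix security issue, with PyCrypto not securing data such that an attacker could possibly determine parts of the encrypted payload" names the symptom but not the defect, and the security-tracker reader will want the defect: `AES.new(key)` with no mode argument is ECB in PyCrypto, and the patch moves the PyCrypto backend to CTR mode. Suggested wording: `* Switch the PyCrypto backend from ECB to CTR mode so that identical plaintext blocks no longer produce identical ciphertext blocks. Patch by Miloslav Trmac of Redhat. [CVE-2012-3458] Closes: #684890`. Worth one more line that data encrypted under the old ECB scheme will not decrypt after the upgrade, since the new `aesDecrypt` applies a CTR keystream to it.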
diff -Nru beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch
--- beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch	1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch	2012-08-24 14:04:48.000000000 -0400
@@ -0,0 +1,36 @@
+From: Ben Bangert <b...@groovie.org>
+Subject : Fix security issue CVE-2012-3458
+
+  Fix security issue, with PyCrypto not securing data such that an attacker
+  could possibly determine parts of the encrypted payload. Patch by Miloslav
+  Trmac of Redhat. [CVE-2012-3458]
+
+Origin: upstream, https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5
+Bug-Debian: http://bugs.debian.org/684890
+
+--- beaker-1.6.3.orig/beaker/crypto/pycrypto.py
++++ beaker-1.6.3/beaker/crypto/pycrypto.py
+@@ -15,17 +15,18 @@ try:
+ 
+ except ImportError:
+     from Crypto.Cipher import AES
++    from Crypto.Util import Counter
+ 
+     def aesEncrypt(data, key):
+-        cipher = AES.new(key)
++        cipher = AES.new(key, AES.MODE_CTR,
++                         counter=Counter.new(128, initial_value=0))
+ 
+-        data = data + (" " * (16 - (len(data) % 16)))
+         return cipher.encrypt(data)
+ 
+     def aesDecrypt(data, key):
+-        cipher = AES.new(key)
+-
+-        return cipher.decrypt(data).rstrip()
++        cipher = AES.new(key, AES.MODE_CTR,
++                         counter=Counter.new(128, initial_value=0))
++        return cipher.decrypt(data)
+ 
+ def getKeyLength():
+     return 32
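Review bot: `Counter.new(128, initial_value=0)` in both `aesEncrypt` and `aesDecrypt` fixes the counter at zero with no nonce, so the keystream depends on `key` alone; any two payloads encrypted under the same key leak their XOR, and a known plaintext in one recovers the other. That is only sound if every caller derives a fresh key per encryption, and the hunk does not say so: add a comment beside the `Counter.new` call (or a sentence in the patch header) stating the one-key-per-message requirement, or thread a per-message nonce into `initial_value`. Two smaller points: the DEP-3 header `Subject :` has a stray space before the colon and should read `Subject:`; and dropping `.rstrip()` from `aesDecrypt` is right for CTR (no padding to strip) but changes the returned value for plaintexts that ended in whitespace, which belongs in the description.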
diff -Nru beaker-1.6.3/debian/patches/series beaker-1.6.3/debian/patches/series
--- beaker-1.6.3/debian/patches/series	1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/series	2012-08-24 13:59:45.000000000 -0400
@@ -0,0 +1 @@
+fix_CVE-2012-3458.patch

Attachment: signature.asc
Description: OpenPGP digital signature
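The defect the changelog describes and the caveat on the fix, shown end to end as an added example (this is not Beaker's or PyCrypto's code). A small HMAC-SHA256 Feistel network stands in for AES so the script runs with the standard library alone; `KEY_A`, `KEY_B` and the session payloads are constructed, and `ecb_encrypt`/`ctr_encrypt` are this example's own names mirroring the pre-patch and post-patch `aesEncrypt`. The behaviour shown (ECB revealing equal blocks, CTR keystream reuse under a fixed counter) is a property of the mode, not of the block cipher underneath.

```python
"""Mode-level demonstration of CVE-2012-3458 and of the fixed-counter caveat.

Added example, not Beaker's code: an HMAC-SHA256 Feistel network stands in for
AES so this runs with the standard library only.
"""
import hashlib
import hmac

BLOCK = 16  # 16-byte blocks, the AES block size the patched code works on

# Constructed keys and payloads for the demonstration (Beaker's own key
# derivation is not shown on the page and is not reproduced here).
KEY_A = b"\x01" * 32
KEY_B = b"\x02" * 32
P1 = b'{"user": "alice", "admin": false}'   # 33 bytes
P2 = b'{"user": "bobby", "admin": true }'   # 33 bytes, same length as P1


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: a keyed PRF over (round index, right half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with an 8-round balanced Feistel network.
    Like AES it is a keyed permutation: equal inputs give equal outputs."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor_bytes(left, _round_function(key, rnd, right))
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Pre-patch scheme: space padding, then each block encrypted on its own
    (PyCrypto's AES.new(key) with no mode argument is ECB)."""
    padded = data + b" " * (BLOCK - (len(data) % BLOCK))
    return b"".join(encrypt_block(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ecb_equal_blocks(ciphertext: bytes):
    """Index pairs of identical ciphertext blocks. Under ECB every pair tells
    the holder of the ciphertext that two plaintext blocks are equal, no key needed."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return [(i, j) for i in range(len(blocks)) for j in range(i + 1, len(blocks))
            if blocks[i] == blocks[j]]


def ctr_encrypt(key: bytes, data: bytes, initial_value: int = 0) -> bytes:
    """Post-patch scheme: CTR mode with a 128-bit big-endian counter starting at
    initial_value, mirroring Counter.new(128, initial_value=0). The same call
    decrypts, since CTR just XORs the keystream in."""
    nblocks = -(-len(data) // BLOCK)
    keystream = b"".join(
        encrypt_block(key, ((initial_value + i) % (1 << 128)).to_bytes(BLOCK, "big"))
        for i in range(nblocks))
    return xor_bytes(data, keystream)


def recover_from_keystream_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 were made with the same key and the same fixed counter,
    c1 XOR c2 == p1 XOR p2, so knowing p1 yields p2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    repeated = b"A" * 16 + b"B" * 16 + b"A" * 16
    print("ECB equal-block pairs:", ecb_equal_blocks(ecb_encrypt(KEY_A, repeated)))
    print("CTR equal-block pairs:", ecb_equal_blocks(ctr_encrypt(KEY_A, repeated)))
    c1, c2 = ctr_encrypt(KEY_A, P1), ctr_encrypt(KEY_A, P2)
    print("same key, counter 0, known P1 ->", recover_from_keystream_reuse(c1, c2, P1))
    c2_fresh = ctr_encrypt(KEY_B, P2)
    print("fresh key per payload ->", recover_from_keystream_reuse(c1, c2_fresh, P1))
```

The first result is the CVE: ECB reports that blocks 0 and 2 of the ciphertext are equal, which the CTR ciphertext does not. The second is the caveat on the fix: with `initial_value=0` and no nonce, two payloads under one key give `c1 XOR c2 == P1 XOR P2`, and a known `P1` recovers `P2` byte for byte; only a fresh key (or a per-message counter value) per payload removes that. Whether the key Beaker hands to `aesEncrypt` is fresh for every payload is not shown on this page and is the thing to check before relying on the patch as-is.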