FYI... We sent this to oss-security, various security teams and our
maintatiners.

---------- Forwarded message ----------
From: Jeffrey Walton <noloa...@gmail.com>
Date: Mon, Sep 19, 2016 at 10:32 AM
Subject: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and
down level remediation
To: <redacted>

Hi Everyone,

Crypto++ 5.6.5 will be released within a month or so to remediate the
information disclosure from CVE-2016-742. Distros will need to patch
Crypto++ 5.6.4 and below. The following provides more information and
procedures we recommend for down level Crypto++.

We re-engineered the "debugging and diagnostic" support area because
documenting the behaviors did *not* reduce the risk; rather it simply
moved the blame around. You can see the staged changes at
https://github.com/weidai11/cryptopp/issues/277#issuecomment-247829210.

We believe the best course of action for a distro is to render the
asserts inert in Crypto++ 5.6.4 and below because they are expected to
be removed by NDEBUG. However a simple sed and 's|<exp>||g' won't
work as expected.

If you have any problems or questions, then please email me or call
me. My cell number is <redacted>. My home number is
<redacted>. Distros get special treatment because they are so
important to the ecosystem.

My apologies for the inconvenience and trouble this has caused.

Jeff

**********

To remediate CVE-2016-7420 in Crypto++ 5.6.4 and below, perform the following.

1. Crypto++ 5.6.2 and below (Crypto++ 5.6.4 and 5.6.3 has it, so skip
this step).

    (a) Add CRYPTOPP_UNSED macro to config.h

     #define CRYPTOPP_UNSED(x) ((void)(x))

2. Change every assert() to CRYPTOPP_UNUSED()

    (a) replace en masse
    (b) find with sed or grep and 'assert[[:space:]]*('

3. Verify changes

    (a) cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
    (b) should only see compile-time assert

4. Test changes

    (a) 'make clean && make -j 4'
    (b) './cryptest.exe v'

5. Update the package

    (a) rebuild the library and package it
          - all asserts rendered inert
    (b) rebuild all dependent packages
          - asserts in Crypto++ headers could cross-pollinate

**********

Procedures performed on Crypto++ 5.6.2:

# Prepare
$ git clone https://github.com/weidai11/cryptopp cryptopp-assert
$ cd cryptopp-assert
$ git checkout CRYPTOPP_5_6_2

# Step 1 (Add)
$ echo "#define CRYPTOPP_UNUSED(x) ((void)(x))" >> config.h

# Step 2 (Replace)
$ sed -i "" 's|assert[[:space:]]*(|CRYPTOPP_UNUSED(|g' *.h *.cpp

# Step 3 (Verify)
$ cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
#define CRYPTOPP_COMPILE_ASSERT(assertion)
CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, __LINE__)
#define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance)

# Step 4 (Test)
$ make clean && make -j 4
$ ./cryptest.exe v   # Tail should report no failures

# Step 5 (Repackage)
...

-- 
-- 
You received this message because you are subscribed to the "Crypto++ Users" 
Google Group.
To unsubscribe, send an email to cryptopp-users-unsubscr...@googlegroups.com.
More information about Crypto++ and this group is available at 
http://www.cryptopp.com.
--- 
You received this message because you are subscribed to the Google Groups 
"Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cryptopp-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to