Your message dated Fri, 27 Nov 2020 18:34:02 +0000
with message-id <[email protected]>
and subject line Bug#975084: fixed in tomb 2.8+dfsg1-1
has caused the Debian Bug report #975084,
regarding tomb: Upstream fix for CVE-2020-28638 only hides the issue
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
975084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975084
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tomb
Version: 2.7+dfsg2-2
Severity: important
Tags: security,upstream
Forwarded: https://github.com/dyne/Tomb/issues/392
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
The flaw described in bug #974719 [1] still shows up when using Tomb in
debug mode (-D added to all calls).
Other than stated in bug #974719 [1] tomb 2.5+dfsg1-2 is not affected.
This is the issue I opened upstream:
------ Start of copied message ------
[...]
the fix https://github.com/dyne/Tomb/pull/386 for
https://github.com/dyne/Tomb/issues/385 only hides the issue.
When doing all the calls to tomb with the -D parameter added, the problem is back:
tomb dig -D -s20 test.tomb
DISPLAY=':0' tomb forge -D -f -k test.key
DISPLAY=':0' tomb lock -D -k test.key test.tomb
DISPLAY=':0' tomb open -D -f -k test.key test.tomb
Only the injected password is now a different one. On my test system it is:
tomb [D] asking password with tty=/dev/pts/0 lc-ctype=en_US.UTF-8
Actually ask_password returns several lines of debug output followed by the read-in password:
tomb [D] asking password with tty=/dev/pts/0 lc-ctype=en_US.UTF-8
tomb [D] using pinentry-curses
tomb [D] Detected DISPLAY, but only pinentry-curses is found.
1234
The root cause for the issue is a change to _msg introduced with commit
477ab204439ddb88d7293d3c35a29e29751feda9, "Overhaul message printing".
Before this commit _msg wrote all its output to stderr. Since the
change only failure notifications go to stderr, everything else goes to stdout.
As ask_password returns the read password per stdout, messages printed
to stdout from within ask_password beforehand plus the read password are
received by the calling code on consecutive lines. The first of these lines is
picked as password then.
Not sure how this can be fixed reliably. Maybe ask_password should
return the password in a global variable instead of passing it per stdout.
Regarding CVE-2020-28638:
-----------------------------------------
The commit happened on Nov 24, 2018. This means the flaw affects only
Tomb 2.6 and 2.7. CVE-2020-28638's description should be corrected in this
regard.
[...]
------ End of copied message ------
Sven
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974719
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages tomb depends on:
ii cryptsetup-bin 2:2.3.4-1
ii e2fsprogs 1.45.6-1
ii file 1:5.38-5
ii gettext-base 0.19.8.1-10
ii gnupg 2.2.20-1
ii libc6 2.31-4
ii libgcrypt20 1.8.7-2
ii pinentry-gnome3 [pinentry] 1.1.0-4
ii sudo 1.9.3p1-1
ii zsh 5.8-5
Versions of packages tomb recommends:
ii lsof 4.93.2+dfsg-1
Versions of packages tomb suggests:
pn dcfldd <none>
pn qrencode <none>
pn steghide <none>
pn swish-e <none>
ii unoconv 0.7-2
-- no debconf information
--
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
--- End Message ---
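An added example, not Tomb's code and not part of the bug report above, showing in POSIX shell the failure mode the report describes and the two fixes it points at: a function that returns a secret on stdout while its debug messages also go to stdout hands the caller a debug line in place of the password; sending diagnostics to stderr, or returning the value in a variable as the reporter suggests, restores the one-line contract. The function names, the "[D]" debug text and the password 1234 are constructed for the demonstration; nothing here reads a real terminal or calls pinentry.

```shell
#!/bin/sh
# Added example (not Tomb's code). Models the report's root cause: after the
# message-printing overhaul, non-failure messages went to stdout, the same
# stream ask_password used to hand back the password.

# Stand-in for the post-overhaul _msg: debug lines go to stdout (the defect).
_msg_buggy() { printf 'tomb [D] %s\n' "$1"; }

# Hardened stand-in: diagnostics always go to stderr, never into the data stream.
_msg_fixed() { printf 'tomb [D] %s\n' "$1" >&2; }

# Simulated prompt. In the real tool this is pinentry/read; here it is a
# constructed constant so the script runs offline.
read_secret() { printf '1234'; }

# Debug-mode ask_password as the report describes it: debug lines and the
# password interleave on stdout, so the caller receives several lines.
ask_password_buggy() {
    _msg_buggy 'asking password with tty=/dev/pts/0'
    _msg_buggy 'using pinentry-curses'
    read_secret; printf '\n'
}

# Fix 1: keep diagnostics on stderr so stdout carries only the secret.
ask_password_stderr() {
    _msg_fixed 'asking password with tty=/dev/pts/0'
    _msg_fixed 'using pinentry-curses'
    read_secret; printf '\n'
}

# Fix 2 (the reporter's suggestion): return the value in a variable, so stdout
# is not a return channel at all and stray messages cannot become the key.
ask_password_var() {
    _msg_fixed 'asking password with tty=/dev/pts/0'
    TOMB_PASSWORD=$(read_secret)
}

# Caller pattern from the report: the first line of whatever came back on
# stdout is taken as the password. $1 names the ask_password variant.
first_line() { "$1" 2>/dev/null | head -n 1; }

# How many lines the caller actually received on stdout (1 is the contract).
line_count() { "$1" 2>/dev/null | wc -l | tr -d ' '; }

# Demonstration: the buggy variant hands the caller a debug line as "password".
printf 'buggy  -> %s (%s lines)\n' "$(first_line ask_password_buggy)" "$(line_count ask_password_buggy)"
printf 'stderr -> %s (%s lines)\n' "$(first_line ask_password_stderr)" "$(line_count ask_password_stderr)"
ask_password_var 2>/dev/null
printf 'var    -> %s\n' "$TOMB_PASSWORD"
```

The check worth keeping from this is `line_count`: any function whose stdout is a return channel should yield exactly one line regardless of verbosity flags, and a test that toggles the debug switch and asserts that count would have caught the regression the report describes.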
--- Begin Message ---
Source: tomb
Source-Version: 2.8+dfsg1-1
Done: Sven Geuer <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tomb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Geuer <[email protected]> (supplier of updated tomb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Nov 2020 19:15:59 +0100
Source: tomb
Architecture: source
Version: 2.8+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Sven Geuer <[email protected]>
Closes: 975084
Changes:
tomb (2.8+dfsg1-1) unstable; urgency=medium
.
* New upstream release.
- Fixes CVE-2020-28638: A static string is injected as encryption key when
pinentry-curses is used and $DISPLAY is non-empty.
(Closes: #975084)
- Adapt d/patches/* to new release.
- Remove patch not required any more.
- CVE-2020-28638.patch
- Remove patches adopted by upstream.
- fix-default-cipher.patch
- fix-errors-on-open.patch
- Add new patch to fix mistyped function call.
- fix-typo-calling-pinentry_assuan_getpass.patch
* Update d/copyright.
* Update d/control.
- Remove needless field Pre-Depends.
- Bump Standards-Version to 4.5.1.
Checksums-Sha1:
8dbea979f73ed30a0b3066299fd32ecaa029206e 2037 tomb_2.8+dfsg1-1.dsc
a6126609ffca9fab5953118efa336874d7450e87 1204976 tomb_2.8+dfsg1.orig.tar.xz
26015c0654cd80f8c6004775c1623c83b2251825 6912 tomb_2.8+dfsg1-1.debian.tar.xz
e3f67053101a553d03218a7b010b0865a2899814 6089 tomb_2.8+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
acb3f64c0eb72be68b4876bc0eb7b2178673fecdc11cc204107a30d4319d3efc 2037 tomb_2.8+dfsg1-1.dsc
566403a031a68312d33949c9f19b7d1d6690dcfbc5aa0d132fb41aafa9ab4954 1204976 tomb_2.8+dfsg1.orig.tar.xz
9c4232e5e3865ff028b9d3297ae25eb4624e5029762aa271e57726bb357b3c18 6912 tomb_2.8+dfsg1-1.debian.tar.xz
009ccef150340f62ce701a1c70fb3f52eeda2841300de23d51b3420c6abb0d8f 6089 tomb_2.8+dfsg1-1_amd64.buildinfo
Files:
9d247bcbb0ddd39c8c7fe8f1a22029c5 2037 utils optional tomb_2.8+dfsg1-1.dsc
7602449ca461ad601184f3ccc415b0b2 1204976 utils optional tomb_2.8+dfsg1.orig.tar.xz
b511ba153532723ef13efc1691375b84 6912 utils optional tomb_2.8+dfsg1-1.debian.tar.xz
32f9ce62f33f4c4743c953ade6ed2717 6089 utils optional tomb_2.8+dfsg1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
[...]
-----END PGP SIGNATURE-----
--- End Message ---