Your message dated Wed, 24 Jan 2024 18:39:16 +0100
with message-id <[email protected]>
and subject line Re: Bug#922442: There is a security weakness in p7zip password
encryption. IV for AES-CBC is generated from a very poor RNG (poorly seeded)
and half of it is always zeroes.
has caused the Debian Bug report #922442,
regarding There is a security weakness in p7zip password encryption. IV for
AES-CBC is generated from a very poor RNG (poorly seeded) and half of it is
always zeroes.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
922442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922442
--- Begin Message ---
Package: p7zip
Version: 9.20.1~dfsg.1-4.1+deb8u3
Severity: normal
Tags: security patch
-- System Information:
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 8.0 (jessie)
Release: 8.0
Codename: jessie
Architecture: armv6l
Kernel: Linux 4.14.90+
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages p7zip depends on:
ii libc6 2.19-18+deb8u10
ii libgcc1 1:4.9.2-10+deb8u2
ii libstdc++6 4.9.2-10+deb8u2
p7zip recommends no packages.
Versions of packages p7zip suggests:
pn p7zip-full <none>
-- no debconf information
>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek <[email protected]>
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG used for AES
IV.
Mix in OS randomness for RNG seed. Increase KDF iterations from 1000 to 10000 to get it closer to modern standards.
Use full 16 bytes for AES IV instead of just 8.
---
CPP/7zip/Crypto/7zAes.cpp | 2 +-
CPP/7zip/Crypto/RandGen.cpp | 9 +++++++++
CPP/7zip/Crypto/WzAes.cpp | 2 +-
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CPP/7zip/Crypto/7zAes.cpp b/CPP/7zip/Crypto/7zAes.cpp
index d33b562..64fe7b6 100644
--- a/CPP/7zip/Crypto/7zAes.cpp
+++ b/CPP/7zip/Crypto/7zAes.cpp
@@ -164,7 +164,7 @@ STDMETHODIMP CEncoder::ResetInitVector()
{
for (unsigned i = 0; i < sizeof(_iv); i++)
_iv[i] = 0;
- _ivSize = 8;
+ _ivSize = 16;
g_RandomGenerator.Generate(_iv, _ivSize);
return S_OK;
}
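Review bot: `_ivSize = 16;` is a bare literal with nothing tying it to the size of `_iv`, which the loop above it zeroes by `sizeof(_iv)`; I would state the reason next to it, `_ivSize = 16; // one full AES block: CBC needs an unpredictable IV of block length`. The extra eight bytes are only as unpredictable as the seed of `g_RandomGenerator`, and the RandGen.cpp hunk in this patch changes the seeding on the non-Windows branch only, so the improvement shown here applies to POSIX builds. The same hunk is repeated in the two further copies of the patch on this page.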
diff --git a/CPP/7zip/Crypto/RandGen.cpp b/CPP/7zip/Crypto/RandGen.cpp
index f5ea31f..c141806 100644
--- a/CPP/7zip/Crypto/RandGen.cpp
+++ b/CPP/7zip/Crypto/RandGen.cpp
@@ -10,6 +10,8 @@
#ifndef _WIN32
#include <unistd.h>
+#include <sys/random.h>
+#include <stdint.h>
#define USE_POSIX_TIME
#define USE_POSIX_TIME2
#endif
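Review bot: `#include <sys/random.h>` is added for every non-Windows build, but that header and the `getrandom()` wrapper it declares exist only in glibc 2.25 and later and are missing on several other Unix libcs. The report's own system lists libc6 2.19, so RandGen.cpp would presumably fail to compile on the release the bug was filed against. Guard the include and the call with a feature test such as `#if defined(__GLIBC__) && __GLIBC_PREREQ(2, 25)`, and read the seed bytes from `/dev/urandom` in the other case. The same applies to the repeated copies of this hunk further down the page.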
@@ -58,6 +60,13 @@ void CRandomGenerator::Init()
LARGE_INTEGER v;
if (::QueryPerformanceCounter(&v))
HASH_UPD(v.QuadPart);
+ #else
+ // get real randomness from the OS and mix it in
+ uint64_t randbytes;
+ ssize_t rv = 0;
+ while (rv != sizeof(randbytes))
+ rv = getrandom((void *)&randbytes, sizeof(randbytes), 0);
+ HASH_UPD(randbytes);
#endif
#ifdef USE_POSIX_TIME
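Review bot: The added loop `while (rv != sizeof(randbytes)) rv = getrandom(...)` never terminates if `getrandom()` keeps returning -1, for example with ENOSYS on a kernel that lacks the syscall, so `Init()` would spin at full CPU instead of failing. The return value should be checked, retrying only on EINTR, and `randbytes` should be zero-initialised so a failed call does not feed an indeterminate value to `HASH_UPD`; this needs `<errno.h>`. Since `Init()` returns void, a failure here silently leaves only the previous seed sources, which is the weakness the report describes, so it may be better to surface it to the caller. Only 8 bytes of OS randomness are mixed in while the IV is now 16 bytes, so a larger read would match the new IV size. The `#else` belongs to a conditional that opens above the hunk, and the body of `Init()` continues past it.

```cpp
  #else
  // get real randomness from the OS and mix it in
  uint64_t randbytes = 0;
  size_t got = 0;
  while (got < sizeof(randbytes))
  {
    ssize_t rv = getrandom((Byte *)&randbytes + got, sizeof(randbytes) - got, 0);
    if (rv <= 0)
    {
      if (rv < 0 && errno == EINTR)
        continue;
      break; // persistent failure: keep the other seed sources rather than spin
    }
    got += (size_t)rv;
  }
  HASH_UPD(randbytes);
  #endif
```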
diff --git a/CPP/7zip/Crypto/WzAes.cpp b/CPP/7zip/Crypto/WzAes.cpp
index 4572f06..db81a39 100644
--- a/CPP/7zip/Crypto/WzAes.cpp
+++ b/CPP/7zip/Crypto/WzAes.cpp
@@ -24,7 +24,7 @@ namespace NWzAes {
const unsigned kAesKeySizeMax = 32;
-static const UInt32 kNumKeyGenIterations = 1000;
+static const UInt32 kNumKeyGenIterations = 10000;
STDMETHODIMP CBaseCoder::CryptoSetPassword(const Byte *data, UInt32 size)
{
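Review bot: Raising `kNumKeyGenIterations` in `NWzAes` to 10000 looks like a compatibility break rather than a hardening. To my knowledge the WinZip AES format fixes the PBKDF2 count at 1000 and does not record it in the archive. If so, archives written with this build could not be opened by other tools, and existing WinZip-AES archives would fail to decrypt, since the constant appears to sit in the shared `CBaseCoder` path. I would drop this hunk and keep `static const UInt32 kNumKeyGenIterations = 1000; // fixed by the WinZip AES format, not stored in the archive`. A stronger KDF cost belongs in a format that carries the parameter in its header. The same hunk is repeated in the two further copies of the patch below.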
--
2.17.1
>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek <[email protected]>
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG used for AES
IV.
Mix in OS randomness for RNG seed. Increase KDF iterations from 1000 to 10000 to get it closer to modern standards.
Use full 16 bytes for AES IV instead of just 8.
---
CPP/7zip/Crypto/7zAes.cpp | 2 +-
CPP/7zip/Crypto/RandGen.cpp | 9 +++++++++
CPP/7zip/Crypto/WzAes.cpp | 2 +-
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CPP/7zip/Crypto/7zAes.cpp b/CPP/7zip/Crypto/7zAes.cpp
index d33b562..64fe7b6 100644
--- a/CPP/7zip/Crypto/7zAes.cpp
+++ b/CPP/7zip/Crypto/7zAes.cpp
@@ -164,7 +164,7 @@ STDMETHODIMP CEncoder::ResetInitVector()
{
for (unsigned i = 0; i < sizeof(_iv); i++)
_iv[i] = 0;
- _ivSize = 8;
+ _ivSize = 16;
g_RandomGenerator.Generate(_iv, _ivSize);
return S_OK;
}
diff --git a/CPP/7zip/Crypto/RandGen.cpp b/CPP/7zip/Crypto/RandGen.cpp
index f5ea31f..c141806 100644
--- a/CPP/7zip/Crypto/RandGen.cpp
+++ b/CPP/7zip/Crypto/RandGen.cpp
@@ -10,6 +10,8 @@
#ifndef _WIN32
#include <unistd.h>
+#include <sys/random.h>
+#include <stdint.h>
#define USE_POSIX_TIME
#define USE_POSIX_TIME2
#endif
@@ -58,6 +60,13 @@ void CRandomGenerator::Init()
LARGE_INTEGER v;
if (::QueryPerformanceCounter(&v))
HASH_UPD(v.QuadPart);
+ #else
+ // get real randomness from the OS and mix it in
+ uint64_t randbytes;
+ ssize_t rv = 0;
+ while (rv != sizeof(randbytes))
+ rv = getrandom((void *)&randbytes, sizeof(randbytes), 0);
+ HASH_UPD(randbytes);
#endif
#ifdef USE_POSIX_TIME
diff --git a/CPP/7zip/Crypto/WzAes.cpp b/CPP/7zip/Crypto/WzAes.cpp
index 4572f06..db81a39 100644
--- a/CPP/7zip/Crypto/WzAes.cpp
+++ b/CPP/7zip/Crypto/WzAes.cpp
@@ -24,7 +24,7 @@ namespace NWzAes {
const unsigned kAesKeySizeMax = 32;
-static const UInt32 kNumKeyGenIterations = 1000;
+static const UInt32 kNumKeyGenIterations = 10000;
STDMETHODIMP CBaseCoder::CryptoSetPassword(const Byte *data, UInt32 size)
{
--
2.17.1
>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek <[email protected]>
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG used for AES
IV.
Mix in OS randomness for RNG seed. Increase KDF iterations from 1000 to 10000 to get it closer to modern standards.
Use full 16 bytes for AES IV instead of just 8.
---
CPP/7zip/Crypto/7zAes.cpp | 2 +-
CPP/7zip/Crypto/RandGen.cpp | 9 +++++++++
CPP/7zip/Crypto/WzAes.cpp | 2 +-
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CPP/7zip/Crypto/7zAes.cpp b/CPP/7zip/Crypto/7zAes.cpp
index d33b562..64fe7b6 100644
--- a/CPP/7zip/Crypto/7zAes.cpp
+++ b/CPP/7zip/Crypto/7zAes.cpp
@@ -164,7 +164,7 @@ STDMETHODIMP CEncoder::ResetInitVector()
{
for (unsigned i = 0; i < sizeof(_iv); i++)
_iv[i] = 0;
- _ivSize = 8;
+ _ivSize = 16;
g_RandomGenerator.Generate(_iv, _ivSize);
return S_OK;
}
diff --git a/CPP/7zip/Crypto/RandGen.cpp b/CPP/7zip/Crypto/RandGen.cpp
index f5ea31f..c141806 100644
--- a/CPP/7zip/Crypto/RandGen.cpp
+++ b/CPP/7zip/Crypto/RandGen.cpp
@@ -10,6 +10,8 @@
#ifndef _WIN32
#include <unistd.h>
+#include <sys/random.h>
+#include <stdint.h>
#define USE_POSIX_TIME
#define USE_POSIX_TIME2
#endif
@@ -58,6 +60,13 @@ void CRandomGenerator::Init()
LARGE_INTEGER v;
if (::QueryPerformanceCounter(&v))
HASH_UPD(v.QuadPart);
+ #else
+ // get real randomness from the OS and mix it in
+ uint64_t randbytes;
+ ssize_t rv = 0;
+ while (rv != sizeof(randbytes))
+ rv = getrandom((void *)&randbytes, sizeof(randbytes), 0);
+ HASH_UPD(randbytes);
#endif
#ifdef USE_POSIX_TIME
diff --git a/CPP/7zip/Crypto/WzAes.cpp b/CPP/7zip/Crypto/WzAes.cpp
index 4572f06..db81a39 100644
--- a/CPP/7zip/Crypto/WzAes.cpp
+++ b/CPP/7zip/Crypto/WzAes.cpp
@@ -24,7 +24,7 @@ namespace NWzAes {
const unsigned kAesKeySizeMax = 32;
-static const UInt32 kNumKeyGenIterations = 1000;
+static const UInt32 kNumKeyGenIterations = 10000;
STDMETHODIMP CBaseCoder::CryptoSetPassword(const Byte *data, UInt32 size)
{
--
2.17.1
--- End Message ---
--- Begin Message ---
Source: p7zip
Source-Version: 16.02+transitional.1
Klint Yeastmood pisze:
Hi, has this bug been fixed? After browsing the source at
https://salsa.debian.org/debian/p7zip it looks to me like it hasn't...
p7zip is now a transitional package that depends on the 7zip package, in
which the bug is already fixed.
Regards,
robert
--- End Message ---