Your message dated Sat, 14 Jan 2017 12:37:03 +0000 with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk> and subject line Closing requests included in today's point release has caused the Debian Bug report #849698, regarding jessie-pu: package python-crypto/2.6.1-5+deb8u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 849698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849698 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu Hi I'd like to fix CVE-2013-7459 (#849495) in jessie via the next point release. The issue was marked as no-dsa. The proposed debdiff is attached. The same patch was applied to the package in unstable. Cheers -- Sebastian Ramacherdiff --git a/debian/changelog b/debian/changelog index ecee2bf..0a58374 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +python-crypto (2.6.1-5+deb8u1) jessie; urgency=high + + [ Salvatore Bonaccorso ] + * Throw exception when IV is used with ECB or CTR (CVE-2013-7459) + (Closes: #849495) + + -- Sebastian Ramacher <sramac...@debian.org> Thu, 29 Dec 2016 18:03:48 +0100 + python-crypto (2.6.1-5) unstable; urgency=medium * debian/patches/asn1-decoding.patch: Fix TypeError in ASN1 implementation. diff --git a/debian/patches/CVE-2013-7459.patch b/debian/patches/CVE-2013-7459.patch new file mode 100644 index 0000000..f7c6d81 --- /dev/null +++ b/debian/patches/CVE-2013-7459.patch @@ -0,0 +1,84 @@ +From 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 Mon Sep 17 00:00:00 2001 +From: Legrandin <helder...@gmail.com> +Date: Sun, 22 Dec 2013 22:24:46 +0100 +Subject: [PATCH] Throw exception when IV is used with ECB or CTR + +The IV parameter is currently ignored when initializing +a cipher in ECB or CTR mode. + +For CTR mode, it is confusing: it takes some time to see +that a different parameter is needed (the counter). + +For ECB mode, it is outright dangerous. + +This patch forces an exception to be raised. +--- + lib/Crypto/SelfTest/Cipher/common.py | 31 +++++++++++++++++++++++-------- + src/block_template.c | 11 +++++++++++ + 2 files changed, 34 insertions(+), 8 deletions(-) + +--- a/lib/Crypto/SelfTest/Cipher/common.py ++++ b/lib/Crypto/SelfTest/Cipher/common.py +@@ -239,19 +239,34 @@ class RoundtripTest(unittest.TestCase): + return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,) + + def runTest(self): +- for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP): ++ ++ ## ECB mode ++ mode = self.module.MODE_ECB ++ encryption_cipher = self.module.new(a2b_hex(self.key), mode) ++ ciphertext = encryption_cipher.encrypt(self.plaintext) ++ decryption_cipher = self.module.new(a2b_hex(self.key), mode) ++ decrypted_plaintext = decryption_cipher.decrypt(ciphertext) ++ self.assertEqual(self.plaintext, decrypted_plaintext) ++ ++ ## OPENPGP mode ++ mode = self.module.MODE_OPENPGP ++ encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) ++ eiv_ciphertext = encryption_cipher.encrypt(self.plaintext) ++ eiv = eiv_ciphertext[:self.module.block_size+2] ++ ciphertext = eiv_ciphertext[self.module.block_size+2:] ++ decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv) ++ decrypted_plaintext = decryption_cipher.decrypt(ciphertext) ++ self.assertEqual(self.plaintext, decrypted_plaintext) ++ ++ ## All other non-AEAD modes (but CTR) ++ for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB): + encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) + ciphertext = encryption_cipher.encrypt(self.plaintext) +- +- if mode != self.module.MODE_OPENPGP: +- decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) +- else: +- eiv = ciphertext[:self.module.block_size+2] +- ciphertext = ciphertext[self.module.block_size+2:] +- decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv) ++ decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) + decrypted_plaintext = decryption_cipher.decrypt(ciphertext) + self.assertEqual(self.plaintext, decrypted_plaintext) + ++ + class PGPTest(unittest.TestCase): + def __init__(self, module, params): + unittest.TestCase.__init__(self) +--- a/src/block_template.c ++++ b/src/block_template.c +@@ -170,6 +170,17 @@ ALGnew(PyObject *self, PyObject *args, P + "Key cannot be the null string"); + return NULL; + } ++ if (IVlen != 0 && mode == MODE_ECB) ++ { ++ PyErr_Format(PyExc_ValueError, "ECB mode does not use IV"); ++ return NULL; ++ } ++ if (IVlen != 0 && mode == MODE_CTR) ++ { ++ PyErr_Format(PyExc_ValueError, ++ "CTR mode needs counter parameter, not IV"); ++ return NULL; ++ } + if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR) + { + PyErr_Format(PyExc_ValueError, diff --git a/debian/patches/series b/debian/patches/series index e077da9..191ab43 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ multiprocessing-test.patch unittest-stream.patch deprecated-test-methods.patch asn1-decoding.patch +CVE-2013-7459.patchsignature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---Version: 8.7 Hi, Each of these bugs refers to an update that was included in today's 8.7 point release. Regards, Adam
--- End Message ---