Your message dated Sat, 14 Jul 2018 11:21:20 +0100
with message-id <1531563680.2095.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.5
has caused the Debian Bug report #895766,
regarding stretch-pu: package tlslite-ng/0.6.0-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895766: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895766
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

I hereby propose an update for stable/stretch of tlslite-ng. It contains
a patch fixing CVE-2018-1000159 [1]. The security issue was marked as being
no-dsa [2]. Please see the attached debdiff for details.

Thanks,
Daniel Stender

[1] https://bugs.debian.org/895728

[2] https://security-tracker.debian.org/tracker/CVE-2018-1000159

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tlslite-ng-0.6.0/debian/changelog tlslite-ng-0.6.0/debian/changelog
--- tlslite-ng-0.6.0/debian/changelog   2016-11-16 16:32:34.000000000 +0100
+++ tlslite-ng-0.6.0/debian/changelog   2018-04-15 20:53:39.000000000 +0200
@@ -1,3 +1,10 @@
+tlslite-ng (0.6.0-1+deb9u1) stable; urgency=medium
+
+  * add verify-mac-even-if-the-padding-is-1-byte-long.patch,
+    providing fix for CVE-2018-1000159 (Closes: #895728).
+
+ -- Daniel Stender <sten...@debian.org>  Sun, 15 Apr 2018 20:53:39 +0200
+
 tlslite-ng (0.6.0-1) unstable; urgency=medium
 
   * New upstream release:
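
Review bot: the new changelog bullet names the patch file and the CVE but not where the patch came from. The patch header further down carries the upstream commit id (3674815d1b0f7484454995e2737a352e0a6a93d8); citing it in the bullet, or in a DEP-3 style Origin field in the patch itself, would let a later reader confirm the backport is the unmodified upstream change.
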
diff -Nru tlslite-ng-0.6.0/debian/patches/series 
tlslite-ng-0.6.0/debian/patches/series
--- tlslite-ng-0.6.0/debian/patches/series      1970-01-01 01:00:00.000000000 
+0100
+++ tlslite-ng-0.6.0/debian/patches/series      2018-04-15 20:53:37.000000000 
+0200
@@ -0,0 +1 @@
+verify-mac-even-if-the-padding-is-1-byte-long.patch
diff -Nru 
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
 
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
--- 
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
 2018-04-15 20:45:32.000000000 +0200
@@ -0,0 +1,67 @@
+From 3674815d1b0f7484454995e2737a352e0a6a93d8 Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hka...@redhat.com>
+Date: Tue, 27 Mar 2018 15:26:18 +0200
+Subject: [PATCH] verify the mac even if the padding is 1 byte long
+
+off-by-one error on mac checking, if the padding is of
+minimal length (a single 0x00 byte), the mac is not
+checked and thus the return value is never falsified
+
+this fixes the issue
+---
+ tlslite/utils/constanttime.py                 |  2 +-
+ unit_tests/test_tlslite_utils_constanttime.py | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/tlslite/utils/constanttime.py b/tlslite/utils/constanttime.py
+index 60322c14..d4f5b1ce 100644
+--- a/tlslite/utils/constanttime.py
++++ b/tlslite/utils/constanttime.py
+@@ -170,7 +170,7 @@ def ct_check_cbc_mac_and_pad(data, mac, seqnumBytes, 
contentType, version):
+     data_mac.update(compatHMAC(data[:start_pos]))
+ 
+     # don't check past the array end (already checked to be >= zero)
+-    end_pos = data_len - 1 - mac.digest_size
++    end_pos = data_len - mac.digest_size
+ 
+     # calculate all possible
+     for i in range(start_pos, end_pos): # constant for given overall length
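
Review bot: the one-line change to end_pos is correct, but the comment left above it ("don't check past the array end") does not say why the bound has this value, which is how the off-by-one got in. Because range(start_pos, end_pos) excludes end_pos, the old bound data_len - 1 - mac.digest_size never visited index data_len - 1 - mac.digest_size, the MAC position for a record whose padding is the single length byte 0x00, so that case was never compared. Suggest extending the comment to state that end_pos is exclusive and that the last candidate position is data_len - 1 - mac.digest_size, so the next edit to this loop does not reintroduce the gap.
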
+diff --git a/unit_tests/test_tlslite_utils_constanttime.py 
b/unit_tests/test_tlslite_utils_constanttime.py
+index 0edaf3f4..0a6446d0 100644
+--- a/unit_tests/test_tlslite_utils_constanttime.py
++++ b/unit_tests/test_tlslite_utils_constanttime.py
+@@ -16,6 +16,7 @@
+ from hypothesis import given, example
+ import hypothesis.strategies as st
+ from tlslite.utils.compat import compatHMAC
++from tlslite.utils.cryptomath import getRandomBytes
+ from tlslite.recordlayer import RecordLayer
+ import tlslite.utils.tlshashlib as hashlib
+ import hmac
+@@ -266,6 +267,26 @@ def test_with_invalid_hash(self):
+         self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
+                                                   content_type, version))
+ 
++    @given(i=st.integers(1, 20))
++    def test_with_invalid_random_hash(self, i):
++        key = compatHMAC(getRandomBytes(20))
++        seqnum_bytes = bytearray(16)
++        content_type = 0x15
++        version = (3, 3)
++        application_data = getRandomBytes(63)
++        mac = hashlib.sha1
++
++        data = self.data_prepare(application_data, seqnum_bytes, content_type,
++                                 version, mac, key)
++        data[-i] ^= 0xff
++        padding = bytearray(b'\x00')
++        data += padding
++
++        h = hmac.new(key, digestmod=mac)
++        h.block_size = mac().block_size
++        self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
++                                                  content_type, version))
++
+     def test_with_invalid_pad(self):
+         key = compatHMAC(bytearray(20))
+         seqnum_bytes = bytearray(16)
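
Review bot: in test_with_invalid_random_hash the key and application_data come from getRandomBytes rather than from hypothesis, so only i is recorded when a run fails and the failing input cannot be replayed or shrunk. Drawing them with st.binary (20 and 63 bytes) in the @given decorator keeps the same coverage and makes failures reproducible. The test also pins the regression case to SHA-1 and a 63-byte payload, and data[-i] with i in 1..20 only flips bytes in the last 20 bytes of the prepared record, which matches the SHA-1 digest size; a second case that corrupts a payload byte while keeping the single 0x00 padding byte, and one with a different digest size, would cover the boundary for the other record layouts the function accepts.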

--- End Message ---
--- Begin Message ---
Version: 9.5

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
