Bug#1065261: bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u3

2024-03-25 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Sat, 2024-03-02 at 11:15 +0100, David Prévot wrote:
> I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the
> next
> point release. We agreed with the security team that these issues are
> not worth a DSA. This update also fixes an issue in dependency
> loading
> similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

Please go ahead.

Regards,

Adam

Bug#1065261: bookworm-pu: package php-phpseclib3/3.0.19-1+deb12u3

2024-03-02 Thread David Prévot 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-phpsecl...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib3
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA. This update also fixes an issue in dependency loading
similar to CVE-2024-24821 as fixed in composer/DSA-5632-1.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru php-phpseclib3-3.0.19/debian/autoload.php.tpl php-phpseclib3-3.0.19/debian/autoload.php.tpl
--- php-phpseclib3-3.0.19/debian/autoload.php.tpl	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/autoload.php.tpl	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,31 @@
+  Tue, 27 Feb 2024 21:58:00 +0100
+
 php-phpseclib3 (3.0.19-1+deb12u2) bookworm-security; urgency=medium
 
   * Backport upstream SSH2 changes
diff -Nru php-phpseclib3-3.0.19/debian/clean php-phpseclib3-3.0.19/debian/clean
--- php-phpseclib3-3.0.19/debian/clean	2023-12-31 12:13:49.0 +0100
+++ php-phpseclib3-3.0.19/debian/clean	2024-02-27 21:58:00.0 +0100
@@ -1,6 +1,7 @@
-debian/autoload.php.tpl
 debian/autoload.tests.php.tpl
+ParagonIE
 phpseclib/autoload.php
 phpseclib3
+random_compat
 tests/.phpunit.result.cache
 vendor/
diff -Nru php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0011-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,42 @@
+From: terrafrost 
+Date: Sat, 24 Feb 2024 08:38:47 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/0358eb163c55a9fd7b3848b9ecc83f6b9e49dbf5
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger/Engines/Engine.php | 14 ++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/phpseclib/Math/BigInteger/Engines/Engine.php b/phpseclib/Math/BigInteger/Engines/Engine.php
+index 2b00bc3..3a735e7 100644
+--- a/phpseclib/Math/BigInteger/Engines/Engine.php
 b/phpseclib/Math/BigInteger/Engines/Engine.php
+@@ -781,6 +781,11 @@ abstract class Engine implements \JsonSerializable
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++throw new \RuntimeException("Generation of random prime numbers larger than 8196 has been disabled ($length)");
++}
++
+ $x = static::randomRange($min, $max);
+ 
+ return static::randomRangePrimeInner($x, $min, $max);
+@@ -985,6 +990,15 @@ abstract class Engine implements \JsonSerializable
+  */
+ public function isPrime($t = false)
+ {
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++$length = $this->getLength();
++if ($length > 8196) {
++throw new \RuntimeException("Primality testing is not supported for numbers larger than 8196 bits ($length)");
++}
++
+ if (!$t) {
+ $t = $this->setupIsPrime();
+ }
diff -Nru php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch
--- php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0012-Tests-add-unit-test-for-EC-pub-key-with-excessively-.patch	2024-02-27 21:58:00.0 +0100
@@ -0,0 +1,46 @@
+From: terrafrost 
+Date: Sat, 24 Feb 2024 08:42:27 -0600
+Subject: Tests: add unit test for EC pub key with excessively large integer
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/e17409a3e39baf7c8ed9635c04130802463b117b
+---
+ tests/Unit/File/X509/X509Test.php|  12 
+ tests/Unit/File/X509/mal-cert-01.der | Bin 0 ->