Bug#922442: There is a security weakness in p7zip password encryption. IV for AES-CBC is generated from a very poor RNG (poorly seeded) and half of it is always zeroes.

2019-12-30 Thread Klint Yeastmood
Hi, has this bug been fixed? After browsing the source at
https://salsa.debian.org/debian/p7zip it looks to me like it hasn't...

The bug has been reported to Igor Pavlov
(https://sourceforge.net/p/sevenzip/bugs/2176/) and there is a patch
available for p7zip 16.02 backported from 7-Zip 19.00 - see the bug
report.

Thanks



Bug#922442: There is a security weakness in p7zip password encryption. IV for AES-CBC is generated from a very poor RNG (poorly seeded) and half of it is always zeroes.

2019-02-15 Thread 3lbios
Package: p7zip
Version: 9.20.1~dfsg.1-4.1+deb8u3
Severity: normal
Tags: security patch



-- System Information:
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 8.0 (jessie)
Release: 8.0
Codename:   jessie
Architecture: armv6l

Kernel: Linux 4.14.90+
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages p7zip depends on:
ii  libc6   2.19-18+deb8u10
ii  libgcc1 1:4.9.2-10+deb8u2
ii  libstdc++6  4.9.2-10+deb8u2

p7zip recommends no packages.

Versions of packages p7zip suggests:
pn  p7zip-full  

-- no debconf information
>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek 
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG used for AES
 IV.

Mix in OS randomness for RNG seed. Increase KDF iterations from 1000 to 1 to get it closer to modern standards.
Use full 16 bytes for AES IV instead of just 8.
---
 CPP/7zip/Crypto/7zAes.cpp   | 2 +-
 CPP/7zip/Crypto/RandGen.cpp | 9 +
 CPP/7zip/Crypto/WzAes.cpp   | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CPP/7zip/Crypto/7zAes.cpp b/CPP/7zip/Crypto/7zAes.cpp
index d33b562..64fe7b6 100644
--- a/CPP/7zip/Crypto/7zAes.cpp
+++ b/CPP/7zip/Crypto/7zAes.cpp
@@ -164,7 +164,7 @@ STDMETHODIMP CEncoder::ResetInitVector()
 {
   for (unsigned i = 0; i < sizeof(_iv); i++)
 _iv[i] = 0;
-  _ivSize = 8;
+  _ivSize = 16;
   g_RandomGenerator.Generate(_iv, _ivSize);
   return S_OK;
 }
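Review bot: The literal in `_ivSize = 16;` has to stay in step with the size of the `_iv` buffer, which the zeroing loop just above already takes from `sizeof(_iv)`. Writing `_ivSize = sizeof(_iv);` would remove the second magic number, assuming `_iv` is the 16-byte AES block buffer; its declaration is not in this hunk. The wider IV only helps if `g_RandomGenerator` is well seeded, so this line depends on the RandGen.cpp change in the same patch. The same hunk appears again in the second copy of the patch further down the page.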
diff --git a/CPP/7zip/Crypto/RandGen.cpp b/CPP/7zip/Crypto/RandGen.cpp
index f5ea31f..c141806 100644
--- a/CPP/7zip/Crypto/RandGen.cpp
+++ b/CPP/7zip/Crypto/RandGen.cpp
@@ -10,6 +10,8 @@
 
 #ifndef _WIN32
 #include 
+#include 
+#include 
 #define USE_POSIX_TIME
 #define USE_POSIX_TIME2
 #endif
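Review bot: The two added includes sit under `#ifndef _WIN32`, so every non-Windows build now needs the header that declares `getrandom()`; the header names themselves are lost in this rendering of the patch. `getrandom()` is Linux-specific and its glibc wrapper only arrived in glibc 2.25, while the report above lists libc6 2.19 on the affected jessie system. The patch as written would therefore presumably not build there, nor on other POSIX platforms that lack the call. Guard the include and the call with a feature test such as `#ifdef __linux__` plus a libc version check, or read the seed from `/dev/urandom`, which is available on all of these.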
@@ -58,6 +60,13 @@ void CRandomGenerator::Init()
 LARGE_INTEGER v;
 if (::QueryPerformanceCounter())
   HASH_UPD(v.QuadPart);
+#else
+// get real randomness from the OS and mix it in
+uint64_t randbytes;
+ssize_t rv = 0;
+while (rv != sizeof(randbytes))
+  rv = getrandom((void *), sizeof(randbytes), 0);
+HASH_UPD(randbytes);
 #endif
 
 #ifdef USE_POSIX_TIME
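Review bot: The retry loop `while (rv != sizeof(randbytes))` never terminates when `getrandom()` fails, because the call returns -1 (for example ENOSYS on kernels older than 3.17) and -1 never equals the size, so the process spins at start-up instead of reporting the problem. The call should be retried only on EINTR, which needs `errno`, and any other failure should be handled deliberately: `Init()` returns void, and silently carrying on would leave only the time-based inputs that the bug report describes as the weak seed. Only 8 bytes of OS randomness are mixed in, which is less than the 16-byte IV later derived from this state; a larger buffer would be a better match if `HASH_UPD` (defined outside the hunk) accepts one. The buffer argument of the call is garbled in this rendering and `Init()` continues past the end of the hunk; the same hunk appears again in the second copy of the patch.

```cpp
// get real randomness from the OS and mix it in
uint64_t randbytes = 0;
ssize_t rv;
do
  rv = getrandom(&randbytes, sizeof(randbytes), 0);
while (rv < 0 && errno == EINTR);   // retry only when interrupted by a signal
if (rv == (ssize_t)sizeof(randbytes))
  HASH_UPD(randbytes);
// else: no OS entropy was obtained; report the failure here rather than
// continuing with the time-based inputs alone
// … unchanged: #endif and the USE_POSIX_TIME block …
```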
diff --git a/CPP/7zip/Crypto/WzAes.cpp b/CPP/7zip/Crypto/WzAes.cpp
index 4572f06..db81a39 100644
--- a/CPP/7zip/Crypto/WzAes.cpp
+++ b/CPP/7zip/Crypto/WzAes.cpp
@@ -24,7 +24,7 @@ namespace NWzAes {
 
 const unsigned kAesKeySizeMax = 32;
 
-static const UInt32 kNumKeyGenIterations = 1000;
+static const UInt32 kNumKeyGenIterations = 1;
 
 STDMETHODIMP CBaseCoder::CryptoSetPassword(const Byte *data, UInt32 size)
 {
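Review bot: `kNumKeyGenIterations` in `NWzAes` is the PBKDF2 count for WinZip-style AES zip entries, and as far as I know that format fixes it at 1000 and does not store it in the archive. Any other value would make this build unable to decrypt existing archives and would produce archives that other tools cannot open. The value shown here, `1`, also contradicts the description's "increase" (digits may have been lost in this rendering), and a count of 1 would remove key stretching altogether. I would drop this hunk and keep `static const UInt32 kNumKeyGenIterations = 1000; // fixed by the WinZip AES format, not stored in the archive`. The same hunk appears again in the second copy of the patch.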
-- 
2.17.1

>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek 
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG used for AES
 IV.

Mix in OS randomness for RNG seed. Increase KDF iterations from 1000 to 1 to get it closer to modern standards.
Use full 16 bytes for AES IV instead of just 8.
---
 CPP/7zip/Crypto/7zAes.cpp   | 2 +-
 CPP/7zip/Crypto/RandGen.cpp | 9 +
 CPP/7zip/Crypto/WzAes.cpp   | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CPP/7zip/Crypto/7zAes.cpp b/CPP/7zip/Crypto/7zAes.cpp
index d33b562..64fe7b6 100644
--- a/CPP/7zip/Crypto/7zAes.cpp
+++ b/CPP/7zip/Crypto/7zAes.cpp
@@ -164,7 +164,7 @@ STDMETHODIMP CEncoder::ResetInitVector()
 {
   for (unsigned i = 0; i < sizeof(_iv); i++)
 _iv[i] = 0;
-  _ivSize = 8;
+  _ivSize = 16;
   g_RandomGenerator.Generate(_iv, _ivSize);
   return S_OK;
 }
diff --git a/CPP/7zip/Crypto/RandGen.cpp b/CPP/7zip/Crypto/RandGen.cpp
index f5ea31f..c141806 100644
--- a/CPP/7zip/Crypto/RandGen.cpp
+++ b/CPP/7zip/Crypto/RandGen.cpp
@@ -10,6 +10,8 @@
 
 #ifndef _WIN32
 #include 
+#include 
+#include 
 #define USE_POSIX_TIME
 #define USE_POSIX_TIME2
 #endif
@@ -58,6 +60,13 @@ void CRandomGenerator::Init()
 LARGE_INTEGER v;
 if (::QueryPerformanceCounter())
   HASH_UPD(v.QuadPart);
+#else
+// get real randomness from the OS and mix it in
+uint64_t randbytes;
+ssize_t rv = 0;
+while (rv != sizeof(randbytes))
+  rv = getrandom((void *), sizeof(randbytes), 0);
+HASH_UPD(randbytes);
 #endif
 
 #ifdef USE_POSIX_TIME
diff --git a/CPP/7zip/Crypto/WzAes.cpp b/CPP/7zip/Crypto/WzAes.cpp
index 4572f06..db81a39 100644
--- a/CPP/7zip/Crypto/WzAes.cpp
+++ b/CPP/7zip/Crypto/WzAes.cpp
@@ -24,7 +24,7 @@ namespace NWzAes {
 
 const unsigned kAesKeySizeMax = 32;
 
-static const UInt32 kNumKeyGenIterations = 1000;
+static const UInt32 kNumKeyGenIterations = 1;
 
 STDMETHODIMP CBaseCoder::CryptoSetPassword(const Byte *data, UInt32 size)
 {
-- 
2.17.1

>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek 
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG