Bug#926555: unblock: yubico-piv-tool/1.7.0-1

2019-05-02 Thread Paul Gevers
Control: tags -1 moreinfo

On Sat, 06 Apr 2019 22:59:16 +0200 Nicolas Braud-Santoni wrote:
> The latest upstream release contains security-critical changes (see #926551).

Please be aware that without updates to that bug, your package will be
removed from buster soon. When that happens, your package will not be
allowed to migrate back in, so make sure you follow up on that bug and
on this one.

> I apologise for the larger-than-necessary diff, which includes some packaging
> changes that were pending upload  :(

Those changes can be reverted. The worse problem here is that you're
bumping the compat level, which isn't allowed at this stage of the release.

However, the biggest part of the changes comes from the new upstream
release. Not all changes by upstream in the changelog make sense to me
without further investigation. In bug 926551 you seem to know which
changes you want; how feasible is it to cherry-pick the security fixes
instead of pulling in the full new upstream release? That would make
reviewing easier, as your diff is big (the most likely reason why you
didn't hear from us earlier).

Paul

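The triage a release-team reviewer does on a large debdiff like this one, as an added example in Python (not code from the bug thread, from the Debian release team or from yubico-piv-tool): split the changed files into debian/ versus upstream, flag a debian/compat bump, and pull out the new ChangeLog entries whose wording points at memory-safety or secret-handling fixes, i.e. the candidates for cherry-picking instead of importing the whole release. The sample debdiff is constructed for the example: its debian/compat hunk, the values 10 and 12 and the lib/ykpiv.c hunk are hypothetical, while the ChangeLog lines are copied from entries visible in the real 1.6.2 to 1.7.0 debdiff quoted further down the page. The keyword list in SECURITY_HINTS is a heuristic chosen here, not a Debian convention.

```python
"""Triage a debdiff the way a freeze-period unblock reviewer does.

Added example for this thread; not code from the bug report, the release
team or yubico-piv-tool.  Reports debian/ vs upstream files, a debian/compat
bump (not allowed during the freeze) and security-looking ChangeLog entries.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on this thread.  The debian/compat hunk, the
# values 10 and 12 and the lib/ykpiv.c hunk are hypothetical; the ChangeLog
# lines are copied from entries visible in the real 1.6.2 -> 1.7.0 debdiff.
SAMPLE_DEBDIFF = """\
diff -Nru yubico-piv-tool-1.6.2/ChangeLog yubico-piv-tool-1.7.0/ChangeLog
--- yubico-piv-tool-1.6.2/ChangeLog
+++ yubico-piv-tool-1.7.0/ChangeLog
@@ -1 +1,13 @@
+2019-01-22  Dave Pate
+
+   * lib/internal.h, lib/ykpiv.c: lib: tlv length buffer checks
+
+2019-01-22  Dave Pate
+
+   * lib/util.c: lib: handle realloc failures safely
+
+2019-02-18  Klas Lindfors
+
+   * windows.mk: bump openssl version and don't include check binaries
+
 2018-09-21  Klas Lindfors
diff -Nru yubico-piv-tool-1.6.2/debian/compat yubico-piv-tool-1.7.0/debian/compat
--- yubico-piv-tool-1.6.2/debian/compat
+++ yubico-piv-tool-1.7.0/debian/compat
@@ -1 +1 @@
-10
+12
diff -Nru yubico-piv-tool-1.6.2/lib/ykpiv.c yubico-piv-tool-1.7.0/lib/ykpiv.c
--- yubico-piv-tool-1.6.2/lib/ykpiv.c
+++ yubico-piv-tool-1.7.0/lib/ykpiv.c
@@ -10,3 +10,4 @@
 static int grow(void) {
-  buf = realloc(buf, len);
+  tmp = realloc(buf, len);
+  if (tmp == NULL) return -1;
   return 0;
"""

# Heuristic (chosen for this example) for ChangeLog wording that usually
# signals a memory-safety or secret-handling fix worth cherry-picking.
SECURITY_HINTS = re.compile(
    r"overflow|bounds|buffer check|secret|key material|uninitiali[sz]ed|"
    r"realloc|zero memory|pin buffer",
    re.IGNORECASE,
)
NEW_FILE = re.compile(r"^\+\+\+ (\S+)")  # '+++ pkg-1.7.0/path' header


@dataclass
class DebdiffReport:
    debian_files: List[str] = field(default_factory=list)
    upstream_files: List[str] = field(default_factory=list)
    compat_change: Optional[Tuple[Optional[str], Optional[str]]] = None
    security_entries: List[str] = field(default_factory=list)
    added: int = 0
    removed: int = 0


def _strip_top_dir(path: str) -> str:
    """debdiff paths look like pkg-1.7.0/debian/compat; drop the version dir."""
    return path.split("/", 1)[1] if "/" in path else path


def triage_debdiff(text: str) -> DebdiffReport:
    report = DebdiffReport()
    current = None  # file whose hunks we are in; None between 'diff' and '+++'
    for line in text.splitlines():
        if line.startswith("diff "):
            current = None
            continue
        if current is None:
            # Headers only occur before a file's first hunk, so a removed line
            # starting with '--' inside a hunk is never taken for a header.
            # Deleted files ('+++ /dev/null') are not special-cased here.
            m = NEW_FILE.match(line)
            if m:
                current = _strip_top_dir(m.group(1))
                (report.debian_files if current.startswith("debian/")
                 else report.upstream_files).append(current)
            continue
        if not line or line[0] not in "+-":
            continue  # hunk header or unchanged context line
        sign, body = line[0], line[1:]
        if sign == "+":
            report.added += 1
        else:
            report.removed += 1
        if current == "debian/compat":
            old, new = report.compat_change or (None, None)
            report.compat_change = (body.strip(), new) if sign == "-" else (old, body.strip())
        elif current == "ChangeLog" and sign == "+" and SECURITY_HINTS.search(body):
            report.security_entries.append(body.strip())
    return report


def compat_bumped(report: DebdiffReport) -> bool:
    """True when debian/compat was raised, which the freeze policy forbids."""
    if report.compat_change is None:
        return False
    old, new = report.compat_change
    return bool(old and new and old.isdigit() and new.isdigit() and int(new) > int(old))


def summarize(report: DebdiffReport) -> List[str]:
    lines = [f"files changed: {len(report.debian_files)} under debian/, "
             f"{len(report.upstream_files)} upstream (+{report.added}/-{report.removed} lines)"]
    if compat_bumped(report):
        old, new = report.compat_change
        lines.append(f"BLOCKER: debian/compat bumped {old} -> {new}; revert for the unblock")
    lines += [f"cherry-pick candidate: {e}" for e in report.security_entries]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage_debdiff(SAMPLE_DEBDIFF))))
```

Run it on a real debdiff with `triage_debdiff(open("x.debdiff").read())`. A debhelper-compat build dependency in debian/control would need the same treatment as debian/compat, and the keyword match only ranks ChangeLog entries; the actual cherry-pick still has to be made and read commit by commit.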
Bug#926555: unblock: yubico-piv-tool/1.7.0-1

2019-04-06 Thread Nicolas Braud-Santoni
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package yubico-piv-tool

The latest upstream release contains security-critical changes (see #926551).

I apologise for the larger-than-necessary diff, which includes some packaging
changes that were pending upload :(

The debdiff is enclosed; it isn't authoritative, as the package still needs to
be uploaded to sid (I accidentally let my signing key expire while ill, so this
is waiting on a sponsored upload...)


Best,

  nicoo

unblock yubico-piv-tool/1.7.0-1

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru yubico-piv-tool-1.6.2/ChangeLog yubico-piv-tool-1.7.0/ChangeLog
--- yubico-piv-tool-1.6.2/ChangeLog 2018-09-14 09:33:28.0 +0200
+++ yubico-piv-tool-1.7.0/ChangeLog 2019-04-03 09:53:53.0 +0200
@@ -1,3 +1,156 @@
+2019-04-03  Klas Lindfors 
+
+   * NEWS, configure.ac: NEWS for 1.7.0
+
+2019-04-03  Klas Lindfors 
+
+   * : commit 7b64528cf7ba87e803a3ed29c8ca877e88796e24 Author: Dave
+   Pate  Date:   Tue Jan 22 13:59:06 2019 -0800
+
+2019-01-22  Dave Pate 
+
+   * lib/internal.h, lib/ykpiv.c: lib: tlv length buffer checks
+
+2019-01-22  Dave Pate 
+
+   * lib/util.c: lib: handle realloc failures safely
+
+2019-01-22  Dave Pate 
+
+   * lib/util.c: lib: clear secrets in set_protected_mgm
+
+2019-01-22  Dave Pate 
+
+   * lib/ykpiv.c: lib: clear secrets in ykpiv_import_private_key
+
+2019-01-21  Dave Pate 
+
+   * lib/internal.h, lib/util.c: lib: correct zero memory defines,
+   correct overflow checks in _write_certificate
+
+2019-01-17  Dave Pate 
+
+   * lib/ykpiv.c: lib: clear secrets in auth api
+
+2019-01-17  Dave Pate 
+
+   * lib/ykpiv.c: lib: check that serial/version checks occur during
+   select
+
+2019-01-07  Dave Pate 
+
+   * lib/internal.c, lib/internal.h, lib/ykpiv.c: lib: define constant
+   for max pin len magic numbers lib: clear pin buffers when no longer
+   used
+
+2019-01-07  Dave Pate 
+
+   * lib/ykpiv.c: lib: check internal authentication crypt errors
+
+2019-01-07  Dave Pate 
+
+   * lib/internal.c, lib/ykpiv.c: lib: clear buffers containing key
+   material
+
+2019-01-07  Dave Pate 
+
+   * lib/internal.h, lib/util.c: lib: use secure zero memory platform
+   functions
+
+2019-01-07  Dave Pate 
+
+   * lib/util.c, lib/ykpiv.c: lib: resolves potential reads of
+   uninitialized data
+
+2019-03-06  pedro martelletto 
+
+   * doc/YubiKey_PIV_introduction.adoc: doc: set LC_CTYPE=C; fixes
+   ef81d164 on MacOS
+
+2019-03-06  Alessio Di Mauro 
+
+   * : Merge pull request #187 from Yubico/pvs_remove_warnings Remove some 
warnings
+
+2019-03-06  Gabriel Kihlman 
+
+   * ykcs11/ykcs11.c: Do not assign variable twice
+
+2019-03-06  Gabriel Kihlman 
+
+   * ykcs11/ykcs11.c: Remove duplicate check on op_info.type !=
+   YKCS11_SIGN
+
+2019-03-05  Klas Lindfors 
+
+   * : commit ef81d1646536d5d9f2056cdc78a4a1052e8851a7 Author: pedro
+   martelletto  Date:   Tue Mar 5 07:58:09 2019 +0100
+
+2019-02-20  Alessio Di Mauro 
+
+   * : Merge PR#184
+
+2019-02-18  Klas Lindfors 
+
+   * windows.mk: bump openssl version and don't include check binaries
+
+2019-02-15  Alessio Di Mauro 
+
+   * : Merge PR#183
+
+2019-02-15  Alessio Di Mauro 
+
+   * : Merge PR #182
+
+2019-01-07  Alessio Di Mauro 
+
+   * ykcs11/ykcs11.c: ykcs11: use a large enough buffer when writing EC
+   signatures
+
+2019-01-02  Klas Lindfors 
+
+   * : commit 811ddbb22d293aea6508d69bb7b98d8386fc8071 Author: Stacey
+   Sheldon  Date:   Tue Jan 1 01:43:51 2019
+   -0500
+
+2019-01-01  Stacey Sheldon 
+
+   * tools/fasc.pl: FASC-N: correct encoding of the packed 4-bit
+   decimal format with odd parity The BCD digits in the FASC-N credential 
are sent lsb first followed
+   by an odd parity.  Since this perl script is simply packing the bits
+   in their expected order, the encodings should exactly match figure 7
+   in "Technical Implementation Guidance: Smart Card Enabled Physical
+   Access Control Systems Version 2.2".
+
+2018-12-18  Klas Lindfors 
+
+   * tools/fasc.pl: fix fasc-n value of 1 relates #177
+
+2018-09-21  Klas Lindfors 
+
+   * : commit 898b85821cbfa2c0b841e46d39a45b42e9891bfd Author: Klas
+   Lindfors  Date:   Tue Sep 18 08:38:57 2018 +0200
+
+
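Review bot: the one hunk shown mixes the fixes that justify this unblock (tlv length buffer checks, safe handling of realloc failures, clearing secrets in set_protected_mgm, ykpiv_import_private_key and the auth API, corrected overflow checks in _write_certificate, clearing PIN and key-material buffers, fixes for reads of uninitialized data) with unrelated churn (the fasc.pl FASC-N encoding fix, ykcs11 warning cleanup, the windows.mk OpenSSL bump, a doc LC_CTYPE fix), so a cherry-picked patch series for the lib/ entries would be far easier to review than this full import. Several entries are bare "commit <hash> Author: ... Date: ..." placeholders with no description, so the debdiff alone does not say what those merges changed. The hunk header announces 156 added lines but the quoted diff stops partway and covers only ChangeLog, so neither the rest of the upstream changes nor the debian/compat bump raised in the reply can be checked from what is enclosed; two lines ("Remove some / warnings" and "credential / are sent lsb first") are also wrapped, so the diff as pasted would not apply cleanly.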