Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455

2012-10-31 Thread Pierre Chifflier
On Tue, Oct 30, 2012 at 06:21:07PM +0100, Moritz Muehlenhoff wrote:
 On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
  On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
   Please see the thread starting at
   http://www.openwall.com/lists/oss-security/2012/09/07/2
   for details.
  
  I've had a quick look at this bug to see if it can be fixed in Debian.
  There are four patches referenced in the thread (I haven't verified if
  there are more patches required):
  
  - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
    32 files changed, 182 insertions(+), 1166 deletions(-)
    This change is huge and mainly seems to be equivalent to setting
    SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
    other changes in there which may be due to the removal of the
    compatibility code.
    This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
    to manually fix it (attached is a version if anyone is interested).
  - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
    31 files changed, 2975 insertions(+), 280 deletions(-)
    Lots of changes in the tests but it also seems to contain some
    cleanups related to the previous change, a change from lock_shm() to
    XProcLock(), some moving of locks to /var/lock and a few other
    changes.
  - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
    23 files changed, 449 insertions(+), 99 deletions(-)
    Includes a FAQ typo fix and the introduction of a lot of new code.
  - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
    1 file changed, 3 insertions(+), 3 deletions(-)
    Very small change in the Makefile which creates the lock directory.
    Should not be relevant for Debian because subdirectories of /var/lock
    should be created on the fly.
  
  The changes are huge and can probably not be easily backported to
  Debian's 2.3.1. A few other options come to mind:
  - see if upstream can provide patches for 2.3.1
  - see if the necessary fixes can be made some other way
  - upgrade to upstream 2.4.2
  - remove from wheezy
  (the only reverse dependency for opencryptoki seems to be tpm-tools)
  
  Anyway, I don't think I can do much more for this bug because I'm afraid
  it will take a little more time than I have available at the moment. I
  was having a look and I thought I would just add my notes to the bug log.
  
  Good luck with this bug! ;)
 
 Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
 outdated crypto toolkits without an active maintainer in the archive.
 
 CCing Pierre, the tpm-tools maintainer, to see whether tpm-tools
 is usable without opencryptoki or whether he's interested in adopting
 it himself.
 

Hi,

IMHO the best solution would be to upgrade opencryptoki, including in
Wheezy. Trying to backport many patches will be complex to maintain and
will create a version that could be very different from upstream,
leading to bugs (in functionality and security).
tpm-tools can be compiled without opencryptoki, but this would disable
the PKCS#11 support and so lose some functionality. Except for the
dependency in debian/control, there should not be any other changes to
be made.

Cheers,
Pierre


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455

2012-10-30 Thread Moritz Muehlenhoff
On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
 On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
  Please see the thread starting at
  http://www.openwall.com/lists/oss-security/2012/09/07/2
  for details.
 
 I've had a quick look at this bug to see if it can be fixed in Debian.
 There are four patches referenced in the thread (I haven't verified if
 there are more patches required):
 
 - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
   32 files changed, 182 insertions(+), 1166 deletions(-)
   This change is huge and mainly seems to be equivalent to setting
   SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
   other changes in there which may be due to the removal of the
   compatibility code.
   This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
   to manually fix it (attached is a version if anyone is interested).
 - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
   31 files changed, 2975 insertions(+), 280 deletions(-)
   Lots of changes in the tests but it also seems to contain some
   cleanups related to the previous change, a change from lock_shm() to
   XProcLock(), some moving of locks to /var/lock and a few other
   changes.
 - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
   23 files changed, 449 insertions(+), 99 deletions(-)
   Includes a FAQ typo fix and the introduction of a lot of new code.
 - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
   1 file changed, 3 insertions(+), 3 deletions(-)
   Very small change in the Makefile which creates the lock directory.
   Should not be relevant for Debian because subdirectories of /var/lock
   should be created on the fly.
 
 The changes are huge and can probably not be easily backported to
 Debian's 2.3.1. A few other options come to mind:
 - see if upstream can provide patches for 2.3.1
 - see if the necessary fixes can be made some other way
 - upgrade to upstream 2.4.2
 - remove from wheezy
 (the only reverse dependency for opencryptoki seems to be tpm-tools)
 
 Anyway, I don't think I can do much more for this bug because I'm afraid
 it will take a little more time than I have available at the moment. I
 was having a look and I thought I would just add my notes to the bug log.
 
 Good luck with this bug! ;)

Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
outdated crypto toolkits without an active maintainer in the archive.

CCing Pierre, the tpm-tools maintainer, to see whether tpm-tools
is usable without opencryptoki or whether he's interested in adopting
it himself.

Cheers,
Moritz





Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455

2012-10-02 Thread Moritz Muehlenhoff
Package: opencryptoki
Severity: grave
Tags: security
Justification: user security hole

Please see the thread starting at 
http://www.openwall.com/lists/oss-security/2012/09/07/2
for details.

Cheers,
Moritz

