On Tue, 17 Jun 2014 06:57:18 +0200, Salvatore Bonaccorso wrote:

(Cc'ing upstream)

> There was a new upstream version for iodine released

Ha! The Debian security team is quicker than my daily uscan cronjob
:)

> fixing an
> authentication bypass vulnerability.
> Upstream commit is at [1], but no CVE is yet assigned[2] so far.
>
> [1] https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850
> [2] http://www.openwall.com/lists/oss-security/2014/06/16/5

Thanks!
I suppose we also need the fix in (old?-)stable; and it might also
make sense to upload the current 0.6 package with only this fix to
unstable with urgency high before looking into 0.7.0.

Unfortunately the patch doesn't apply cleanly (neither against
0.6.0~rc1-18 in Debian nor against the iodine-0.6 branch in upstream
git). I've tried to resolve the merge conflicts and came up with the
attached patch.

Could the two of you please take a look at it to check if it's sane?
-- Which it probably isn't since the tests fail now; or the test
suite needs more adoption as well ... *sigh*
#v+
dh_auto_test
make[1]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1'
make[2]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1/src'
OS is LINUX, arch is x86_64
make[2]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1/src'
!! The check library is required for compiling and running the tests
!! Get it at http://check.sf.net
make[2]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1/tests'
CC test.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
test.c
CC base32.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
base32.c
CC base64.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
base64.c
CC read.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
read.c
CC dns.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
dns.c
CC encoding.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
encoding.c
CC login.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
login.c
CC user.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
user.c
CC fw_query.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D`uname | tr a-z A-Z` -I../src
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c
fw_query.c
LD test
gcc -o test ../src/base32.o ../src/base64.o ../src/read.o ../src/dns.o
../src/encoding.o ../src/login.o ../src/md5.o ../src/user.o ../src/fw_query.o
test.o base32.o base64.o read.o dns.o encoding.o login.o user.o fw_query.o
-L/usr/local/lib -lcheck `pkg-config --cflags --libs check` `../src/osflags
link`
Running suite(s): iodine
96%: Checks: 61, Failures: 2, Errors: 0
user.c:69:F:User:test_users_waiting:0: Assertion 'users_waiting_on_reply() ==
1' failed
user.c:96:F:User:test_find_user_by_ip:0: Assertion 'find_user_by_ip(testip) ==
-1' failed
Makefile:13: recipe for target 'all' failed
make[2]: *** [all] Error 1
make[2]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1/tests'
Makefile:53: recipe for target 'test' failed
make[1]: *** [test] Error 2
make[1]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1'
dh_auto_test: make -j1 test returned exit code 2
#v-
@Erik: Maybe you could also backport the fix to the iodine-0.6
branch?

Cheers,
gregor
--
.''`. Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
: :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/
`. `' Member of VIBE!AT SPI, fellow of the Free Software Foundation Europe
`- NP: Sophie Hunger: House of Gods
From b715be5cf3978fbe589b03b09c9398d0d791f850 Mon Sep 17 00:00:00 2001
From: Erik Ekman e...@kryo.se
Date: Mon, 16 Jun 2014 21:12:49 +0200
Subject: [PATCH] Fix authentication bypass bug
The client could bypass the password