Bug#751834: iodine: authentication bypass

2014-06-17 Thread gregor herrmann
On Tue, 17 Jun 2014 06:57:18 +0200, Salvatore Bonaccorso wrote:

(Cc'ing upstream)

> There was a new upstream version for iodine released

Ha! The Debian security team is quicker than my daily uscan cronjob
:)

> fixing an
> authentication bypass vulnerability.
>
> Upstream commit is at [1], but no CVE is yet assigned[2] so far.
>
>  [1] https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850
>  [2] http://www.openwall.com/lists/oss-security/2014/06/16/5

Thanks!

I suppose we also need the fix in (old?-)stable; and it might also
make sense to upload the current 0.6 package with only this fix to
unstable with urgency high before looking into 0.7.0.

Unfortunately the patch doesn't apply cleanly (neither against
0.6.0~rc1-18 in Debian nor against the iodine-0.6 branch in upstream
git). I've tried to resolve the merge conflicts and came up with the
attached patch.

Could the two of you please take a look at it to check if it's sane?
-- Which it probably isn't since the tests fail now; or the test
suite needs more adoption as well ... *sigh*

#v+
   dh_auto_test
make[1]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1'
make[2]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1/src'
OS is LINUX, arch is x86_64
make[2]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1/src'
!! The check library is required for compiling and running the tests
!! Get it at http://check.sf.net
make[2]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1/tests'
CC test.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
test.c
CC base32.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
base32.c
CC base64.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
base64.c
CC read.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
read.c
CC dns.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
dns.c
CC encoding.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
encoding.c
CC login.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
login.c
CC user.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
user.c
CC fw_query.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -D`uname | tr a-z A-Z` -I../src 
-I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c 
fw_query.c
LD test
gcc -o test ../src/base32.o  ../src/base64.o ../src/read.o ../src/dns.o 
../src/encoding.o ../src/login.o ../src/md5.o ../src/user.o ../src/fw_query.o 
test.o base32.o base64.o read.o dns.o encoding.o login.o user.o fw_query.o 
-L/usr/local/lib -lcheck `pkg-config --cflags --libs check` `../src/osflags 
link`
Running suite(s): iodine
96%: Checks: 61, Failures: 2, Errors: 0
user.c:69:F:User:test_users_waiting:0: Assertion 'users_waiting_on_reply() == 
1' failed
user.c:96:F:User:test_find_user_by_ip:0: Assertion 'find_user_by_ip(testip) == 
-1' failed
Makefile:13: recipe for target 'all' failed
make[2]: *** [all] Error 1
make[2]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1/tests'
Makefile:53: recipe for target 'test' failed
make[1]: *** [test] Error 2
make[1]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1'
dh_auto_test: make -j1 test returned exit code 2
#v-

@Erik: Maybe you could also backport the fix to the iodine-0.6
branch?


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT  SPI, fellow of the Free Software Foundation Europe
   `-   NP: Sophie Hunger: House of Gods

From b715be5cf3978fbe589b03b09c9398d0d791f850 Mon Sep 17 00:00:00 2001
From: Erik Ekman e...@kryo.se
Date: Mon, 16 Jun 2014 21:12:49 +0200
Subject: [PATCH] Fix authentication bypass bug

The client could bypass the password 

Bug#751834: iodine: authentication bypass

2014-06-17 Thread gregor herrmann
Control: tag -1 + upstream fixed-upstream patch pending

On Tue, 17 Jun 2014 19:20:29 +0200, Erik Ekman wrote:

>> @Erik: Maybe you could also backport the fix to the iodine-0.6
>> branch?
> I pushed an 0.6.0 with the fix here:
> https://github.com/yarrick/iodine/tree/iodine-0.6.0
> No tarball is built though.
> Fix is
> https://github.com/yarrick/iodine/commit/9e265625a1ac8aafbe2812c67de7ddbbf1793a0e

Yay \o/
Thanks a lot.

Commit taken, applied as a patch to the Debian package, and the tests
pass.

> I will go on 3.5 week vacation tomorrow, so I will be mostly unreachable.
> Good luck :)

Enjoy your vacation!


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT  SPI, fellow of the Free Software Foundation Europe
   `-   




Processed: Re: Bug#751834: iodine: authentication bypass

2014-06-17 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + upstream fixed-upstream patch pending
Bug #751834 [src:iodine] iodine: authentication bypass
Added tag(s) pending.

-- 
751834: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#751834: iodine: authentication bypass

2014-06-16 Thread Salvatore Bonaccorso
Source: iodine
Version: 0.6.0~rc1-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole

Hi Gregor,

There was a new upstream version for iodine released fixing an
authentication bypass vulnerability.

Upstream commit is at [1], but no CVE is yet assigned[2] so far.

 [1] 
https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850
 [2] http://www.openwall.com/lists/oss-security/2014/06/16/5

Regards,
Salvatore

