Re: Wheezy update of libmad?

2018-05-11 Thread Kurt Roeckx
On Fri, May 11, 2018 at 09:25:17AM +0200, Emilio Pozuelo Monfort wrote:
> Hi Kurt,
> 
> On 30/01/18 21:59, Kurt Roeckx wrote:
> > On Tue, Jan 30, 2018 at 08:33:53PM +0100, Ola Lundqvist wrote:
> >> Dear maintainers,
> >>
> >> The Debian LTS team would like to fix the security issues which are
> >> currently open in the Wheezy version of libmad:
> >> https://security-tracker.debian.org/tracker/CVE-2017-8372
> >> https://security-tracker.debian.org/tracker/CVE-2017-8373
> >> https://security-tracker.debian.org/tracker/CVE-2017-8374
> >>
> >> Would you like to take care of this yourself?
> > 
> > I will take care of them myself.
> 
> I see that the update happened for jessie/stretch. wheezy has the same 
> upstream
> version as jessie so the patches should apply cleanly there. I suppose you are
> doing the update but if you lack the time let me know and I can help.

I'm still unable to build packages for wheezy, so if you can
help with it that would be great. It's really the same patches that
were applied to all other versions.


Kurt



Re: Wheezy update of libmad?

2018-01-30 Thread Kurt Roeckx
On Tue, Jan 30, 2018 at 08:33:53PM +0100, Ola Lundqvist wrote:
> Dear maintainers,
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libmad:
> https://security-tracker.debian.org/tracker/CVE-2017-8372
> https://security-tracker.debian.org/tracker/CVE-2017-8373
> https://security-tracker.debian.org/tracker/CVE-2017-8374
> 
> Would you like to take care of this yourself?

I will take care of them myself.


Kurt



Re: Security update of OpenSSL 1.0.1t-1+deb7u3

2017-11-08 Thread Kurt Roeckx
On Wed, Nov 08, 2017 at 11:22:24PM +0100, Markus Koschany wrote:
> Am 08.11.2017 um 23:04 schrieb Kurt Roeckx:
> > On Wed, Nov 08, 2017 at 10:07:57PM +0100, Markus Koschany wrote:
> >> Hello Kurt,
> >>
> >> we saw that you reserved a DLA number for OpenSSL last week but the new
> >> version 1.0.1t-1+deb7u3 has not been uploaded yet. Is there anything we
> >> can do to assist you?
> > 
> > The package has been ready in svn since then. But I have a problem
> > going into my wheezy chroot. I've been told I need to boot with
> > vsyscall emulation turned on, but I haven't had time to reboot
> > yet.
> 
> Shall I checkout the wheezy branch and revision 922 and upload the
> package right now? You just have to send the DLA to the
> debian-lts-announce mailing list but I can take care of that as well if
> you wish.

I just fixed something in revision 931. I've put a .dsc at:
https://people.debian.org/~kroeckx/openssl/openssl_1.0.1t-1+deb7u3.dsc

Feel free to upload that and send the announcement.


Kurt



Re: Security update of OpenSSL 1.0.1t-1+deb7u3

2017-11-08 Thread Kurt Roeckx
On Wed, Nov 08, 2017 at 10:07:57PM +0100, Markus Koschany wrote:
> Hello Kurt,
> 
> we saw that you reserved a DLA number for OpenSSL last week but the new
> version 1.0.1t-1+deb7u3 has not been uploaded yet. Is there anything we
> can do to assist you?

The package has been ready in svn since then. But I have a problem
going into my wheezy chroot. I've been told I need to boot with
vsyscall emulation turned on, but I haven't had time to reboot
yet.


Kurt



Re: [pkg-mad-maintainers] Wheezy update of libmad?

2017-08-07 Thread Kurt Roeckx
On Mon, Aug 07, 2017 at 07:39:34AM -0400, Chris Lamb wrote:
> Dear maintainer(s),
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libmad:
> https://security-tracker.debian.org/tracker/source-package/libmad
> 
> Would you like to take care of this yourself?

This is not fixed in any of the suites, there is no patch
available yet. If I have a patch I will upload it to all suites.


Kurt



Re: should ca-certificates certdata.txt synchronize across all suites?

2017-07-22 Thread Kurt Roeckx
On Fri, Jul 21, 2017 at 04:47:23PM -0400, Antoine Beaupré wrote:
> On 2017-07-21 22:19:20, Philipp Kern wrote:
> > My point was that you state what your delta is and it essentially boils 
> > down to attaching the diff of what will actually happen to the .deb. I 
> > think it's generally fine to add new CAs and remove fully distrusted 
> > ones, instead of saying "it should just be in sync with unstable". The 
> > latter contains a lot more nuance if you know that some of the rules are 
> > only available in code.
> 
> Thank you for taking the time to clarify your position, I understand it
> much better now. :)
> 
> Makes perfect sense, I'll try to be clearer in future communications to
> avoid such confusion.

Mozilla has various extra distrust/partial trust rules that are now
coded in either NSS or Firefox itself. But we're not even using the
distrust/partial trust information currently in certdata.txt.

Other than what is in certdata.txt + code, there are also
certificates that are distrusted by using OneCRL.

I currently see no reason not to ship certdata.txt in all
distributions.

In any case, I think we should try to implement all the rules that
Mozilla applies in all software that deals with certificates. And
at least Mozilla is interested in that, and at least some of the
OpenSSL people would also like to see OpenSSL have more checks
than currently happen.


Kurt



Re: Wheezy update of ntp?

2017-03-22 Thread Kurt Roeckx
On Wed, Mar 22, 2017 at 09:02:16PM +0100, Ola Lundqvist wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of ntp:
> https://security-tracker.debian.org/tracker/CVE-2017-6460
> https://security-tracker.debian.org/tracker/CVE-2017-6463
> https://security-tracker.debian.org/tracker/CVE-2017-6464

Are you really asking again hours after those CVEs have been made
public, and it's not fixed yet in any other branch?

> Would you like to take care of this yourself?

Yes, like always, I will do this myself.


Kurt



Re: openssl wheezy update

2017-01-31 Thread Kurt Roeckx
On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote:
> Hi Kurt,
> 
> I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I 
> have
> done some smoke testing on it and it seems fine, but I haven't been able to
> verify the three fixes as I can't find exploits for them (there is mention of
> one for CVE-2016-8610 in [1] but I can't find the actual file).
> 
> Do you have any suggestion for how to verify / test the update?
> 
> Do you want to upload this or should I take care of it?

Feel free to upload this.

The upstream version is the same in jessie and wheezy, so the patches should
just apply.

I only have a test for the 32 bit crashes. It would require getting
the fuzzers working in the 1.0.1 version, which should be that
hard.

The other would be a cache timing attack, and I really have no
good way to test that.

I suggest you just upload it.


Kurt



Re: [pkg-ntp-maintainers] Wheezy update of ntp?

2016-11-21 Thread Kurt Roeckx
On Mon, Nov 21, 2016 at 11:13:13PM +0100, Ola Lundqvist wrote:
> Hello dear maintainer(s),
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of ntp:
> https://security-tracker.debian.org/tracker/CVE-2016-7426
> https://security-tracker.debian.org/tracker/CVE-2016-7427
> https://security-tracker.debian.org/tracker/CVE-2016-7428
> https://security-tracker.debian.org/tracker/CVE-2016-7434
> https://security-tracker.debian.org/tracker/CVE-2016-9310
> https://security-tracker.debian.org/tracker/CVE-2016-9311
> https://security-tracker.debian.org/tracker/CVE-2016-9312

You mean those that were published today?

> Would you like to take care of this yourself?

If I fix them for stable, I'll also fix them for oldstable. It's
the same upstream version, the patches are identical.

But I just have a new tarball, and diffstat shows:
 187 files changed, 8094 insertions(+), 4295 deletions(-)

And bitkeeper and the git don't have any of the patches.
(Even if they did, it would be non-obvious which commits you need,
they are really good like that.)


Kurt



Re: Wheezy update of openssl?

2016-11-01 Thread Kurt Roeckx
On Tue, Nov 01, 2016 at 03:09:06PM +0100, Guido Günther wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openssl:
> https://security-tracker.debian.org/tracker/CVE-2016-8610

I will fix this soon.


Kurt



Re: OpenSSL for wheezy

2016-09-23 Thread Kurt Roeckx
On Fri, Sep 23, 2016 at 09:43:03PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Sep 23, 2016 at 09:38:10PM +0200, Kurt Roeckx wrote:
> > So I would like to just upload the 1.0.1u version to
> > wheezy-security.  If nobody complains that is what I will do.
> 
> Then the version number in jessie would be lower than in wheezy,
> breaking updates.

It would be the version from jessie with a different number ...


Kurt



OpenSSL for wheezy

2016-09-23 Thread Kurt Roeckx
Hi,

The version in wheezy-security is currently 1.0.1e-2+deb7u21.
Recently I've changed the jessie version from 1.0.1k to 1.0.1t
without any problem.

Supporting the 1.0.1e now requires a great deal of extra work
because the patches just don't apply.  If it's not because of the
reformatting of the code, it's because various other bugs in the
same code got fixed over the years.

So I would like to just upload the 1.0.1u version to
wheezy-security.  If nobody complains that is what I will do.


Kurt



Re: Security update of ntp

2016-08-08 Thread Kurt Roeckx
On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote:
> Hi Kurt
> 
> As a member of the LTS team I have started to look into a ntp security
> update of CVE-2016-4953 mentioned here:
> https://security-tracker.debian.org/tracker/source-package/ntp
> 
> I see that you have prepared security updates for Debian wheezy in the past
> so I would like to check with you if you want to do it this time too, or if
> you'd like me to do that for you.
> 
> Or alternatively that you know it is a non-issue already.
> 
> I can see the following comment about jessie in the security tracker:
> [jessie] - ntp  (Fix for CVE-2016-1547 or CVE-2015-7979
> wasn't backported)
> 
> But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
> so I guess it is affected, or?
> 
> I have not looked into the details yet as I want to check with you first
> whether you know about this already (I guess you do).

First, the situation for wheezy and jessie should be identical.
They have the same upstream source and should have the same
patches for all security issues.

The fix we use for CVE-2015-7979 is unrelated to the upstream fix,
and so we're not affected by what the upstream patch broke.


Kurt



Re: Security announcement for ntp

2016-07-23 Thread Kurt Roeckx
On Sat, Jul 23, 2016 at 06:38:40PM +0200, Markus Koschany wrote:
> Hi Kurt,
> 
> I saw that you prepared and uploaded a security update for ntp but you
> haven't announced the update yet. Do you want to take care of this
> yourself? Then please follow our guidelines here:
> 
> https://wiki.debian.org/LTS/Development#Prepare_security_updates_for_Wheezy_LTS
> 
> I can send the announcement too but I would appreciate it if you
> provided some information about the update so that I can formulate a few
> descriptive sentences.

I will take care of it.


Kurt



Re: wheezy update of ntp? (was: squeeze update of ntp?)

2016-06-01 Thread Kurt Roeckx
On Wed, Jun 01, 2016 at 07:23:22AM +0200, Santiago Ruano Rincón wrote:
> 
> I have picked your patches (I hope all of them) from the svn to build a
> test package, and have also taken a look at remaining issues.  I have
> only been able to "backport" the fix for CVE-2016-1551, the refclock
> impersonation.

Svn still doesn't contain all the ones I have. Still didn't have
time.


Kurt



Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-05-18 Thread Kurt Roeckx
On Wed, May 18, 2016 at 04:27:22PM -0400, Antoine Beaupré wrote:
> On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> > There are 22 open, some of which are marked as non-important.  Of
> > the new ones some should probably also be marked as such.
> 
> I did so with CVE-2015-8158 as it affects only ntpq under very specific
> conditions and the impact is minor (it hangs).

There are also some things that you need to be authenticated for,
which is at least a non-default config.  I consider all of those to
be non-important.

> > I've spent several hours during the weekend going over commits in
> > bitkeeper.  But as usual, it's all a big mess.  I have 10 issues
> > fixed in svn.  I also have 7 files with the patches in as they
> > apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
> > version yet, so I have no idea what the state of those patches
> > is.  Then there also seem to be at least 2 other bug fixes that
> > appear to be security issues but that didn't get a CVE.
> 
> I tried to go through a few CVEs myself, and I must say I admire your
> courage. It seems like a really confusing tangled mess up there in NTP
> land, really scary stuff and really hard to triage.

Which is one of the reasons I want to switch to ntpsec instead.
I've complained about this mess many times, but it seems to be too
complicated to make things simple.

I suggest that you at least let me finish the patches I started
on.

> I assume that, since both wheezy and jessie share the same version
> number, the same package can be uploaded for both? Or are there
> significant changes between those two?

Jessie and wheezy are the same upstream version, not much changed
between the Debian version, so it's really trivial to get one done
if the other is done.  Squeeze had a slightly older version, but
even that wasn't that much different.

But they have been ignoring 4.2.6 for years, even before the 4.2.8
release; 4.2.8 was supposed to be released real soon now for years.

> I wonder if it wouldn't be worth it to just ship 2.8 in wheezy/jessie
> and get it over with. I certainly don't feel like I have the courage to
> go through all of those.

The changes between 4.2.6 and 4.2.8 are years of work, caused lots
of breakage (that we told years before the release), and I don't
really trust 4.2.8 yet.


Kurt



Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-05-18 Thread Kurt Roeckx
On Wed, May 18, 2016 at 01:24:37PM -0400, Antoine Beaupré wrote:
> On 2016-02-13 05:49:24, Kurt Roeckx wrote:
> > On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> >> Hello dear maintainer(s),
> >> 
> >> The Debian LTS team would like to fix the security issues which are
> >> currently open in the Squeeze version of ntp:
> >> https://security-tracker.debian.org/tracker/source-package/ntp
> >
> > I was under the impression that squeeze LTS support ended?
> >
> >> Would you like to take care of this yourself?
> >> 
> >> Note that all of the squeeze-relevant issues are still open in the 
> >> "newer" Debian releases (wheezy through sid).
> >
> > I'm waiting for upstream to actually fix things.  I estimate it's
> > going to take 2 months.
> 
> Hi!
> 
> That two months delay seems to have expired now. Do you need help
> backporting patches to wheezy?

I need help getting them into jessie in the first place.  It
should normally be trivial to also get them in wheezy in that
case.

> I count around 9 issues still pending in the security tracker for ntp,
> some of them being new since this was last discussed. Those are the
> issues currently pending:

There are 22 open, some of which are marked as non-important.  Of
the new ones some should probably also be marked as such.

I've spent several hours during the weekend going over commits in
bitkeeper.  But as usual, it's all a big mess.  I have 10 issues
fixed in svn.  I also have 7 files with the patches in as they
apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
version yet, so I have no idea what the state of those patches
is.  Then there also seem to be at least 2 other bug fixes that
appear to be security issues but that didn't get a CVE.


Kurt



Re: tracking security issues without CVEs

2016-03-12 Thread Kurt Roeckx
On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> Hello,
> 
> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
> 
> Thinking of imagemagick here, it has a lot of security issues, and
> requests for CVEs are not getting any responses.
> 
> For example, if there are no CVEs are we able to use OVEs instead?

What about DWF?

https://distributedweaknessfiling.org/


Kurt



Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-02-13 Thread Kurt Roeckx
On Sat, Feb 13, 2016 at 03:55:31PM +, Damyan Ivanov wrote:
> -=| Kurt Roeckx, 13.02.2016 11:49:24 +0100 |=-
> > On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> > > Hello dear maintainer(s),
> > > 
> > > The Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of ntp:
> > > https://security-tracker.debian.org/tracker/source-package/ntp
> > 
> > I was under the impression that squeeze LTS support ended?
> 
> Ends on 29 February. See 
> https://lists.debian.org/debian-announce/2016/msg2.html
> 
> > > Note that all of the squeeze-relevant issues are still open in the 
> > > "newer" Debian releases (wheezy through sid).
> > 
> > I'm waiting for upstream to actually fix things.  I estimate it's
> > going to take 2 months.
> 
> When this happens, do you plan to do a wheezy-lts upload too? (wheezy 
> will gain LTS support in March).

Yes.

> BTW CVE-2016-0727 seems to me to be Debian-specific, since the cron 
> job is part of debian/. In case you missed it, there is a patch for it 
> at 
> http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

Nobody seems to have informed me about this ...  At first look
this also doesn't seem that important.


Kurt



Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-02-13 Thread Kurt Roeckx
On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> Hello dear maintainer(s),
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of ntp:
> https://security-tracker.debian.org/tracker/source-package/ntp

I was under the impression that squeeze LTS support ended?

> Would you like to take care of this yourself?
> 
> Note that all of the squeeze-relevant issues are still open in the 
> "newer" Debian releases (wheezy through sid).

I'm waiting for upstream to actually fix things.  I estimate it's
going to take 2 months.

They're all not that important.


Kurt



Re: ntp security update

2015-10-28 Thread Kurt Roeckx
On Wed, Oct 28, 2015 at 09:35:59AM +0900, Ben Hutchings wrote:
> On Tue, 2015-10-27 at 21:57 +0100, Kurt Roeckx wrote:
> > On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> > > I've looked through the upstream repository for the patches that fix the
> > > recently announced issues.  Quite a few of them turned out not to apply
> > > to squeeze, or the newer stable releases, and I've updated the security
> > > tracker accordingly.
> > > 
> > > I backported the remaining fixes as best I can, and uploaded the source
> > > package to:
> > > https://people.debian.org/~benh/packages/squeeze-lts/
> > 
> > So are you going to upload something or should I?
> 
> Could you do it, please?

Sure, I'll do it this evening.


Kurt



Re: ntp security update

2015-10-27 Thread Kurt Roeckx
On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> I've looked through the upstream repository for the patches that fix the
> recently announced issues.  Quite a few of them turned out not to apply
> to squeeze, or the newer stable releases, and I've updated the security
> tracker accordingly.
> 
> I backported the remaining fixes as best I can, and uploaded the source
> package to:
> https://people.debian.org/~benh/packages/squeeze-lts/

So are you going to upload something or should I?


Kurt



Re: ntp security update

2015-10-26 Thread Kurt Roeckx
On Sun, Oct 25, 2015 at 11:23:50PM +0100, Kurt Roeckx wrote:
> On Mon, Oct 26, 2015 at 06:55:06AM +0900, Ben Hutchings wrote:
> > On Sun, 2015-10-25 at 22:45 +0100, Kurt Roeckx wrote:
> > > On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote:
> > [...]
> > > > > While I have additional patches for:
> > > > > CVE-2014-9750.patch (it was missing 1 patch while it was fixed it
> > > > > seems)
> > > > 
> > > > Which is split from CVE-2014-9297.
> > > 
> > > From what I understand CVE-2014-9297 was changed to CVE-2014-9750
> > > and CVE-2014-9298 to CVE-2014-9751 because someone mixed them up.
> > > There is nothing split.
> > > 
> > > In any case, there is a patch missing.
> > 
> > OK, which one is that?  I looked through the upstream commits for bug
> > 2671 and they all seemed to have been included in CVE-2014-9297.patch.
> 
> *look confused*
> 
> At some point 348fc9fa390c7894f589104fbca4d635868b7a45 was
> missing.
> 
> But redhat has a diff that looks like:
> --- ntp_crypto.c 
> +++ ntp_crypto.c  
> @@ -1575,6 +1575,7 @@
> EVP_MD_CTX ctx; /* signature context */
> tstamp_t tstamp;/* NTP timestamp */
> u_int32 temp32;
> +   u_char *puch;
> 
> /*
>  * Extract the public key from the request.
> @@ -1596,9 +1597,9 @@
> vallen = EVP_PKEY_size(pkey);
> vp->vallen = htonl(vallen);
> vp->ptr = emalloc(vallen);
> -   ptr = vp->ptr;
> +   puch = vp->ptr;
> temp32 = htonl(*cookie);
> -   if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
> +   if (RSA_public_encrypt(4, (u_char *)&temp32, puch,
> pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) {
> msyslog(LOG_ERR, "crypto_encrypt: %s",
> ERR_error_string(ERR_get_error(), NULL));
> 
> 
> (Didn't look at what that does yet, looks like part of a change of
> a much older commit.)

So the effect of this seems to be that "ptr", which is a parameter
to a function, isn't used anymore as some pointer.  But ptr isn't
used anymore at this point, so seems that it doesn't have any
effect.


Kurt



Re: ntp security update

2015-10-25 Thread Kurt Roeckx
On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote:
> On Sun, 2015-10-25 at 11:19 +0100, Kurt Roeckx wrote:
> > On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> > > I've looked through the upstream repository for the patches that fix the
> > > recently announced issues.  Quite a few of them turned out not to apply
> > > to squeeze, or the newer stable releases, and I've updated the security
> > > tracker accordingly.
> > > 
> > > I backported the remaining fixes as best I can, and uploaded the source
> > > package to:
> > > https://people.debian.org/~benh/packages/squeeze-lts/
> > > 
> > > Would you be willing to review this package?
> > > 
> > > I noticed that you entirely reverted the upstream patch that was
> > > supposed to fix CVE-2015-7704 and -7705, and then applied a different
> > > fix for -7704.  I think this means -7705 isn't fixed in sid, though the
> > > security tracker currently says it is.  Who's right?
> > 
> > I can't seem to be getting much information out of anything from
> > upstream.  Lots of things don't seem to be affecting the 4.2.6
> > version.
> >
> > From what I currently understand the following don't apply to the
> > 4.2.6 versions:
> > CVE-2015-5196
> [...]
> > So it seems they renamed CVE-2015-5196 to CVE-2015-7703.  Your
> > patch probably makes sense and I should get that fixed in jessie
> > and wheezy too.
> > 
> > I'm just wondering why you didn't move the T_Pidfile like upstream
> > did, that part seems to apply.
> 
> Not in squeeze; there aren't any separate parsing rules for local and
> remote.
> 
> > Your bug-2899.patch patch looks a little different.  You have:
> > @@ -2207,8 +2221,8 @@ crypto_bob(
> >    vp->sig = emalloc(sign_siglen);
> >    EVP_SignInit(&ctx, sign_digest);
> >    EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
> > -  EVP_SignUpdate(&ctx, vp->ptr, vallen);
> > -  if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
> > +  EVP_SignUpdate(&ctx, vp->ptr, len);
> > +  if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
> >    vp->siglen = htonl(sign_siglen);
> >    return (XEVNT_OK);
> >  }
> > 
> > The patch from upstream and the one from redhat has:
> > @@ -2214,9 +2228,9 @@ crypto_bob(
> > vp->sig = emalloc(sign_siglen);
> > EVP_SignInit(&ctx, sign_digest);
> > EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
> > -   EVP_SignUpdate(&ctx, vp->ptr, vallen);
> > -   if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
> > -   vp->siglen = htonl(sign_siglen);
> > +   EVP_SignUpdate(&ctx, vp->ptr, len);
> > +   if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
> > +   vp->siglen = htonl(len);
> > return (XEVNT_OK);
> >  }
> > 
> > 
> > As in, the htonl() call changes sign_siglen to len.
> 
> No, it changes vallen to len.  But in 4.2.6 vallen is ignored and the
> previously calculated sign_siglen is assumed to be correct.  I didn't
> want to change that.

So from the EVP_SignFinal manpage:
| The number of bytes of data written (i.e. the length of the
| signature) will be written to the integer at s, at most
| EVP_PKEY_size(pkey) bytes will be written.

That is, the signature can be shorter than the key, it depends on
the signature scheme.

And sign_siglen in both 4.2.6 and 4.2.8 is:
sign_siglen = EVP_PKEY_size(sign_pkey);

So maybe the variable name is a little misleading, it's the size
of the key not the signature.


Kurt
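The point Kurt makes above, that EVP_PKEY_size() is a key-size upper bound while the real signature length is what EVP_SignFinal() writes back, is easiest to see on bytes. The block below is an added example, not ntp or OpenSSL code: it models OpenSSL's DER encoding of a DSA (r, s) signature and its DSA_size() worst-case computation in pure Python so it runs without OpenSSL, with constructed q sizes, r, s and buffer bytes, and shows how a receiver that trusts a siglen taken from sign_siglen instead of len reads past the real signature.

```python
"""Added example (not ntp or OpenSSL code): EVP_PKEY_size() is an upper
bound on the signature length; EVP_SignFinal() reports the real one.

OpenSSL's DSA_size() (what EVP_PKEY_size() returns for a DSA key) is the
largest possible DER encoding of SEQUENCE { INTEGER r, INTEGER s } for the
key's subgroup order q, while the bytes EVP_SignFinal() actually writes
depend on the values of r and s.  crypto_bob() in ntp 4.2.6 stored the
former in vp->siglen; the upstream fix stores the latter.  The DER rules
are modelled in pure Python here so it runs without OpenSSL; every key
size, r, s and buffer byte below is constructed for the demonstration.
(For RSA PKCS#1 signatures the two lengths coincide, which is why the bug
stays invisible with RSA keys.)
"""


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(v: int) -> bytes:
    """DER INTEGER for v >= 0: minimal big-endian bytes, plus a 0x00 pad
    byte when the top bit is set so the value stays positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def encode_dsa_sig(r: int, s: int) -> bytes:
    """What EVP_SignFinal() writes for a DSA key: SEQUENCE { r, s }."""
    inner = der_integer(r) + der_integer(s)
    return b"\x30" + der_len(len(inner)) + inner


def dsa_size(q_bits: int) -> int:
    """Mirror of OpenSSL's DSA_size(): size of the encoding when both r
    and s use every byte of q and need the sign pad (top bit set)."""
    worst = der_integer((1 << (((q_bits + 7) // 8) * 8)) - 1)
    return len(b"\x30" + der_len(2 * len(worst)) + worst * 2)


def frame(sig: bytes, reported_len: int, tail: bytes) -> bytes:
    """Constructed wire layout: a big-endian 32-bit siglen (what htonl()
    puts in vp->siglen) followed by the emalloc(sign_siglen) buffer, i.e.
    the signature and whatever bytes sit in the unwritten rest of it."""
    return reported_len.to_bytes(4, "big") + sig + tail


def read_sig(framed: bytes) -> bytes:
    """Receiver that trusts the advertised siglen, as the peer must."""
    n = int.from_bytes(framed[:4], "big")
    return framed[4 : 4 + n]


def siglen_report(r: int, s: int, q_bits: int) -> tuple:
    """Compare the buggy (sign_siglen) and fixed (len) siglen values.

    Returns (actual_len, key_size, buggy_receiver_ok, fixed_receiver_ok)."""
    sig = encode_dsa_sig(r, s)
    tail = b"\xaa\xbb\xcc\xdd"  # constructed stand-in for uninitialised heap
    buggy = read_sig(frame(sig, dsa_size(q_bits), tail))
    fixed = read_sig(frame(sig, len(sig), tail))
    return len(sig), dsa_size(q_bits), buggy == sig, fixed == sig


if __name__ == "__main__":
    # 160-bit q with r, s whose top bits are clear: a 45-byte signature
    # advertised as 48 bytes, so the receiver swallows 3 foreign bytes.
    print(siglen_report(1 << 150, (1 << 159) - 1, 160))
    # Worst-case r and s: the two lengths agree and the bug is masked.
    print(siglen_report((1 << 160) - 1, (1 << 160) - 1, 160))
```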



Re: ntp security update

2015-10-25 Thread Kurt Roeckx
On Mon, Oct 26, 2015 at 06:55:06AM +0900, Ben Hutchings wrote:
> On Sun, 2015-10-25 at 22:45 +0100, Kurt Roeckx wrote:
> > On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote:
> [...]
> > > > While I have additional patches for:
> > > > CVE-2014-9750.patch (it was missing 1 patch while it was fixed it
> > > > seems)
> > > 
> > > Which is split from CVE-2014-9297.
> > 
> > From what I understand CVE-2014-9297 was changed to CVE-2014-9750
> > and CVE-2014-9298 to CVE-2014-9751 because someone mixed them up.
> > There is nothing split.
> > 
> > In any case, there is a patch missing.
> 
> OK, which one is that?  I looked through the upstream commits for bug
> 2671 and they all seemed to have been included in CVE-2014-9297.patch.

*look confused*

At some point 348fc9fa390c7894f589104fbca4d635868b7a45 was
missing.

But redhat has a diff that looks like:
--- ntp_crypto.c 
+++ ntp_crypto.c  
@@ -1575,6 +1575,7 @@
EVP_MD_CTX ctx; /* signature context */
tstamp_t tstamp;/* NTP timestamp */
u_int32 temp32;
+   u_char *puch;

/*
 * Extract the public key from the request.
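Review bot: the new local `u_char *puch;` is declared in this hunk but only assigned in the next one, so the two hunks are not independently applicable; applied alone, this one leaves an unused, uninitialised variable that compilers will warn about. Noting in the patch header that both hunks form one change, or keeping the declaration next to its first use, would make the backport easier to review.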
@@ -1596,9 +1597,9 @@
vallen = EVP_PKEY_size(pkey);
vp->vallen = htonl(vallen);
vp->ptr = emalloc(vallen);
-   ptr = vp->ptr;
+   puch = vp->ptr;
temp32 = htonl(*cookie);
-   if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
+   if (RSA_public_encrypt(4, (u_char *)&temp32, puch,
pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) {
msyslog(LOG_ERR, "crypto_encrypt: %s",
ERR_error_string(ERR_get_error(), NULL));
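Review bot: whether this hunk is a functional fix or a cleanup depends on whether the parameter `ptr` is read after the `RSA_public_encrypt()` call, which the hunk's context does not show: the only behavioural change is that `vp->ptr` is no longer copied into `ptr`, so the caller's value survives past this point. The backport should check the rest of crypto_encrypt() for later uses of `ptr` before deciding whether this belongs in the CVE patch. The OAEP output buffer itself is sized correctly, since `vp->ptr = emalloc(vallen)` with `vallen = EVP_PKEY_size(pkey)` is exactly what `RSA_public_encrypt()` requires.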


(Didn't look at what that does yet, looks like part of a change of
a much older commit.)


Kurt



Re: ntp security update

2015-10-25 Thread Kurt Roeckx
On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote:
> > Your bug-2899.patch patch looks a little different.  You have:
> > @@ -2207,8 +2221,8 @@ crypto_bob(
> >    vp->sig = emalloc(sign_siglen);
> >    EVP_SignInit(&ctx, sign_digest);
> >    EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
> > -  EVP_SignUpdate(&ctx, vp->ptr, vallen);
> > -  if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
> > +  EVP_SignUpdate(&ctx, vp->ptr, len);
> > +  if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
> >    vp->siglen = htonl(sign_siglen);
> >    return (XEVNT_OK);
> >  }
> > 
> > The patch from upstream and the one from redhat has:
> > @@ -2214,9 +2228,9 @@ crypto_bob(
> > vp->sig = emalloc(sign_siglen);
> > EVP_SignInit(&ctx, sign_digest);
> > EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
> > -   EVP_SignUpdate(&ctx, vp->ptr, vallen);
> > -   if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
> > -   vp->siglen = htonl(sign_siglen);
> > +   EVP_SignUpdate(&ctx, vp->ptr, len);
> > +   if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
> > +   vp->siglen = htonl(len);
> > return (XEVNT_OK);
> >  }
> > 
> > 
> > As in, the htonl() call changes sign_siglen to len.
> 
> No, it changes vallen to len.  But in 4.2.6 vallen is ignored and the
> previously calculated sign_siglen is assumed to be correct.  I didn't
> want to change that.

Will take a look at this.

> > While I have additional patches for:
> > CVE-2014-9750.patch (it was missing 1 patch while it was fixed it
> > seems)
> 
> Which is split from CVE-2014-9297.

From what I understand CVE-2014-9297 was changed to CVE-2014-9750
and CVE-2014-9298 to CVE-2014-9751 because someone mixed them up.
There is nothing split.

In any case, there is a patch missing.

> > ntp-4.2.6p5-cve-2015-5219.patch
> > ntp-4.2.6p5-cve-2015-5195.patch
> > ntp-4.2.6p5-cve-2015-5194.patch
> > ntp-4.2.6p5-cve-2015-5146.patch
> 
> These were already marked as no-DSA-required in the security tracker.

I don't see why we shouldn't fix them.

> > CVE-2015-7705.patch
> 
> Where does this come from?

That's a good question.  It just seems to be about logging, so
that seems to be wrong.

> > CVE-2015-7851.patch
> 
> VMS only, so I didn't bother.
> 
> > CVE-2015-7853.patch
> 
> This really isn't needed because 4.2.6 doesn't have the incorrect cast
> from size_t to int.  Please revert your change in the security tracker.

You're right, I somehow missed the casts.


Kurt



Re: ntp security update

2015-10-25 Thread Kurt Roeckx
On Sun, Oct 25, 2015 at 11:51:24AM +0100, Kurt Roeckx wrote:
> On Sun, Oct 25, 2015 at 11:19:03AM +0100, Kurt Roeckx wrote:
> > On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> > > I've looked through the upstream repository for the patches that fix the
> > > recently announced issues.  Quite a few of them turned out not to apply
> > > to squeeze, or the newer stable releases, and I've updated the security
> > > tracker accordingly.
> > > 
> > > I backported the remaining fixes as best I can, and uploaded the source
> > > package to:
> > > https://people.debian.org/~benh/packages/squeeze-lts/
> > > 
> > > Would you be willing to review this package?
> > > 
> > > I noticed that you entirely reverted the upstream patch that was
> > > supposed to fix CVE-2015-7704 and -7705, and then applied a different
> > > fix for -7704.  I think this means -7705 isn't fixed in sid, though the
> > > security tracker currently says it is.  Who's right?
> > 
> > I can't seem to be getting much information out of anything from
> > upstream.  Lots of things don't seem to be affecting the 4.2.6
> > version.
> > 
> > From what I currently understand the following don't apply to the
> > 4.2.6 versions:
> > CVE-2015-5196
> 
> So it seems they renamed CVE-2015-5196 to CVE-2015-7703.  Your
> patch probably makes sense and I should get that fixed in jessie
> and wheezy too.

I actually got that fixed, the patch is just named
ntp-4.2.6p5-cve-2015-5196.patch and not -7703.

> I'm just wondering why you didn't move the T_Pidfile like upstream
> did, that part seems to apply.
> 
> (I have to go now, will look at it later again.)

Your bug-2899.patch patch looks a little different.  You have:
@@ -2207,8 +2221,8 @@ crypto_bob(
   vp->sig = emalloc(sign_siglen);
   EVP_SignInit(&ctx, sign_digest);
   EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
-  EVP_SignUpdate(&ctx, vp->ptr, vallen);
-  if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
+  EVP_SignUpdate(&ctx, vp->ptr, len);
+  if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
   vp->siglen = htonl(sign_siglen);
   return (XEVNT_OK);
 }
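Review bot: the length reported in `vp->siglen = htonl(sign_siglen);` is left at the key size even though `EVP_SignFinal()` has just written the actual signature length into `len`; since `sign_siglen = EVP_PKEY_size(sign_pkey)` is only an upper bound (the manpage text quoted in this thread says at most that many bytes are written), the two differ for signature schemes whose output varies in size, and the peer then receives a siglen that overstates the signature. Prefer `vp->siglen = htonl(len);` as the upstream hunk does. Separately, reusing `len` as both the `EVP_SignUpdate()` data length and the `EVP_SignFinal()` output length discards the data length; a distinct local for the signature length would be clearer.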

The patch from upstream and the one from redhat has:
@@ -2214,9 +2228,9 @@ crypto_bob(
vp->sig = emalloc(sign_siglen);
EVP_SignInit(&ctx, sign_digest);
EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
-   EVP_SignUpdate(&ctx, vp->ptr, vallen);
-   if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
-   vp->siglen = htonl(sign_siglen);
+   EVP_SignUpdate(&ctx, vp->ptr, len);
+   if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
+   vp->siglen = htonl(len);
return (XEVNT_OK);
 }
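Review bot: the third `+` line, `vp->siglen = htonl(len);`, is the change the backport above lacks: siglen has to be the length EVP_SignFinal() wrote into `len`, not the `sign_siglen` allocation, so the backport should carry this line as well. Note also that the context and `+`/`-` lines of this hunk have lost their leading whitespace as quoted here (compare the indentation of the first hunk), so it will not apply verbatim; take the line from the upstream or Red Hat patch file rather than from this mail.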


As in, the htonl() call changes sign_siglen to len.


Your CVE-2015-7850 patch, in mvsyslog() calls vsnprintf() while
mine calls mvsnprintf().


You somehow seem to have the patches applied, you have a .pc
directory in it ...

So you applied the following patches:
CVE-2015-5300.patch
bug-2899.patch (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)
CVE-2015-7701.patch
CVE-2015-7703.patch
CVE-2015-7704.patch
CVE-2015-7850.patch
CVE-2015-7852.patch
CVE-2015-7855.patch
CVE-2015-7871.patch

While I have additional patches for:
CVE-2014-9750.patch (it was missing 1 patch while it was fixed it seems)
ntp-4.2.6p5-cve-2015-5219.patch
ntp-4.2.6p5-cve-2015-5195.patch
ntp-4.2.6p5-cve-2015-5194.patch
ntp-4.2.6p5-cve-2015-5146.patch
CVE-2015-7705.patch
CVE-2015-7851.patch
CVE-2015-7853.patch

Which leaves, which I think really don't affect 4.2.6:
CVE-2015-7848
CVE-2015-7849
CVE-2015-7854


Should I just upload my patches?


Kurt
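The one-line difference picked out above can be found mechanically. As an added example (not code from this thread, from ntp or from Debian), this Python check compares what each bug-2899.patch hunk leaves behind after it is applied, ignoring the indentation the mail archive stripped from the second hunk; the hunk text is constructed input copied from the mail.

```python
# Added example: does the bug-2899.patch backport end up with the same code as
# the upstream/Red Hat hunk?  Constructed input: the two hunks as quoted above.
BACKPORT_HUNK = """\
@@ -2207,8 +2221,8 @@ crypto_bob(
   vp->sig = emalloc(sign_siglen);
   EVP_SignInit(&ctx, sign_digest);
   EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
-  EVP_SignUpdate(&ctx, vp->ptr, vallen);
-  if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
+  EVP_SignUpdate(&ctx, vp->ptr, len);
+  if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
   vp->siglen = htonl(sign_siglen);
   return (XEVNT_OK);
 }
"""
UPSTREAM_HUNK = """\
@@ -2214,9 +2228,9 @@ crypto_bob(
vp->sig = emalloc(sign_siglen);
EVP_SignInit(&ctx, sign_digest);
EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
-   EVP_SignUpdate(&ctx, vp->ptr, vallen);
-   if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
-   vp->siglen = htonl(sign_siglen);
+   EVP_SignUpdate(&ctx, vp->ptr, len);
+   if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
+   vp->siglen = htonl(len);
return (XEVNT_OK);
 }
"""

def post_image(hunk):
    """Whitespace-normalised code lines present after the hunk is applied."""
    result = set()
    for line in hunk.splitlines():
        if not line.strip() or line.startswith("@@"):
            continue
        # A line with no diff marker is a context line whose leading space
        # was lost in transit (assumes context code never starts with +/-).
        marker, body = (line[0], line[1:]) if line[0] in "+- " else (" ", line)
        if marker != "-":
            result.add(" ".join(body.split()))  # ignore indentation differences
    return result

def backport_divergence(backport, upstream):
    """Return (only_in_backport, only_in_upstream) post-image lines."""
    bp, up = post_image(backport), post_image(upstream)
    return bp - up, up - bp

if __name__ == "__main__":
    only_here, only_upstream = backport_divergence(BACKPORT_HUNK, UPSTREAM_HUNK)
    print("lines the backport lacks:", only_upstream)  # {'vp->siglen = htonl(len);'}
```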



Re: ntp security update

2015-10-25 Thread Kurt Roeckx
On Sun, Oct 25, 2015 at 11:19:03AM +0100, Kurt Roeckx wrote:
> On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> > I've looked through the upstream repository for the patches that fix the
> > recently announced issues.  Quite a few of them turned out not to apply
> > to squeeze, or the newer stable releases, and I've updated the security
> > tracker accordingly.
> > 
> > I backported the remaining fixes as best I can, and uploaded the source
> > package to:
> > https://people.debian.org/~benh/packages/squeeze-lts/
> > 
> > Would you be willing to review this package?
> > 
> > I noticed that you entirely reverted the upstream patch that was
> > supposed to fix CVE-2015-7704 and -7705, and then applied a different
> > fix for -7704.  I think this means -7705 isn't fixed in sid, though the
> > security tracker currently says it is.  Who's right?
> 
> I can't seem to be getting much information out of anything from
> upstream.  Lots of things don't seem to be affecting the 4.2.6
> version.
> 
> From what I currently understand the following don't apply to the
> 4.2.6 versions:
> CVE-2015-5196

So it seems they renamed CVE-2015-5196 to CVE-2015-7703.  Your
patch probably makes sense and I should get that fixed in jessie
and wheezy too.

I'm just wondering why you didn't move the T_Pidfile like upstream
did, that part seems to apply.

(I have to go now, will look at it later again.)



Kurt



Re: ntp security update

2015-10-25 Thread Kurt Roeckx
On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> I've looked through the upstream repository for the patches that fix the
> recently announced issues.  Quite a few of them turned out not to apply
> to squeeze, or the newer stable releases, and I've updated the security
> tracker accordingly.
> 
> I backported the remaining fixes as best I can, and uploaded the source
> package to:
> https://people.debian.org/~benh/packages/squeeze-lts/
> 
> Would you be willing to review this package?
> 
> I noticed that you entirely reverted the upstream patch that was
> supposed to fix CVE-2015-7704 and -7705, and then applied a different
> fix for -7704.  I think this means -7705 isn't fixed in sid, though the
> security tracker currently says it is.  Who's right?

I can't seem to be getting much information out of anything from
upstream.  Lots of things don't seem to be affecting the 4.2.6
version.

From what I currently understand the following don't apply to the
4.2.6 versions:
CVE-2015-5196
CVE-2015-7848
CVE-2015-7849
CVE-2015-7854
CVE-2015-7855
CVE-2015-7871 (unless you patch it first)

You seem to be right that we're affected by CVE-2015-7705 now,
which redhat also doesn't seem to have fixed because they don't
enable rate limiting.  I actually enabled this in 4.2.8p3+dfsg-1
for some reason.


Kurt



Re: [Pkg-openssl-devel] squeeze update of openssl?

2015-06-15 Thread Kurt Roeckx
On Mon, Jun 15, 2015 at 01:13:32PM +0200, Jan Wagner wrote:
> Hi there,
> 
> Am 12.06.15 um 18:49 schrieb Guido Günther:
> > the Debian LTS team would like to fix the security issues which
> > are currently open in the Squeeze version of openssl: 
> > https://security-tracker.debian.org/tracker/CVE-2014-8176 
> > https://security-tracker.debian.org/tracker/CVE-2015-1789 
> > https://security-tracker.debian.org/tracker/CVE-2015-1790 
> > https://security-tracker.debian.org/tracker/CVE-2015-1791 
> > https://security-tracker.debian.org/tracker/CVE-2015-1792 
> > https://security-tracker.debian.org/tracker/CVE-2015-4000
> > 
> > I have left CVE-2015-4000 in the list since I'm unsure what we
> > should do about it in squeeze. Any feedback on this would be very
> > welcome.
> [...]
> > If you don't want to take care of this update, it's not a problem,
> > we will do our best with your package. Just let us know whether you
> > would like to review and/or test the updated package before it gets
> > released.
> 
> did I oversee anything and is there something happening there?

I didn't have time for squeeze yet.  It will probably be something
for wednesday.


Kurt


-- 
To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150615133454.gc16...@roeckx.be



Re: squeeze update of ntp?

2015-04-10 Thread Kurt Roeckx
On Fri, Apr 10, 2015 at 11:33:22PM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Fri, 10 Apr 2015, Kurt Roeckx wrote:
> > On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
> > > Would you like to take care of this yourself? We are still understaffed so
> > > any help is always highly appreciated.
> > 
> > You really don't have patience do you?
> 
> I do, but contacting maintainers is just part of the workflow of CVE
> triage we defined for Debian LTS. Sorry if this mail bothered you. Is
> there a way to do it that would have been better received on your side?

The upload to unstable (and wheezy) only happened a few hours ago
because I didn't have time before.


Kurt


Archive: https://lists.debian.org/20150410215649.ga12...@roeckx.be



Re: squeeze update of ntp?

2015-04-10 Thread Kurt Roeckx
On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of ntp:
> https://security-tracker.debian.org/tracker/CVE-2015-1798
> https://security-tracker.debian.org/tracker/CVE-2015-1799
> https://security-tracker.debian.org/tracker/TEMP-000-C29A8D
> 
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.

You really don't have patience do you?


Kurt


Archive: https://lists.debian.org/20150410211355.ga2...@roeckx.be



Re: squeeze update of openssl?

2015-03-09 Thread Kurt Roeckx
On Mon, Mar 09, 2015 at 04:29:43PM +0100, Raphael Hertzog wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of openssl:
> https://security-tracker.debian.org/tracker/CVE-2015-0209
> https://security-tracker.debian.org/tracker/CVE-2015-0288

Please ignore them for now.  They are not yet fixed in any branch,
but will be taken care of.


Kurt


Archive: https://lists.debian.org/20150309171443.ga6...@roeckx.be



Re: OpenSSL 0.9.8 patches

2014-10-21 Thread Kurt Roeckx
On Tue, Oct 21, 2014 at 09:17:00AM +0200, Raphael Hertzog wrote:
> Hello Paul,
> 
> On Mon, 20 Oct 2014, Paul Allen wrote:
> > Right, but what about the patch for adding TLS_FALLBACK_SCSV? And the
> > other vulnerabilities that were patched in 0.9.8zc?
> 
> I believe that Kurt Roeckx (one of the openssl
> maintainers in Debian) intends to upload a package with those
> fixes. I'm not sure when he will get to it though (I'm putting him in
> copy).

So I plan to upload a version.  I'm just not sure when yet.


Kurt


Archive: https://lists.debian.org/20141021162916.ga31...@roeckx.be