Processed: nmu: tuxmath_2.0.3-9
Processing control commands:

> affects -1 + src:tuxmath
Bug #1068844 [release.debian.org] nmu: tuxmath_2.0.3-9
Added indication that 1068844 affects src:tuxmath

--
1068844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068844
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1068844: nmu: tuxmath_2.0.3-9
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: tuxm...@packages.debian.org
Control: affects -1 + src:tuxmath

nmu tuxmath_2.0.3-9 . armel armhf s390x . unstable . -m "Rebuild for time_t"

Please rebuild tuxmath on the listed archs now that t4kcommon has built on
those archs.

Chris
Processed: nmu: libnbd_1.20.0-1
Processing control commands:

> affects -1 + src:libnbd
Bug #1068843 [release.debian.org] nmu: libnbd_1.20.0-1
Added indication that 1068843 affects src:libnbd

--
1068843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068843
Bug#1068843: nmu: libnbd_1.20.0-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu
X-Debbugs-Cc: lib...@packages.debian.org
Control: affects -1 + src:libnbd

nmu libnbd_1.20.0-1 . ANY . unstable . -m "Rebuild on buildds"

Please rebuild libnbd to replace the profile nocheck builds on armhf, armel.

Chris
Processed: block 1036884 with 1068078
Processing commands for cont...@bugs.debian.org:

> block 1036884 with 1068078
Bug #1036884 [release.debian.org] transition: time64_t
1036884 was blocked by: 1065787 1068325 1067288 1065940 1067171 1055352 1067829 1068160 1067494 1067509 1055530 1066328 1067676 1066794 1066134 1067192 1067916 1065816 1067170 1068068 1067508 1067272 1065790 1065973 1066049 1065725 1067189 1067190 1067069 1067458 1067193 1068586 1067677 1068327 1067175 1062847 1067561
1036884 was not blocking any bugs.
Added blocking bug(s) of 1036884: 1068078
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1036884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036884
Processed: block 1036884 with 1065725
Processing commands for cont...@bugs.debian.org:

> block 1036884 with 1065725
Bug #1036884 [release.debian.org] transition: time64_t
1036884 was blocked by: 1067677 1067288 1066134 1067272 1055530 1067509 1065816 1067561 1065787 1068325 1065973 1066328 1067190 1065790 1067494 1062847 1067508 1067916 1066794 1065940 1067193 1067189 1068327 1068586 1067069 1067175 1068068 1067676 1068160 1067829 1067458 1055352 1066049 1067170 1067192 1067171
1036884 was not blocking any bugs.
Added blocking bug(s) of 1036884: 1065725
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1036884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036884
Bug#1065413: bookworm-pu: package openssl/3.0.13-1~deb12u1
Hi Sebastian,

On Tue, Apr 09, 2024 at 06:18:13PM +0200, Sebastian Andrzej Siewior wrote:
> On 2024-04-07 23:46:28 [+0200], To Adam D. Barratt wrote:
> > On 2024-03-24 20:06:12 [+], Adam D. Barratt wrote:
> > >
> > > Sorry for not getting to this sooner. Is this still the case?
> >
> > So. This happened #1068045 (yapet broke with 1.0 format) due to the
> > update. On the bright side it has been broken in unstable but unnoticed.
> > Looking into it but also sleeping (but making progress).
>
> yapet is fixed in unstable. My understanding is that the maintainer will
> take care of it.

After exposure of the upload in unstable for two days, uploaded now as
well to bookworm. Filed #1068836.

Regards,
Salvatore
Processed: bookworm-pu: package yapet/2.6-2~deb12u1
Processing control commands:

> affects -1 + src:yapet
Bug #1068836 [release.debian.org] bookworm-pu: package yapet/2.6-2~deb12u1
Added indication that 1068836 affects src:yapet

--
1068836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068836
Bug#1068836: bookworm-pu: package yapet/2.6-2~deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ya...@packages.debian.org, car...@debian.org
Control: affects -1 + src:yapet
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
After the update of openssl/3.0.13-1~deb12u1 in bookworm-pu Sean found
that old 1.0 format databases. While most of people should have moved
some time ago to 2.0 format databases, they are still claimed to be
supported. The update of openssl uncovered though a bug in yapet (as
well present in unstable, and fixed as well). Sebastian explained the
situation in https://bugs.debian.org/1068045#94

[ Impact ]
Users using the old 1.0 format could not open anymore their store.

[ Tests ]
Done explicitly with an old 1.0 format database provided by sean,
running the testsuite, and manual checks with 2.0 format databases.

[ Risks ]
Patches provided by the openssl maintainer. While they are not yet
applied upstream, they tackle the bug in yapet as isolated by the
openssl maintainers.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The two patches drop EVP_CIPHER_CTX_set_key_length() invocation to keep
compatibility with 1.0 databases and with openssl versions. Quoting the
commit:

|yapet did for blowfish:
|
|| EVP_CipherInit_ex(ctx, cipher, NULL, KEY, iv, mode);
|| EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH);
|| EVP_CipherUpdate(ctx, …);
|
|this worked in earlier OpenSSL versions and stopped working in
|openssl-3.0.13. The problem here is that the
|EVP_CIPHER_CTX_set_key_length() is ignored and the later OpenSSL version
|returns rightfully an error "Provider routines::no key set" here.
|
|Blowfish does support variable key lengths but the key length has to be
|set first followed by the actual key. Otherwise the blocksize (16) will
|be used.
|The correct way to deal with this would be:
|
|| EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, mode);
|| EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH);
|| EVP_CipherInit_ex(ctx, NULL, NULL, KEY, IV, mode);
|| EVP_CipherUpdate(ctx, …);
|
|Using now the proper way will break earlier databases because in the
|blowfish case, always the default blocksize / 16 has been used.
|
|In order to keep compatibility with earlier versions of the database and
|openssl remove the EVP_CIPHER_CTX_set_key_length() invocation.

While at it Sebastian fixed as well the invocation present for the
crypt/aes code.

[ Other info ]
None.

Regards,
Salvatore

diff -Nru yapet-2.6/debian/changelog yapet-2.6/debian/changelog --- yapet-2.6/debian/changelog 2022-03-14 14:19:11.0 +0100 +++ yapet-2.6/debian/changelog 2024-04-11 20:40:18.0 +0200 @@ -1,3 +1,16 @@ +yapet (2.6-2~deb12u1) bookworm; urgency=medium + + * Rebuild for bookworm + + -- Salvatore Bonaccorso Thu, 11 Apr 2024 20:40:18 +0200 + +yapet (2.6-2) unstable; urgency=medium + + * crypt/blowfish: Remove EVP_CIPHER_CTX_set_key_length() (Closes: #1064724) + * crypt/aes: Remove EVP_CIPHER_CTX_set_key_length() + + -- Salvatore Bonaccorso Mon, 08 Apr 2024 21:32:50 +0200 + yapet (2.6-1) unstable; urgency=medium * New upstream version 2.6 diff -Nru yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch --- yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch 1970-01-01 01:00:00.0 +0100 +++ yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch 2024-04-11 20:40:18.0 +0200 
@@ -0,0 +1,41 @@ +From aaa573b14bafcc9a6b46495bd4ffc15b90d35902 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Mon, 8 Apr 2024 18:19:12 +0200 +Subject: [PATCH] crypt/aes: Remove EVP_CIPHER_CTX_set_key_length(). + +The EVP_CIPHER_CTX_set_key_length() in the AES-256-CBC case is pointless +because the key here is fixed EVP_CIPHER_CTX_set_key_length() and the +function does not change the size. + +Remove the EVP_CIPHER_CTX_set_key_length() invocation. + +Signed-off-by: Sebastian Andrzej Siewior +--- + src/libs/crypt/aes256.cc | 11 --- + 1 file changed, 11 deletions(-) + +diff --git a/src/libs/crypt/aes256.cc b/src/libs/crypt/aes256.cc +index 1041b9c57347..e105b1a5bedd 100644 +--- a/src/libs/crypt/aes256.cc b/src/libs/crypt/aes256.cc +@@ -113,17 +113,6 @@ EVP_CIPHER_CTX* Aes256::initializeOrThrow(const SecureArray& ivec, MODE mode) { + throw CipherError{_("Error initializing cipher")}; + } + +-success = EVP_CIPHER_CTX_set_key_length(context, getKey()->keySize()); +-if (success != SSL_SUCCESS) { +-LOG_MESSAGE(std::string{__func__} + ": Error setting key length"); +-destroyContext(context); +-char msg[YAPET::Consts::EXCEPTION_MESSAGE_BUFFER_SIZE]; +-std::snprintf(msg,
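Review bot: the rationale sentence in the crypt/aes patch description is garbled ("because the key here is fixed EVP_CIPHER_CTX_set_key_length() and the function does not change the size") and should be reworded before upload, e.g. "because the key length of AES-256-CBC is fixed, so EVP_CIPHER_CTX_set_key_length() cannot change it and the call is a no-op". Separately, the aes256.cc hunk as attached here is cut off mid-statement at "std::snprintf(msg," and the crypt/blowfish patch named in the changelog ("crypt/blowfish: Remove EVP_CIPHER_CTX_set_key_length() (Closes: #1064724)") does not appear in the visible debdiff at all, so the complete debdiff needs to be re-attached so that the blowfish change, which is the one that actually restores 1.0-format database access, can be reviewed.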
Processed: Re: Bug#1068798: bookworm-pu: package fdroidserver/2.2.1-1
Processing control commands:

> tags -1 + moreinfo
Bug #1068798 [release.debian.org] bookworm-pu: package fdroidserver/2.2.1-1
Added tag(s) moreinfo.

--
1068798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068798
Bug#1068798: bookworm-pu: package fdroidserver/2.2.1-1
Control: tags -1 + moreinfo

On Thu, 2024-04-11 at 11:36 +0200, Jochen Sprickerhof wrote:
> [ ] the issue is verified as fixed in unstable
> [...]
> Upstream is still working on a long term fix that will be uploaded to
> unstable later. I agreed with upstream to use the patch provided
> in the mail on oss-security already now.

In any case, assuming that the issue affects unstable (which appears to
be the case), it should be fixed there first.

Regards,
Adam
Processed: re: ppp: FTBFS due -Werror=implicit-function-declaration
Processing commands for cont...@bugs.debian.org:

> block 1036884 by 1066134
Bug #1036884 [release.debian.org] transition: time64_t
1036884 was blocked by: 1055352 1067676 1067288 1067916 1068327 1068586 1067829 1067494 1065787 1065790 1068160 1066049 1067190 1055530 1066794 1067677 1068325 1067170 1068068 1062847 1067193 1067458 1067272 1067189 1065973 1066328 1067171 1067069 1067509 1067192 1067508 1065816 1067175 1067561
1036884 was not blocking any bugs.
Added blocking bug(s) of 1036884: 1066134 and 1065940
> tags 1066134 +patch
Bug #1066134 {Done: Adrian Bunk } [src:ppp] FTBFS due -Werror=implicit-function-declaration
Bug #1065940 {Done: Adrian Bunk } [src:ppp] ppp: FTBFS on arm{el,hf}: sys-linux.c:357:9: error: implicit declaration of function ‘sif6down’; did you mean ‘sifdown’? [-Werror=implicit-function-declaration]
Ignoring request to alter tags of bug #1066134 to the same tags previously set
Ignoring request to alter tags of bug #1065940 to the same tags previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1036884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036884
1065940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065940
1066134: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066134
Processed: block 1036884 with 1065790
Processing commands for cont...@bugs.debian.org:

> block 1036884 with 1065790
Bug #1036884 [release.debian.org] transition: time64_t
1036884 was blocked by: 1065816 1065787 1068068 1067494 1067190 1067829 1068327 1067561 1067677 1066049 1067189 1067171 1055352 1067676 1067192 1067193 1067069 1067272 1067509 1067175 1067288 1067170 1068586 1066794 1067916 1067458 1067508 1066328 1062847 1065973 1068325 1068160 1055530
1036884 was not blocking any bugs.
Added blocking bug(s) of 1036884: 1065790
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
1036884: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036884
Bug#1068798: bookworm-pu: package fdroidserver/2.2.1-1
Forgot the patch..

diff --git a/debian/changelog b/debian/changelog index a990dc45..05aabd67 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +fdroidserver (2.2.1-1+deb12u1) bookworm; urgency=medium + + * Team upload. + * Add patch to fix security issue in certificate checks + + -- Jochen Sprickerhof Thu, 11 Apr 2024 11:20:33 +0200 + fdroidserver (2.2.1-1) unstable; urgency=medium * New upstream version 2.2.1 diff --git a/debian/patches/0004-Fix-signer-certificate-checks.patch b/debian/patches/0004-Fix-signer-certificate-checks.patch new file mode 100644 index ..8830d788 --- /dev/null +++ b/debian/patches/0004-Fix-signer-certificate-checks.patch 
@@ -0,0 +1,72 @@ +From: "FC (Fay) Stegerman" +Date: Thu, 11 Apr 2024 11:11:46 +0200 +Subject: Fix signer certificate checks + +This fixes the order the signatures are checked to be the same as +Android does them and monkey patches androguard to handle duplicate +signing blocks. + +This was reported as: + +https://www.openwall.com/lists/oss-security/2024/04/08/8 + +Patch taken from: + +https://github.com/obfusk/fdroid-fakesigner-poc/blob/master/fdroidserver.patch +--- + fdroidserver/common.py | 33 - + 1 file changed, 20 insertions(+), 13 deletions(-) + +diff --git a/fdroidserver/common.py b/fdroidserver/common.py +index bc4265e..bd1a4c8 100644 +--- a/fdroidserver/common.py b/fdroidserver/common.py +@@ -3001,28 +3001,35 @@ def signer_fingerprint(cert_encoded): + + def get_first_signer_certificate(apkpath): + """Get the first signing certificate from the APK, DER-encoded.""" ++class FDict(dict): ++def __setitem__(self, k, v): ++if k not in self: ++super().__setitem__(k, v) ++ + certs = None + cert_encoded = None +-with zipfile.ZipFile(apkpath, 'r') as apk: +-cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)] +-if len(cert_files) > 1: +-logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath)) +-return None +-elif len(cert_files) == 1: +-cert_encoded = get_certificate(apk.read(cert_files[0])) +- +-if not cert_encoded and use_androguard(): ++if use_androguard(): + apkobject = _get_androguard_APK(apkpath) +-certs = apkobject.get_certificates_der_v2() ++apkobject._v2_blocks = FDict() ++certs = apkobject.get_certificates_der_v3() + if len(certs) > 0: +-logging.debug(_('Using APK Signature v2')) ++logging.debug(_('Using APK Signature v3')) + cert_encoded = certs[0] + if not cert_encoded: +-certs = apkobject.get_certificates_der_v3() ++certs = apkobject.get_certificates_der_v2() + if len(certs) > 0: +-logging.debug(_('Using APK Signature v3')) ++logging.debug(_('Using APK Signature v2')) + cert_encoded = certs[0] 
+ ++if not cert_encoded: ++with zipfile.ZipFile(apkpath, 'r') as apk: ++cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)] ++if len(cert_files) > 1: ++logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath)) ++return None ++elif len(cert_files) == 1: ++cert_encoded = get_certificate(apk.read(cert_files[0])) ++ + if not cert_encoded: + logging.error(_("No signing certificates found in {path}").format(path=apkpath)) + return None diff --git a/debian/patches/series b/debian/patches/series index ab17e6df..8e2df116 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ debian-java-detection.patch ignore-irrelevant-test.patch scanner-tests-need-dexdump.patch +0004-Fix-signer-certificate-checks.patch signature.asc Description: PGP signature
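Review bot: in the fdroidserver/common.py hunk, the first-wins behaviour rests on assigning `apkobject._v2_blocks = FDict()` to a private androguard attribute, and `FDict.__setitem__` is only honoured for `d[k] = v` assignments; `dict.update()` and the `dict(...)` constructor bypass an overridden `__setitem__`, so if androguard ever fills the blocks that way, or renames `_v2_blocks`, the duplicate-block protection disappears without any error. Suggest adding a comment above the `FDict` class stating what it emulates (first signing block for an ID wins, as on Android) and why it is attached to `_v2_blocks`, plus a regression test with an APK that carries duplicate v2/v3 signing blocks so a future androguard upgrade cannot silently undo the fix. The reordering itself looks right: v3 is now tried before v2, the two "Using APK Signature v2/v3" debug messages were swapped to match, and the JAR signature block file scan only runs as a fallback when neither v3 nor v2 yielded a certificate.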
Bug#1068798: bookworm-pu: package fdroidserver/2.2.1-1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fdroidser...@packages.debian.org, Hans-Christoph Steiner
Control: affects -1 + src:fdroidserver
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
There was a security problem reported against fdroidserver:
https://www.openwall.com/lists/oss-security/2024/04/08/8

[ Impact ]
Stable users of fdroidserver running their own repo could be tricked into
providing wrongly signed files.

[ Tests ]
Manual test on F-Droid internal datasets as well as automated tests inside
fdroidserver.

[ Risks ]
Low, the relevant code is only used to extract and verify signatures.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable

[ Changes ]
The patch reorders the code as well as changes the code of the imported
androguard library.

[ Other info ]
Upstream is still working on a long term fix that will be uploaded to
unstable later. I agreed with upstream to use the patch provided in the
mail on oss-security already now.
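The fdroidserver fix above reorders the signature-scheme lookup (v3, then v2, then the JAR signature block file) and replaces androguard's block store with a dict that keeps the first value seen for a block ID. The following is an added example, not code from fdroidserver or androguard: it parses the documented APK Signing Block layout (uint64 size, ID-value pairs each prefixed by a uint64 length and uint32 ID, the size repeated, then the 16-byte magic) and shows why a verifier that lets a later duplicate block overwrite an earlier one disagrees with a parser that keeps the first block. The block payloads are constructed placeholder strings rather than real signer structures, the helper names are my own, and the assumption that "first block for an ID wins" is the behaviour being matched is taken from the FDict in the patch.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_V2_ID = 0x7109871A  # APK Signature Scheme v2 block ID
SIG_V3_ID = 0xF05368C0  # APK Signature Scheme v3 block ID


class FirstWinsDict(dict):
    """dict whose first assignment to a key sticks; later duplicates are ignored.

    Same idea as the FDict in the patch. Note that only `d[k] = v` goes through
    __setitem__; dict.update() and dict(...) bypass it, so callers must assign
    one pair at a time for the guarantee to hold.
    """

    def __setitem__(self, key, value):
        if key not in self:
            super().__setitem__(key, value)


def build_signing_block(pairs):
    """Serialize (id, value) pairs into the APK Signing Block layout (constructed input)."""
    body = b""
    for block_id, value in pairs:
        # pair length covers the 4-byte ID plus the value
        body += struct.pack("<QI", 4 + len(value), block_id) + value
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def parse_signing_block(blob, store_factory=dict):
    """Walk the ID-value pairs; store_factory decides what a duplicate ID does."""
    if len(blob) < 32 or blob[-16:] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("missing APK Signing Block magic")
    (size_head,) = struct.unpack_from("<Q", blob, 0)
    (size_tail,) = struct.unpack_from("<Q", blob, len(blob) - 24)
    if size_head != size_tail or size_head + 8 != len(blob):
        raise ValueError("inconsistent block size fields")
    blocks = store_factory()
    offset, end = 8, len(blob) - 24
    while offset < end:
        (pair_len,) = struct.unpack_from("<Q", blob, offset)
        if pair_len < 4 or offset + 8 + pair_len > end:
            raise ValueError("pair length out of range")
        (block_id,) = struct.unpack_from("<I", blob, offset + 8)
        # plain dict: last duplicate wins; FirstWinsDict: first duplicate wins
        blocks[block_id] = blob[offset + 12 : offset + 8 + pair_len]
        offset += 8 + pair_len
    return blocks


def first_signer(blocks, jar_cert=None):
    """Pick the signer in the order the patch uses: v3, then v2, then JAR (v1)."""
    for scheme, block_id in (("v3", SIG_V3_ID), ("v2", SIG_V2_ID)):
        if block_id in blocks:
            return scheme, blocks[block_id]
    if jar_cert is not None:
        return "v1", jar_cert
    return None, None


def demo():
    """Two v3 blocks with the same ID: the two parsing policies pick different signers."""
    legit = b"CERT:legitimate-signer"      # constructed placeholder payload
    forged = b"CERT:appended-by-attacker"  # constructed placeholder payload
    blob = build_signing_block([(SIG_V3_ID, legit), (SIG_V3_ID, forged)])
    last_wins = first_signer(parse_signing_block(blob, dict))
    first_wins = first_signer(parse_signing_block(blob, FirstWinsDict))
    return last_wins, first_wins


if __name__ == "__main__":
    print(demo())
```

The point for a repository operator is that the certificate a verifier reports must be the one the installing device will act on; a parser whose duplicate handling or scheme preference differs from the platform's can be made to attest a signer the device never checks.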
Processed: bookworm-pu: package fdroidserver/2.2.1-1
Processing control commands:

> affects -1 + src:fdroidserver
Bug #1068798 [release.debian.org] bookworm-pu: package fdroidserver/2.2.1-1
Added indication that 1068798 affects src:fdroidserver

--
1068798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068798