Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

2024-04-22 Thread Jonathan Wiltshire 
Control: tag -1 confirmed

Please go ahead.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

2024-03-02 Thread David Prévot 
Le Sat, Mar 02, 2024 at 11:22:22AM +0100, David Prévot a écrit :
[…]
>   [x] attach debdiff against the package in oldstable

Second try.

diff -Nru php-phpseclib-2.0.30/debian/changelog php-phpseclib-2.0.30/debian/changelog
--- php-phpseclib-2.0.30/debian/changelog	2023-12-31 15:36:22.0 +0100
+++ php-phpseclib-2.0.30/debian/changelog	2024-02-27 21:15:41.0 +0100
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.30-2+deb11u2) bullseye; urgency=medium
+
+  * Backport upstream fixes
+- BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+- BigInteger: rm visibility modifiers from static variables
+- ASN1: limit OID length [CVE-2024-27355]
+- Tests: updates for phpseclib 2.0
+- BigInteger: phpseclib 2.0 updates
+- BigInteger: fix getLength()
+
+ -- David Prévot   Tue, 27 Feb 2024 21:15:41 +0100
+
 php-phpseclib (2.0.30-2+deb11u1) bullseye-security; urgency=medium
 
   * Backport upstream SSH2 changes
diff -Nru php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-27 21:15:41.0 +0100
@@ -0,0 +1,76 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 -
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 9df0bf0..bbe7c86 100644
+--- a/phpseclib/Math/BigInteger.php
 b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+ return $result;
+ }
+ 
++/**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++function getLength()
++{
++if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++return strlen($this->toBits());
++}
++
++$max = count($this->value) - 1;
++return $max != -1 ?
++$max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++0;
++}
++
++/**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++function getLengthInBytes()
++{
++return ceil($this->getLength() / 8);
++}
++
+ /**
+  * Copy an object
+  *
+@@ -3237,6 +3264,11 @@ class BigInteger
+ $min = $temp;
+ }
+ 
++$length = $max->getLength();
++if ($length > 8196) {
++user_error('Generation of random prime numbers larger than 8196 has been disabled');
++}
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new static(1);
+@@ -3344,7 +3376,14 @@ class BigInteger
+  */
+ function isPrime($t = false)
+ {
+-$length = strlen($this->toBytes());
++$length = $this->getLength();
++// OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++// produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++// a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++// that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++if ($length > 8196) {
++user_error('Primality testing is not supported for numbers larger than 8196 bits');
++}
+ 
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
diff -Nru php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch	1970-01-01 01:00:00.0 +0100
+++ php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch	2024-02-27 21:15:41.0 +0100
@@ -0,0 +1,48 @@
+From: terrafrost 
+Date: Fri, 23 Feb 2024 21:55:47 -0600
+Subject: BigInteger: rm visibility modifiers from static variables
+
+the non static variables don't have privacy modifiers so idk that
+the static ones ought to either. phpseclib 3.0 uses privacy
+modifiers but not the 2.0 branch
+
+Origin: upstream,

Bug#1065266: bullseye-pu: package php-phpseclib/2.0.30-2+deb11u2

2024-03-02 Thread David Prévot 
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-phpsec...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:php-phpseclib
User: release.debian@packages.debian.org
Usertags: pu

Hi,

This issue is similar to #1065263 for bookworm

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit


signature.asc
Description: PGP signature