Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
I hereby propose an update for stable/stretch of tlslite-ng. It contains
a single patch (taken from upstream) fixing CVE-2018-1000159 [1], an off-by-one in
the constant-time CBC MAC-and-padding check: when a record's padding is of
minimal length (a single 0x00 byte), the MAC was never verified, so such
records passed without an integrity check. The security team marked the
issue no-dsa [2], i.e. not warranting a standalone DSA, so the fix is
proposed via a stable point release instead. Please see the attached
debdiff (below) for details.
Thanks,
Daniel Stender
[1] https://bugs.debian.org/895728
[2] https://security-tracker.debian.org/tracker/CVE-2018-1000159
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tlslite-ng-0.6.0/debian/changelog tlslite-ng-0.6.0/debian/changelog
--- tlslite-ng-0.6.0/debian/changelog 2016-11-16 16:32:34.0 +0100
+++ tlslite-ng-0.6.0/debian/changelog 2018-04-15 20:53:39.0 +0200
@@ -1,3 +1,10 @@
+tlslite-ng (0.6.0-1+deb9u1) stable; urgency=medium
+
+ * add verify-mac-even-if-the-padding-is-1-byte-long.patch,
+providing fix for CVE-2018-1000159 (Closes: #895728).
+
+ -- Daniel Stender Sun, 15 Apr 2018 20:53:39 +0200
+
tlslite-ng (0.6.0-1) unstable; urgency=medium
* New upstream release:
diff -Nru tlslite-ng-0.6.0/debian/patches/series
tlslite-ng-0.6.0/debian/patches/series
--- tlslite-ng-0.6.0/debian/patches/series 1970-01-01 01:00:00.0
+0100
+++ tlslite-ng-0.6.0/debian/patches/series 2018-04-15 20:53:37.0
+0200
@@ -0,0 +1 @@
+verify-mac-even-if-the-padding-is-1-byte-long.patch
diff -Nru
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
---
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
1970-01-01 01:00:00.0 +0100
+++
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
2018-04-15 20:45:32.0 +0200
@@ -0,0 +1,67 @@
+From 3674815d1b0f7484454995e2737a352e0a6a93d8 Mon Sep 17 00:00:00 2001
+From: Hubert Kario
+Date: Tue, 27 Mar 2018 15:26:18 +0200
+Subject: [PATCH] verify the mac even if the padding is 1 byte long
+
+off-by-one error on mac checking, if the padding is of
+minimal length (a single 0x00 byte), the mac is not
+checked and thus the return value is never falsified
+
+this fixes the issue
+---
+ tlslite/utils/constanttime.py | 2 +-
+ unit_tests/test_tlslite_utils_constanttime.py | 21 +
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/tlslite/utils/constanttime.py b/tlslite/utils/constanttime.py
+index 60322c14..d4f5b1ce 100644
+--- a/tlslite/utils/constanttime.py
b/tlslite/utils/constanttime.py
+@@ -170,7 +170,7 @@ def ct_check_cbc_mac_and_pad(data, mac, seqnumBytes,
contentType, version):
+ data_mac.update(compatHMAC(data[:start_pos]))
+
+ # don't check past the array end (already checked to be >= zero)
+-end_pos = data_len - 1 - mac.digest_size
++end_pos = data_len - mac.digest_size
+
+ # calculate all possible
+ for i in range(start_pos, end_pos): # constant for given overall length
+diff --git a/unit_tests/test_tlslite_utils_constanttime.py
b/unit_tests/test_tlslite_utils_constanttime.py
+index 0edaf3f4..0a6446d0 100644
+--- a/unit_tests/test_tlslite_utils_constanttime.py
b/unit_tests/test_tlslite_utils_constanttime.py
+@@ -16,6 +16,7 @@
+ from hypothesis import given, example
+ import hypothesis.strategies as st
+ from tlslite.utils.compat import compatHMAC
++from tlslite.utils.cryptomath import getRandomBytes
+ from tlslite.recordlayer import RecordLayer
+ import tlslite.utils.tlshashlib as hashlib
+ import hmac
+@@ -266,6 +267,26 @@ def test_with_invalid_hash(self):
+ self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
+ content_type, version))
+
++@given(i=st.integers(1, 20))
++def test_with_invalid_random_hash(self, i):
++key = compatHMAC(getRandomBytes(20))
++seqnum_bytes = bytearray(16)
++content_type = 0x15
++version = (3, 3)
++application_data = getRandomBytes(63)
++mac = hashlib.sha1
++
++data = self.data_prepare(application_data, seqnum_bytes, content_type,
++ version, mac, key)
++data[-i] ^= 0xff
++padding = bytearray(b'\x00')
++data += padding
++
++h = hmac.new(key, digestmod=mac)
++h.block_size = mac().block_size
++self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
++ content_type, version))
++
+ def test_with_invalid_pad(self):
+ key = compatHMAC(bytearray(20))
+ seqnum_bytes = bytea