Bug#895766: stretch-pu: package tlslite-ng/0.6.0-1+deb9u1

2018-07-06 Thread Daniel Stender

On 07/01/2018 07:52 PM, Adam D. Barratt wrote:

Control: tags -1 + confirmed

On Sun, 2018-04-15 at 21:02 +0200, Daniel Stender wrote:

I hereby propose an update for stable/stretch of tlslite-ng. It contains
a patch fixing CVE-2018-1000159 [1]. The security issue was marked as being
no-dsa [2]. Please see the attached debdiff for details.



+tlslite-ng (0.6.0-1+deb9u1) stable; urgency=medium

We generally prefer the distribution to be specified by codename - i.e.
"stretch", rather than "stable".

Please feel free to upload.

Regards,

Adam


Ah, yes. I've changed that and rebuilt, uploaded.

Thanks,
Daniel Stender

--
4096R/DF5182C8 (sten...@debian.org)
http://www.danielstender.com/



Bug#895766: stretch-pu: package tlslite-ng/0.6.0-1+deb9u1

2018-07-01 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2018-04-15 at 21:02 +0200, Daniel Stender wrote:
> I hereby propose an update for stable/stretch of tlslite-ng. It contains
> a patch fixing CVE-2018-1000159 [1]. The security issue was marked as being
> no-dsa [2]. Please see the attached debdiff for details.
> 

+tlslite-ng (0.6.0-1+deb9u1) stable; urgency=medium

We generally prefer the distribution to be specified by codename - i.e.
"stretch", rather than "stable".

Please feel free to upload.

Regards,

Adam



Bug#895766: stretch-pu: package tlslite-ng/0.6.0-1+deb9u1

2018-04-15 Thread Daniel Stender
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I hereby propose an update for stable/stretch of tlslite-ng. It contains
a patch fixing CVE-2018-1000159 [1]. The security issue was marked as being
no-dsa [2]. Please see the attached debdiff for details.

Thanks,
Daniel Stender

[1] https://bugs.debian.org/895728

[2] https://security-tracker.debian.org/tracker/CVE-2018-1000159

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tlslite-ng-0.6.0/debian/changelog tlslite-ng-0.6.0/debian/changelog
--- tlslite-ng-0.6.0/debian/changelog   2016-11-16 16:32:34.0 +0100
+++ tlslite-ng-0.6.0/debian/changelog   2018-04-15 20:53:39.0 +0200
@@ -1,3 +1,10 @@
+tlslite-ng (0.6.0-1+deb9u1) stable; urgency=medium
+
+  * add verify-mac-even-if-the-padding-is-1-byte-long.patch,
+providing fix for CVE-2018-1000159 (Closes: #895728).
+
+ -- Daniel Stender   Sun, 15 Apr 2018 20:53:39 +0200
+
 tlslite-ng (0.6.0-1) unstable; urgency=medium
 
   * New upstream release:
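
Review bot: The distribution field in the first line of the new changelog entry is "stable"; for a stretch-pu upload the codename is preferred, so that line should read "tlslite-ng (0.6.0-1+deb9u1) stretch; urgency=medium". The entry names the patch file and the CVE but not the defect itself; a few words such as "MAC not verified when the CBC padding is a single 0x00 byte" would let a reader of the changelog judge the impact without opening the patch.
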
diff -Nru tlslite-ng-0.6.0/debian/patches/series 
tlslite-ng-0.6.0/debian/patches/series
--- tlslite-ng-0.6.0/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ tlslite-ng-0.6.0/debian/patches/series  2018-04-15 20:53:37.0 
+0200
@@ -0,0 +1 @@
+verify-mac-even-if-the-padding-is-1-byte-long.patch
diff -Nru 
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
 
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
--- 
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
 1970-01-01 01:00:00.0 +0100
+++ 
tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
 2018-04-15 20:45:32.0 +0200
@@ -0,0 +1,67 @@
+From 3674815d1b0f7484454995e2737a352e0a6a93d8 Mon Sep 17 00:00:00 2001
+From: Hubert Kario 
+Date: Tue, 27 Mar 2018 15:26:18 +0200
+Subject: [PATCH] verify the mac even if the padding is 1 byte long
+
+off-by-one error on mac checking, if the padding is of
+minimal length (a single 0x00 byte), the mac is not
+checked and thus the return value is never falsified
+
+this fixes the issue
+---
+ tlslite/utils/constanttime.py |  2 +-
+ unit_tests/test_tlslite_utils_constanttime.py | 21 +
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/tlslite/utils/constanttime.py b/tlslite/utils/constanttime.py
+index 60322c14..d4f5b1ce 100644
+--- a/tlslite/utils/constanttime.py
 b/tlslite/utils/constanttime.py
+@@ -170,7 +170,7 @@ def ct_check_cbc_mac_and_pad(data, mac, seqnumBytes, 
contentType, version):
+ data_mac.update(compatHMAC(data[:start_pos]))
+ 
+ # don't check past the array end (already checked to be >= zero)
+-end_pos = data_len - 1 - mac.digest_size
++end_pos = data_len - mac.digest_size
+ 
+ # calculate all possible
+ for i in range(start_pos, end_pos): # constant for given overall length
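
Review bot: The comment kept above end_pos ("don't check past the array end") no longer explains the bound that the changed line sets, and that bound is the whole fix. Because range(start_pos, end_pos) excludes end_pos, the old value data_len - 1 - mac.digest_size left out the one start position where the MAC sits when the padding is a single 0x00 byte, which is the case the commit message describes. Suggest rewording the comment to say that end_pos is exclusive and that the last MAC start position examined is data_len - 1 - mac.digest_size, so a later cleanup does not reintroduce the off-by-one.
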
+diff --git a/unit_tests/test_tlslite_utils_constanttime.py 
b/unit_tests/test_tlslite_utils_constanttime.py
+index 0edaf3f4..0a6446d0 100644
+--- a/unit_tests/test_tlslite_utils_constanttime.py
 b/unit_tests/test_tlslite_utils_constanttime.py
+@@ -16,6 +16,7 @@
+ from hypothesis import given, example
+ import hypothesis.strategies as st
+ from tlslite.utils.compat import compatHMAC
++from tlslite.utils.cryptomath import getRandomBytes
+ from tlslite.recordlayer import RecordLayer
+ import tlslite.utils.tlshashlib as hashlib
+ import hmac
+@@ -266,6 +267,26 @@ def test_with_invalid_hash(self):
+ self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
+   content_type, version))
+ 
++@given(i=st.integers(1, 20))
++def test_with_invalid_random_hash(self, i):
++key = compatHMAC(getRandomBytes(20))
++seqnum_bytes = bytearray(16)
++content_type = 0x15
++version = (3, 3)
++application_data = getRandomBytes(63)
++mac = hashlib.sha1
++
++data = self.data_prepare(application_data, seqnum_bytes, content_type,
++ version, mac, key)
++data[-i] ^= 0xff
++padding = bytearray(b'\x00')
++data += padding
++
++h = hmac.new(key, digestmod=mac)
++h.block_size = mac().block_size
++self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
++  content_type, version))
++
+ def test_with_invalid_pad(self):
+ key = compatHMAC(bytearray(20))
+ seqnum_bytes = bytea
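
Review bot: test_with_invalid_random_hash draws its key and application data from getRandomBytes, outside Hypothesis's control, so a failing run cannot be shrunk or replayed from the reported example; only i is recorded. Suggest taking key and application_data from strategies (st.binary with fixed sizes 20 and 63) in the @given decorator alongside i. The test also covers only the rejecting path with SHA-1 and version (3, 3); a companion case that leaves the MAC intact, appends the same single b'\x00' padding and asserts True would show that the new end_pos still accepts valid minimal-padding records.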