Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package botan1.10

Dear release team,

botan1.10 1.10.16 contains only the fix for the RC bug #860072 (CVE-2017-2801: Incorrect comparison in X.509 DN strings) (+ changelog entry + version bump), so I have decided to upload 1.10.16 directly instead of patching the simple patch on top of 1.10.15. (+ update to d/watch bundled to make it work again)

diffstat:

 botan_version.py                  |  6 +++---
 debian/changelog                  |  8 ++++++++
 debian/watch                      |  2 +-
 doc/log.txt                       | 10 ++++++++++
 src/alloc/alloc_mmap/mmap_mem.cpp |  3 +--
 src/utils/parsing.cpp             |  2 ++
 6 files changed, 25 insertions(+), 6 deletions(-)

unblock botan1.10/1.10.16-1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Format: 3.0 (quilt)
Source: botan1.10
Binary: botan1.10-dbg, libbotan-1.10-1, libbotan1.10-dev
Architecture: any
Version: 1.10.16-1
Maintainer: Ondřej Surý <ond...@debian.org>
Homepage: http://botan.randombit.net/
Standards-Version: 3.9.6
Vcs-Browser: http://anonscm.debian.org/?p=pkg-nlnetlabs/botan1.10.git
Vcs-Git: git://anonscm.debian.org/pkg-nlnetlabs/botan1.10.git
Build-Depends: debhelper (>= 9), libbz2-dev, libgmp3-dev, python, zlib1g-dev
Package-List:
 botan1.10-dbg deb debug extra arch=any
 libbotan-1.10-1 deb libs optional arch=any
 libbotan1.10-dev deb libdevel optional arch=any
Checksums-Sha1:
 697144c34b1bf77c5b2bc1ff4d08f69ee718782b 2711177 botan1.10_1.10.16.orig.tar.gz
 44fa04f97f5f5af94757774af5048a69f7a5725d 40872 botan1.10_1.10.16-1.debian.tar.xz
Checksums-Sha256:
 6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52 2711177 botan1.10_1.10.16.orig.tar.gz
 c30b4631e788e6ec8c256c2eb6e572a4a31075e8563cfa7bcb05e68709e054d3 40872 botan1.10_1.10.16-1.debian.tar.xz
Files:
 d0c88b523b5aeaaeaf7a3f39dd9d1f3e 2711177 botan1.10_1.10.16.orig.tar.gz
 d446e25344b6e0ad20f4ea390d619d97 40872 botan1.10_1.10.16-1.debian.tar.xz
diff -Nru botan1.10-1.10.15/botan_version.py botan1.10-1.10.16/botan_version.py --- botan1.10-1.10.15/botan_version.py 2017-01-13 02:48:25.000000000 +0100 +++ botan1.10-1.10.16/botan_version.py 2017-04-05 03:07:02.000000000 +0200 @@ -1,11 +1,11 @@ release_major = 1 release_minor = 10 -release_patch = 15 +release_patch = 16 release_so_abi_rev = 1 # These are set by the distribution script -release_vc_rev = 'git:f79e642ab8c09971968abdfe6990df6801711e1f' -release_datestamp = 20170112 +release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e' +release_datestamp = 20170404 release_type = 'released' diff -Nru botan1.10-1.10.15/debian/changelog botan1.10-1.10.16/debian/changelog --- botan1.10-1.10.15/debian/changelog 2017-01-13 09:47:48.000000000 +0100 +++ botan1.10-1.10.16/debian/changelog 2017-05-29 13:45:02.000000000 +0200 @@ -1,3 +1,11 @@ +botan1.10 (1.10.16-1) unstable; urgency=high + + * Update d/watch to match new upstream download directory + * New upstream version 1.10.16 + + [CVE-2017-2801]: Incorrect comparison in X.509 DN strings + + -- Ondřej Surý <ond...@debian.org> Mon, 29 May 2017 13:45:02 +0200 + botan1.10 (1.10.15-1) unstable; urgency=medium * New upstream version 1.10.15 diff -Nru botan1.10-1.10.15/debian/watch botan1.10-1.10.16/debian/watch --- botan1.10-1.10.15/debian/watch 2017-01-13 09:47:48.000000000 +0100 +++ botan1.10-1.10.16/debian/watch 2017-05-29 13:45:02.000000000 +0200 @@ -1,2 +1,2 @@ version=3 -http://files.randombit.net/botan/v1.10/Botan-(.*)\.tbz +https://botan.randombit.net/releases/Botan-(1\.10\.\d+).tgz diff -Nru botan1.10-1.10.15/doc/log.txt botan1.10-1.10.16/doc/log.txt --- botan1.10-1.10.15/doc/log.txt 2017-01-13 02:47:23.000000000 +0100 +++ botan1.10-1.10.16/doc/log.txt 2017-04-05 03:06:45.000000000 +0200 
@@ -7,6 +7,16 @@ Series 1.10 ---------------------------------------- +Version 1.10.16, 2017-04-04 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a bug in X509 DN string comparisons that could result in out of bound + reads. This could result in information leakage, denial of service, or + potentially incorrect certificate validation results. (CVE-2017-2801) + +* Avoid throwing during a destructor since this is undefined in C++11 + and rarely a good idea. (GH #930) + Version 1.10.15, 2017-01-12 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff -Nru botan1.10-1.10.15/src/alloc/alloc_mmap/mmap_mem.cpp botan1.10-1.10.16/src/alloc/alloc_mmap/mmap_mem.cpp --- botan1.10-1.10.15/src/alloc/alloc_mmap/mmap_mem.cpp 2017-01-13 02:47:23.000000000 +0100 +++ botan1.10-1.10.16/src/alloc/alloc_mmap/mmap_mem.cpp 2017-04-05 03:06:45.000000000 +0200 @@ -73,8 +73,7 @@ * will continue to exist until the mmap is unmapped from * our address space upon deallocation (or process exit). */ - if(fd != -1 && ::close(fd) == -1) - throw MemoryMapping_Failed("Could not close file"); + fd != -1 && ::close(fd); } private: int fd; diff -Nru botan1.10-1.10.15/src/utils/parsing.cpp botan1.10-1.10.16/src/utils/parsing.cpp --- botan1.10-1.10.15/src/utils/parsing.cpp 2017-01-13 02:47:23.000000000 +0100 +++ botan1.10-1.10.16/src/utils/parsing.cpp 2017-04-05 03:06:45.000000000 +0200 @@ -230,6 +230,8 @@ if(p1 == name1.end() && p2 == name2.end()) return true; + if(p1 == name1.end() || p2 == name2.end()) + return false; } if(!Charset::caseless_cmp(*p1, *p2))
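Review bot: the debian/changelog entry for 1.10.16-1 lists only the d/watch update and CVE-2017-2801, while the same upload also changes src/alloc/alloc_mmap/mmap_mem.cpp (no longer throwing from the destructor, GH #930 according to the doc/log.txt hunk); since the unblock request states that 1.10.16 "contains only the fix for the RC bug", either mention the second upstream change in the changelog and the request text, or say explicitly that it is accepted as part of the upstream point release, so the release team can weigh it.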
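Review bot: in the new debian/watch line `https://botan.randombit.net/releases/Botan-(1\.10\.\d+).tgz` the dot before `tgz` is unescaped and therefore matches any character; write `\.tgz` for consistency with the escaped dots inside the version group. The rest of the hunk is an improvement: the https download URL and the `(1\.10\.\d+)` group limit uscan to the 1.10 series instead of the old `(.*)`, which is what a botan1.10 source package wants.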
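Review bot: in the mmap_mem.cpp hunk, `fd != -1 && ::close(fd);` uses a boolean expression as a statement to get rid of the throw; it compiles, but it reads oddly and draws unused-value warnings from some compilers. `if(fd != -1) ::close(fd);` expresses the same thing plainly. Removing the throw itself is the right call (the doc/log.txt hunk explains that throwing from a destructor is not acceptable in C++11), and the comment just above already says the mapping survives until it is unmapped, so a close failure is harmless; a one-line comment stating that the return value is deliberately ignored would keep the next reader from "fixing" it back into a throw.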
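Review bot: in the parsing.cpp hunk, the added `if(p1 == name1.end() || p2 == name2.end()) return false;` sits after the both-at-end equality check and before `Charset::caseless_cmp(*p1, *p2)`, so the dereference visible in this hunk can no longer run past the end of the shorter string, which is the CVE-2017-2801 out-of-bounds read. The hunk only shows three lines of context, so please confirm that no other `*p1` or `*p2` dereference earlier in the loop body precedes this check, and consider adding a regression test that compares two DN strings where one is a proper prefix of the other, the case that previously read beyond the buffer.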
Format: 1.8
Date: Mon, 29 May 2017 13:45:02 +0200
Source: botan1.10
Binary: botan1.10-dbg libbotan-1.10-1 libbotan1.10-dev
Architecture: source
Version: 1.10.16-1
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <ond...@debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description:
 botan1.10-dbg - multiplatform crypto library (debug)
 libbotan-1.10-1 - multiplatform crypto library
 libbotan1.10-dev - multiplatform crypto library (development)
Changes:
 botan1.10 (1.10.16-1) unstable; urgency=high
 .
   * Update d/watch to match new upstream download directory
   * New upstream version 1.10.16
     + [CVE-2017-2801]: Incorrect comparison in X.509 DN strings
Checksums-Sha1:
 cb6592f8eb22fae1d21fc5f919d6a50a35703c2a 2169 botan1.10_1.10.16-1.dsc
 697144c34b1bf77c5b2bc1ff4d08f69ee718782b 2711177 botan1.10_1.10.16.orig.tar.gz
 44fa04f97f5f5af94757774af5048a69f7a5725d 40872 botan1.10_1.10.16-1.debian.tar.xz
 1e990d66efca65da796005039512ae1617212de4 6763 botan1.10_1.10.16-1_amd64.buildinfo
Checksums-Sha256:
 471f1204c4b91cd68b4df306c004151523dc1f4c898a301bb1f128001b587604 2169 botan1.10_1.10.16-1.dsc
 6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52 2711177 botan1.10_1.10.16.orig.tar.gz
 c30b4631e788e6ec8c256c2eb6e572a4a31075e8563cfa7bcb05e68709e054d3 40872 botan1.10_1.10.16-1.debian.tar.xz
 168565f0ae3594e6652feb82508eac724f407342736b85c4ba6e53c5d2a4bf48 6763 botan1.10_1.10.16-1_amd64.buildinfo
Files:
 c7b99c3605d84d80eef50051386870fa 2169 libs optional botan1.10_1.10.16-1.dsc
 d0c88b523b5aeaaeaf7a3f39dd9d1f3e 2711177 libs optional botan1.10_1.10.16.orig.tar.gz
 d446e25344b6e0ad20f4ea390d619d97 40872 libs optional botan1.10_1.10.16-1.debian.tar.xz
 07574a5df6d56752a9336ec101460d6c 6763 libs optional botan1.10_1.10.16-1_amd64.buildinfo