Bug#863625: unblock: botan1.10/1.10.16-1

Ondřej Surý Mon, 29 May 2017 05:03:44 -0700

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock


Please unblock package botan1.10

Dear release team,

botan1.10 1.10.16 contains only the fix for the RC bug #860072
(CVE-2017-2801: Incorrect comparison in X.509 DN strings) (+ changelog
entry + version bump), so I have decided to upload 1.10.16 directly
instead of patching the simple patch on top of 1.10.15.

(+ update to d/watch bundled to make it work again)

diffstat:

 botan_version.py                  |    6 +++---
 debian/changelog                  |    8 ++++++++
 debian/watch                      |    2 +-
 doc/log.txt                       |   10 ++++++++++
 src/alloc/alloc_mmap/mmap_mem.cpp |    3 +--
 src/utils/parsing.cpp             |    2 ++
 6 files changed, 25 insertions(+), 6 deletions(-)

unblock botan1.10/1.10.16-1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: botan1.10
Binary: botan1.10-dbg, libbotan-1.10-1, libbotan1.10-dev
Architecture: any
Version: 1.10.16-1
Maintainer: Ondřej Surý <ond...@debian.org>
Homepage: http://botan.randombit.net/
Standards-Version: 3.9.6
Vcs-Browser: http://anonscm.debian.org/?p=pkg-nlnetlabs/botan1.10.git
Vcs-Git: git://anonscm.debian.org/pkg-nlnetlabs/botan1.10.git
Build-Depends: debhelper (>= 9), libbz2-dev, libgmp3-dev, python, zlib1g-dev
Package-List:
 botan1.10-dbg deb debug extra arch=any
 libbotan-1.10-1 deb libs optional arch=any
 libbotan1.10-dev deb libdevel optional arch=any
Checksums-Sha1:
 697144c34b1bf77c5b2bc1ff4d08f69ee718782b 2711177 botan1.10_1.10.16.orig.tar.gz
 44fa04f97f5f5af94757774af5048a69f7a5725d 40872 
botan1.10_1.10.16-1.debian.tar.xz
Checksums-Sha256:
 6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52 2711177 
botan1.10_1.10.16.orig.tar.gz
 c30b4631e788e6ec8c256c2eb6e572a4a31075e8563cfa7bcb05e68709e054d3 40872 
botan1.10_1.10.16-1.debian.tar.xz
Files:
 d0c88b523b5aeaaeaf7a3f39dd9d1f3e 2711177 botan1.10_1.10.16.orig.tar.gz
 d446e25344b6e0ad20f4ea390d619d97 40872 botan1.10_1.10.16-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlksDBdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
uwel5Q//WXrxeAk/nkyer1wymmhmlZ9mn79CInfKnvPeeT/OVDaljHfbC72X/W7/
Iphzb26ZBgFzbxXoIUarA4LWw9gz5TkIrW4jr8CO2lSShH9vVJ6IENCvYew9mrRe
ZctPI8mEkQL0NVsE9F//9p77aeuqM6sFhHEuW5HpuOg3HdrUjaRjrbFN1UHvhf0E
YeU3g15pwom6IwWwWpNTTXt/qXz+XGnTrZ6EjAzGX9nFeMUmlOYxZImRJNMW4xIp
++ixgm2AF21buKCqmzpVYe+nltUCcWI6VFC27XFDBZBcAg6kCo+vi2F4671ugRuu
bTLJ8r3+vfcaw1Il+zqUOybW5+d0+gxy9zS4DnnGY7zzbiwqtEPPBQP1c4+eXcoY
zUMeof3TvjNCcx4aViNRL9XXw5x2qKkdFfxND2MzpEaR+/I3bu3UG1+MIqVb1GaF
OqWBa+hx+NN+BhTJWl33LtDCEjw+f17OBKj4mVZgwVCalxSBLC2s7rTrj0DZ2f7L
fBhH7VTmjzbfnyudUnS6Joewu4nFqftUbT8eUJ8tg2ezqTiEw29pCgA5vI6mFQYE
sga1xfA6J1U3ZMgcyEfF7dlXC2Z4qtYXCmbT4KqS7mEA+r5GP9+TFnoSpEp0LCDU
rJBEYF0VnKfWUoQy+2SWKVRgyHSI0/GPhbYd4uP4wVTNjNYlHv0=
=Zz4K
-----END PGP SIGNATURE-----

diff -Nru botan1.10-1.10.15/botan_version.py botan1.10-1.10.16/botan_version.py
--- botan1.10-1.10.15/botan_version.py  2017-01-13 02:48:25.000000000 +0100
+++ botan1.10-1.10.16/botan_version.py  2017-04-05 03:07:02.000000000 +0200
@@ -1,11 +1,11 @@
 
 release_major = 1
 release_minor = 10
-release_patch = 15
+release_patch = 16
 
 release_so_abi_rev = 1
 
 # These are set by the distribution script
-release_vc_rev = 'git:f79e642ab8c09971968abdfe6990df6801711e1f'
-release_datestamp = 20170112
+release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e'
+release_datestamp = 20170404
 release_type = 'released'
diff -Nru botan1.10-1.10.15/debian/changelog botan1.10-1.10.16/debian/changelog
--- botan1.10-1.10.15/debian/changelog  2017-01-13 09:47:48.000000000 +0100
+++ botan1.10-1.10.16/debian/changelog  2017-05-29 13:45:02.000000000 +0200
@@ -1,3 +1,11 @@
+botan1.10 (1.10.16-1) unstable; urgency=high
+
+  * Update d/watch to match new upstream download directory
+  * New upstream version 1.10.16
+    + [CVE-2017-2801]: Incorrect comparison in X.509 DN strings
+
+ -- Ondřej Surý <ond...@debian.org>  Mon, 29 May 2017 13:45:02 +0200
+
 botan1.10 (1.10.15-1) unstable; urgency=medium
 
   * New upstream version 1.10.15
diff -Nru botan1.10-1.10.15/debian/watch botan1.10-1.10.16/debian/watch
--- botan1.10-1.10.15/debian/watch      2017-01-13 09:47:48.000000000 +0100
+++ botan1.10-1.10.16/debian/watch      2017-05-29 13:45:02.000000000 +0200
@@ -1,2 +1,2 @@
 version=3
-http://files.randombit.net/botan/v1.10/Botan-(.*)\.tbz
+https://botan.randombit.net/releases/Botan-(1\.10\.\d+).tgz
diff -Nru botan1.10-1.10.15/doc/log.txt botan1.10-1.10.16/doc/log.txt
--- botan1.10-1.10.15/doc/log.txt       2017-01-13 02:47:23.000000000 +0100
+++ botan1.10-1.10.16/doc/log.txt       2017-04-05 03:06:45.000000000 +0200
@@ -7,6 +7,16 @@
 Series 1.10
 ----------------------------------------
 
+Version 1.10.16, 2017-04-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a bug in X509 DN string comparisons that could result in out of bound
+  reads. This could result in information leakage, denial of service, or
+  potentially incorrect certificate validation results. (CVE-2017-2801)
+
+* Avoid throwing during a destructor since this is undefined in C++11
+  and rarely a good idea. (GH #930)
+
 Version 1.10.15, 2017-01-12
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff -Nru botan1.10-1.10.15/src/alloc/alloc_mmap/mmap_mem.cpp 
botan1.10-1.10.16/src/alloc/alloc_mmap/mmap_mem.cpp
--- botan1.10-1.10.15/src/alloc/alloc_mmap/mmap_mem.cpp 2017-01-13 
02:47:23.000000000 +0100
+++ botan1.10-1.10.16/src/alloc/alloc_mmap/mmap_mem.cpp 2017-04-05 
03:06:45.000000000 +0200
@@ -73,8 +73,7 @@
             * will continue to exist until the mmap is unmapped from
             * our address space upon deallocation (or process exit).
             */
-            if(fd != -1 && ::close(fd) == -1)
-               throw MemoryMapping_Failed("Could not close file");
+            fd != -1 && ::close(fd);
             }
       private:
          int fd;
diff -Nru botan1.10-1.10.15/src/utils/parsing.cpp 
botan1.10-1.10.16/src/utils/parsing.cpp
--- botan1.10-1.10.15/src/utils/parsing.cpp     2017-01-13 02:47:23.000000000 
+0100
+++ botan1.10-1.10.16/src/utils/parsing.cpp     2017-04-05 03:06:45.000000000 
+0200
@@ -230,6 +230,8 @@
 
          if(p1 == name1.end() && p2 == name2.end())
             return true;
+         if(p1 == name1.end() || p2 == name2.end())
+            return false;
          }
 
       if(!Charset::caseless_cmp(*p1, *p2))

botan1.10_1.10.16-1.debian.tar.xz
Description: application/xz

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 May 2017 13:45:02 +0200
Source: botan1.10
Binary: botan1.10-dbg libbotan-1.10-1 libbotan1.10-dev
Architecture: source
Version: 1.10.16-1
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <ond...@debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description:
 botan1.10-dbg - multiplatform crypto library (debug)
 libbotan-1.10-1 - multiplatform crypto library
 libbotan1.10-dev - multiplatform crypto library (development)
Changes:
 botan1.10 (1.10.16-1) unstable; urgency=high
 .
   * Update d/watch to match new upstream download directory
   * New upstream version 1.10.16
     + [CVE-2017-2801]: Incorrect comparison in X.509 DN strings
Checksums-Sha1:
 cb6592f8eb22fae1d21fc5f919d6a50a35703c2a 2169 botan1.10_1.10.16-1.dsc
 697144c34b1bf77c5b2bc1ff4d08f69ee718782b 2711177 botan1.10_1.10.16.orig.tar.gz
 44fa04f97f5f5af94757774af5048a69f7a5725d 40872 
botan1.10_1.10.16-1.debian.tar.xz
 1e990d66efca65da796005039512ae1617212de4 6763 
botan1.10_1.10.16-1_amd64.buildinfo
Checksums-Sha256:
 471f1204c4b91cd68b4df306c004151523dc1f4c898a301bb1f128001b587604 2169 
botan1.10_1.10.16-1.dsc
 6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52 2711177 
botan1.10_1.10.16.orig.tar.gz
 c30b4631e788e6ec8c256c2eb6e572a4a31075e8563cfa7bcb05e68709e054d3 40872 
botan1.10_1.10.16-1.debian.tar.xz
 168565f0ae3594e6652feb82508eac724f407342736b85c4ba6e53c5d2a4bf48 6763 
botan1.10_1.10.16-1_amd64.buildinfo
Files:
 c7b99c3605d84d80eef50051386870fa 2169 libs optional botan1.10_1.10.16-1.dsc
 d0c88b523b5aeaaeaf7a3f39dd9d1f3e 2711177 libs optional 
botan1.10_1.10.16.orig.tar.gz
 d446e25344b6e0ad20f4ea390d619d97 40872 libs optional 
botan1.10_1.10.16-1.debian.tar.xz
 07574a5df6d56752a9336ec101460d6c 6763 libs optional 
botan1.10_1.10.16-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEMLkz2A/OPZgaLTj7DJm3DvT8uwcFAlksDBhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDMw
QjkzM0Q4MEZDRTNEOTgxQTJEMzhGQjBDOTlCNzBFRjRGQ0JCMDcACgkQDJm3DvT8
uwcybBAA76KfWNExespr09/PNZWYcCkkyH1VrJ4t8xspEFgFMAFhN6jnjg4kvKSm
y85V/MeMfNM5KKKURnHDZXkMqwvlut1IIMuUvf/6tfx4GnvMLraGgpjM6YqjNbE5
ferz1fPv/fBheGm7nrbvE1uUQQOPCLA7/PAY6kfRqJGMGaTk6m1S1kl4FyqxOIVF
K8IrlQhoUN0H7AVTCJzmhP2nOH9ClcBkxR+x/rlWsW7nrnscFl+Nh+qIzRgdoV+F
KqmRFXRqikrxkMhkRNzFOobSypRekAMAjUu71dXwyEluzmyHbmrkZVNZnMC3JUNL
5yljpD51e1D/3bMBfzlOvA+eC5W4m4kV4w5mnGhVRTlP3kxKHipkYdvkSTYg/85o
T9PhGih3qexpFIgP7oVotEapjAXGeETmkHrFm5Dnw4ffMlqA/Cjh5/TrFYwIRP1C
jCnvTEJJCKycn9LxKMrpM6kqXolkbY0YBNempv4q7VqoNawo0bvsGsuVA48wZqAc
BjmLZ/8DWYmvClM6CkGneYfMTHfm3H05Gv4sihbSXldiqKwJWJz0eOPrwViCye17
H6BiecLy7VhG11b4GvVMRMwLgzv2zui0IwIP2jn8YeGjUpdZocmUmgR9ioImvVpd
3ERr4G/vl2qe3r9eYMqwFm8l5i1M/2mf8+Ys1qBNNIpFU9ngTAk=
=hMv4
-----END PGP SIGNATURE-----

Bug#863625: unblock: botan1.10/1.10.16-1

Reply via email to