Re: matrixssl
Hi Guido
Brian wrote in his mail that he had not tried to reproduce the crash.
Quote:
"...although I don't have any exploits to test it with."
Best regards
// Ola
On Tue, Aug 23, 2016 at 7:22 AM, Guido Günther <agx@sigxcpu.org> wrote:
> On Mon, Aug 22, 2016 at 06:15:33PM +1000, Brian May wrote:
>> Brian May <bam@debian.org> writes:
>>
>> > I will have a look and see if I can hack^h^h^h^hpatch the Debian package
>> > to include the above security fix; although I don't have any exploits
>> > to test it with.
>>
>> Ok, I have attached my proposed debdiff patch. It builds using sbuild. I
>> haven't claimed this package, and am unlikely to have time to continue this
>> month. So if anybody wants to take over before then, feel free to do so.
>> --
>> Brian May <bam@debian.org>
>
>> diff -u matrixssl-1.8.8/debian/changelog matrixssl-1.8.8/debian/changelog
>> --- matrixssl-1.8.8/debian/changelog
>> +++ matrixssl-1.8.8/debian/changelog
>> @@ -1,3 +1,10 @@
>> +matrixssl (1.8.8-1+deb7u1) wheezy-security; urgency=high
>> +
>> + * Non-maintainer upload by the LTS Team.
>> + * Fix integer overflow in bn_reverse.
>> +
>> + -- Brian May <bam@debian.org> Mon, 22 Aug 2016 18:09:05 +1000
>> +
>> matrixssl (1.8.8-1) unstable; urgency=high
>>
>> * new upstream version.
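Review bot: The changelog bullet "Fix integer overflow in bn_reverse." should carry the CVE identifier this upload addresses; the thread refers to CVE details, but the entry names only the function. Adding the CVE ID (and the Debian bug number, if one exists) to that line lets the upload be matched to the advisory.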
>> diff -u matrixssl-1.8.8/debian/control matrixssl-1.8.8/debian/control
>> --- matrixssl-1.8.8/debian/control
>> +++ matrixssl-1.8.8/debian/control
>> @@ -2,7 +2,7 @@
>> Priority: optional
>> Section: libs
>> Maintainer: Gerrit Pape <pape@smarden.org>
>> -Build-Depends: dietlibc-dev [alpha amd64 arm hppa i386 ia64 mips mipsel powerpc ppc64 s390 sparc]
>> +Build-Depends: dietlibc-dev [alpha amd64 arm hppa i386 ia64 mips mipsel powerpc ppc64 s390 sparc], quilt
>> Standards-Version: 3.8.0.1
>>
>> Package: libmatrixssl1.8-dev
>> diff -u matrixssl-1.8.8/debian/rules matrixssl-1.8.8/debian/rules
>> --- matrixssl-1.8.8/debian/rules
>> +++ matrixssl-1.8.8/debian/rules
>> @@ -28,6 +28,7 @@
>> DIR =$(shell pwd)/debian/libmatrixssl$(SOVER)
>>
>> unpack: deb-checkdir unpack-gnu-stamp unpack-diet-stamp
>> + quilt push -a
>> unpack-gnu-stamp:
>> mkdir -p gnu/static gnu/shared
>> (cd gnu/static && tar xzf - && ln -s matrixssl* matrixssl) <'$(TARGZ)'
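Review bot: "quilt push -a" in the unpack recipe will fail on a second run, because quilt exits with status 2 when the series is already fully applied and the unpack target has no stamp of its own. Consider "quilt push -a || test $$? = 2", or put the call behind its own stamp file. Nothing in the visible lines sets QUILT_PATCHES, so unless rules does that elsewhere, quilt finds debian/patches only through the .pc/.quilt_patches file added further down.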
>> @@ -61,6 +62,7 @@
>> touch build-diet-stamp
>>
>> clean: deb-checkdir deb-checkuid
>> + quilt pop -a || true
>> rm -rf gnu diet examples
>> rm -f unpack-gnu-stamp unpack-diet-stamp build-gnu-stamp \
>> build-diet-stamp
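Review bot: "quilt pop -a || true" in the clean recipe hides every quilt failure, not only the expected "no patch applied" case (exit status 2). "quilt pop -a || test $$? = 2" keeps clean idempotent while still stopping on a real error. The patched files live under gnu/ and diet/, which the following rm -rf removes anyway, so the pop mainly resets quilt's .pc state.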
>> only in patch2:
>> unchanged:
>> --- matrixssl-1.8.8.orig/.pc/.quilt_patches
>> +++ matrixssl-1.8.8/.pc/.quilt_patches
>> @@ -0,0 +1 @@
>> +debian/patches
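Review bot: The .pc/ files (.quilt_patches here, .quilt_series and .version below) are quilt's working state rather than packaging source, and look as if they were picked up from the build tree by accident. I would drop them from the debdiff and have debian/rules point quilt at debian/patches explicitly, for example by exporting QUILT_PATCHES=debian/patches.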
>> only in patch2:
>> unchanged:
>> --- matrixssl-1.8.8.orig/.pc/.quilt_series
>> +++ matrixssl-1.8.8/.pc/.quilt_series
>> @@ -0,0 +1 @@
>> +series
>> only in patch2:
>> unchanged:
>> --- matrixssl-1.8.8.orig/.pc/.version
>> +++ matrixssl-1.8.8/.pc/.version
>> @@ -0,0 +1 @@
>> +2
>> only in patch2:
>> unchanged:
>> --- matrixssl-1.8.8.orig/debian/patches/fix-bn_reverse.patch
>> +++ matrixssl-1.8.8/debian/patches/fix-bn_reverse.patch
>> @@ -0,0 +1,36 @@
>> +--- a/diet/matrixssl-1-8-8-open/src/crypto/peersec/mpi.c
>> ++++ b/diet/matrixssl-1-8-8-open/src/crypto/peersec/mpi.c
>> +@@ -945,6 +945,9 @@
>> + int32 ix, iy;
>> + unsigned char t;
>> +
>> ++ if (len == 0) {
>> ++ return;
>> ++ }
>> + ix = 0;
>> + iy = len - 1;
>> + while (ix < iy) {
>> +--- a/gnu/shared/matrixssl-1-8-8-open/src/crypto/peersec/mpi.c
>> ++++ b/gnu/shared/matrixssl-1-8-8-open/src/crypto/peersec/mpi.c
>> +@@ -945,6 +945,9 @@
>> + int32 ix, iy;
>> + unsigned char t;
>> +
>> ++ if (len == 0) {
>> ++ return;
>> ++ }
>> + ix = 0;
>> + iy = len - 1;
>> + while (ix < iy) {
>> +--- a/gnu/static/matrixssl-1-8-8-open/src/crypto/peersec/mpi.c
>> ++++ b/gnu/static/matrixssl-1-8-8-open/src/crypto/peersec/mpi.c
>> +@@ -945,6 +945,9 @@
>> + int32 ix, iy;
>> + unsigned char t;
>> +
>> ++ if (len == 0) {
>> ++ return;
>> ++ }
>> + ix = 0;
>> + iy = len - 1;
>> + while (ix < iy) {
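Review bot: The type of len is not visible in the bn_reverse hunks, and it decides whether the new "if (len == 0)" guard changes anything: ix and iy are declared int32, so with a signed len a value of 0 gives iy = -1 and "while (ix < iy)" is already skipped. Please confirm the declaration of len in the 1.8.8 source and that this version is affected in the way the CVE describes; if len is signed, "len <= 0" would be the more defensive test. The patch file also starts directly at the "--- a/diet/..." line, so a short header (description, origin, CVE reference) would help whoever touches it next.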
>> only in patch2:
>> unchanged:
>> --- matrixssl-1.8.8.orig/debian/patches/series
>> +++ matrixssl-1.8.8/debian/patches/series
>> @@ -0,0 +1 @@
>> +fix-bn_reverse.patch
>
> Having the same hunk three times isn't pretty but I don't have a great
> idea how this can be done better in the current packaging either.
>
> Did you try to reproduce the crash mentioned in the CVE details?
>
> Cheers,
> -- Guido
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola@inguza.com Folkebogatan 26 \
| opal@debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------