
Re: Wheezy update of erlang?



Hello Sergei,

On Sun, 10 Dec 2017, Sergei Golovan wrote:
> On Sun, Dec 10, 2017 at 9:52 PM, Thorsten Alteholz <debian@alteholz.de> wrote:
> > Hi Sergei,
> >
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of erlang:
> > https://security-tracker.debian.org/tracker/source-package/erlang
> >
> > Would you like to take care of this yourself?
> 
> I would love to, but there's a problem. The existing fixes can't be applied to
> the version in wheezy because it's fairly old, and the ssl application codebase
> has been changed considerably. So, basically, I'd have to recreate the
> fix myself. And I'm not sure I have time for this till next week.
> 
> Though I can test an existing patch if any.

I tried to backport the patch from version 18 to the version that we have
in wheezy. The resulting patch is attached. I'm not quite sure that the
patch is correct.

Can you review it and test it?

The package builds fine with this patch (my debdiff is also attached),
but I did not run any other tests.

The binary packages for amd64 are here:
$ dget https://people.debian.org/~hertzog/packages/erlang_15.b.1-dfsg-4+deb7u2_amd64.changes

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Description: Fix CVE-2017-1000385
 This is a backport of the upstream patch on version 18.3.4.7
 which fixes the Adaptive Chosen Ciphertext attack allowing
 plaintext recovery or MITM attack.
Origin: backport, https://github.com/erlang/otp/commit/de3b9cdb8521d7edd524b4e17d1e3f883f832ec0
Last-Update: 2017-12-12

--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -75,6 +75,7 @@
 	  session_cache,        % 
 	  session_cache_cb,     %
           negotiated_version,   % tls_version()
+          client_hello_version, % tls_version()
           supported_protocol_versions, % [atom()]
           client_certificate_requested = false,
 	  key_algorithm,       % atom as defined by cipher_suite
@@ -416,6 +417,7 @@ hello(Hello = #client_hello{client_versi
             do_server_hello(Type, State#state{connection_states  = 
 					      ConnectionStates,
 					      negotiated_version = Version,
+					      client_hello_version = ClientVersion,
 					      session = Session});
         #alert{} = Alert ->
             handle_own_alert(Alert, ClientVersion, hello, State), 
@@ -604,10 +606,27 @@ certify(Msg, State) ->
 
 certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS},
 			    #state{negotiated_version = Version,
+				   client_hello_version = {Major, Minor} = ClientVersion,
 				   connection_states = ConnectionStates0,
 				   session = Session0,
 				   private_key = Key} = State0) ->
-    PremasterSecret = ssl_handshake:decrypt_premaster_secret(EncPMS, Key),
+    %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret
+    %% and fail handshake later.RFC 5246 section 7.4.7.1.
+    PremasterSecret =
+        try ssl_handshake:decrypt_premaster_secret(EncPMS, Key) of
+            Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES ->
+                case Secret of
+                    <<?BYTE(Major), ?BYTE(Minor), _/binary>> -> %% Correct
+                        Secret;
+                    <<?BYTE(_), ?BYTE(_), Rest/binary>> -> %% Version mismatch
+                        <<?BYTE(Major), ?BYTE(Minor), Rest/binary>>
+                end;
+            _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES
+                make_premaster_secret(ClientVersion, rsa)
+        catch
+            #alert{description = ?DECRYPT_ERROR} ->
+                make_premaster_secret(ClientVersion, rsa)
+        end,
     case ssl_handshake:master_secret(Version, PremasterSecret,
 				     ConnectionStates0, server) of
 	{MasterSecret, ConnectionStates} ->
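Review bot: The `catch` clause at the end of the new `try` intercepts only `throw:#alert{description = ?DECRYPT_ERROR}` (a catch pattern without a class defaults to `throw`), so the countermeasure is effective only if the wheezy `ssl_handshake:decrypt_premaster_secret/2` really throws that alert on a bad PKCS#1 decryption; if it instead raises an `error` (for example by letting `public_key:decrypt_private/3` fail) the exception escapes the `try`, the handshake aborts immediately, and the oracle this patch is meant to close remains. Since the backport targets a much older ssl codebase, please confirm this in `ssl_handshake.erl` before uploading, and record the dependency with a comment such as `%% Relies on decrypt_premaster_secret/2 throwing #alert{description = ?DECRYPT_ERROR} on any decryption failure; any other exception class would reintroduce the oracle.`. A minor style point: the guard uses `erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES` where `=:=` is the exact comparison usually preferred for integers. certify_client_key_exchange/2 continues past the end of the hunk. The identical hunk is embedded again in the new `debian/patches/CVE-2017-1000385.patch` further down, so the same check applies there.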
diff -u erlang-15.b.1-dfsg/debian/changelog erlang-15.b.1-dfsg/debian/changelog
--- erlang-15.b.1-dfsg/debian/changelog
+++ erlang-15.b.1-dfsg/debian/changelog
@@ -1,3 +1,10 @@
+erlang (1:15.b.1-dfsg-4+deb7u2) wheezy-security; urgency=medium
+
+  * Fix CVE-2017-1000385: TLS server vulnerable to Adaptive Chosen Ciphertext
+    attack allowing plaintext recovery of encrypted messages or MITM attack.
+
+ -- Raphaël Hertzog <hertzog@debian.org>  Tue, 12 Dec 2017 12:16:47 +0100
+
 erlang (1:15.b.1-dfsg-4+deb7u1) stable-proposed-updates; urgency=low
 
   * Check the user, file, dir names for <CR> and <LF> in them in ftp module,
diff -u erlang-15.b.1-dfsg/debian/patches/series erlang-15.b.1-dfsg/debian/patches/series
--- erlang-15.b.1-dfsg/debian/patches/series
+++ erlang-15.b.1-dfsg/debian/patches/series
@@ -12,0 +13 @@
+CVE-2017-1000385.patch
only in patch2:
unchanged:
--- erlang-15.b.1-dfsg.orig/debian/patches/CVE-2017-1000385.patch
+++ erlang-15.b.1-dfsg/debian/patches/CVE-2017-1000385.patch
@@ -0,0 +1,54 @@
+Description: Fix CVE-2017-1000385
+ This is a backport of the upstream patch on version 18.3.4.7
+ which fixes the Adaptive Chosen Ciphertext attack allowing
+ plaintext recovery or MITM attack.
+Origin: backport, https://github.com/erlang/otp/commit/de3b9cdb8521d7edd524b4e17d1e3f883f832ec0
+Last-Update: 2017-12-12
+
+--- a/lib/ssl/src/ssl_connection.erl
++++ b/lib/ssl/src/ssl_connection.erl
+@@ -75,6 +75,7 @@
+ 	  session_cache,        % 
+ 	  session_cache_cb,     %
+           negotiated_version,   % tls_version()
++          client_hello_version, % tls_version()
+           supported_protocol_versions, % [atom()]
+           client_certificate_requested = false,
+ 	  key_algorithm,       % atom as defined by cipher_suite
+@@ -416,6 +417,7 @@ hello(Hello = #client_hello{client_versi
+             do_server_hello(Type, State#state{connection_states  = 
+ 					      ConnectionStates,
+ 					      negotiated_version = Version,
++					      client_hello_version = ClientVersion,
+ 					      session = Session});
+         #alert{} = Alert ->
+             handle_own_alert(Alert, ClientVersion, hello, State), 
+@@ -604,10 +606,27 @@ certify(Msg, State) ->
+ 
+ certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS},
+ 			    #state{negotiated_version = Version,
++				   client_hello_version = {Major, Minor} = ClientVersion,
+ 				   connection_states = ConnectionStates0,
+ 				   session = Session0,
+ 				   private_key = Key} = State0) ->
+-    PremasterSecret = ssl_handshake:decrypt_premaster_secret(EncPMS, Key),
++    %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret
++    %% and fail handshake later.RFC 5246 section 7.4.7.1.
++    PremasterSecret =
++        try ssl_handshake:decrypt_premaster_secret(EncPMS, Key) of
++            Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES ->
++                case Secret of
++                    <<?BYTE(Major), ?BYTE(Minor), _/binary>> -> %% Correct
++                        Secret;
++                    <<?BYTE(_), ?BYTE(_), Rest/binary>> -> %% Version mismatch
++                        <<?BYTE(Major), ?BYTE(Minor), Rest/binary>>
++                end;
++            _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES
++                make_premaster_secret(ClientVersion, rsa)
++        catch
++            #alert{description = ?DECRYPT_ERROR} ->
++                make_premaster_secret(ClientVersion, rsa)
++        end,
+     case ssl_handshake:master_secret(Version, PremasterSecret,
+ 				     ConnectionStates0, server) of
+ 	{MasterSecret, ConnectionStates} ->
