
Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455
On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
> On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
> > Please see the thread starting at
> > http://www.openwall.com/lists/oss-security/2012/09/07/2
> > for details.
> 
> I've had a quick look at this bug to see if it can be fixed in Debian.
> There are four patches referenced in the thread (I haven't verified if
> there are more patches required):
> 
> - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
>   32 files changed, 182 insertions(+), 1166 deletions(-)
>   This change is huge and mainly seems to be equivalent to setting
>   SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
>   other changes in there which may be due to the removal of the
>   compatibility code.
>   This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
>   to manually fix it (attached is a version if anyone is interested).
> - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
>   31 files changed, 2975 insertions(+), 280 deletions(-)
>   Lots of changes in the tests but it also seems to contain some
>   cleanups related to the previous change, a change from lock_shm() to
>   XProcLock(), some moving of locks to /var/lock and a few other
>   changes.
> - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
>   23 files changed, 449 insertions(+), 99 deletions(-)
>   Includes a FAQ typo fix and the introduction of a lot of new code.
> - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
>   1 files changed, 3 insertions(+), 3 deletions(-)
>   Very small change in the Makefile which creates the lock directory.
>   Should not be relevant for Debian because subdirectories of /var/lock
>   should be created on the fly.
> 
> The changes are huge and can probably not be easily backported to
> Debian's 2.3.1. A few other options come to mind:
> - see if upstream can provide patches for 2.3.1
> - see if the necessary fixes can be made some other way
> - upgrade to upstream 2.4.2
> - remove from wheezy
> (the only reverse dependency for opencryptoki seems to be tpm-tools)
> 
> Anyway, I don't think I can do much more for this bug because I'm afraid
> it will take a little more time than I have available at the moment. I
> was having a look and I thought I would just add my notes to the bug log.
> 
> Good luck with this bug! ;)

Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
outdated crypto toolkits without an active maintainer in the archive.

CCing Pierre, the tpm-tools maintainer, to see whether tpm-tools
is usable without opencryptoki or whether he's interested in adopting
it himself.

Cheers,
        Moritz