Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455
On Tue, Oct 30, 2012 at 06:21:07PM +0100, Moritz Muehlenhoff wrote:
> On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
> > On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
> > > Please see the thread starting at
> > > http://www.openwall.com/lists/oss-security/2012/09/07/2
> > > for details.
> > I've had a quick look at this bug to see if it can be fixed in Debian.
> > There are four patches referenced in the thread (I haven't verified if
> > there are more patches required):
> > - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
> > 32 files changed, 182 insertions(+), 1166 deletions(-)
> > This change is huge and mainly seems to be equivalent to setting
> > SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
> > other changes in there which may be due to the removal of the
> > compatibility code.
> > This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
> > to manually fix it (attached is a version if anyone is interested).
> > - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
> > 31 files changed, 2975 insertions(+), 280 deletions(-)
> > Lots of changes in the tests but it also seems to contain some
> > cleanups related to the previous change, a change from lock_shm() to
> > XProcLock(), some moving of locks to /var/lock and a few other
> > changes.
> > - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
> > 23 files changed, 449 insertions(+), 99 deletions(-)
> > Includes a FAQ typo fix and the introduction of a lot of new code.
> > - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
> > 1 files changed, 3 insertions(+), 3 deletions(-)
> > Very small change in the Makefile which creates the lock directory.
> > Should not be relevant for Debian because subdirectories of /var/lock
> > should be created on the fly.
> > The changes are huge and can probably not be easily backported to
> > Debian's 2.3.1. A few other options come to mind:
> > - see if upstream can provide patches for 2.3.1
> > - see if the necessary fixes can be made some other way
> > - upgrade to upstream 2.4.2
> > - remove from wheezy
> > (the only reverse dependency for opencryptoki seems to be tpm-tools)
> > Anyway, I don't think I can do much more for this bug because I'm afraid
> > it will take a little more time than I have available at the moment. I
> > was having a look and I thought I would just add my notes to the bug log.
> > Good luck with this bug! ;)
> Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
> outdated crypto toolkits without an active maintainer in the archive.
> CCing Pierre, the tpm-tools maintainer, to see whether tpm-tools
> is usable without opencryptoki or whether he's interested in adopting
> it himself.
IMHO the best solution would be to upgrade opencryptoki, including
Wheezy. Trying to backport many patches will be complex to maintain and
will create a version that could be very different from upstream,
leading to bugs (on functionalities, and security).
tpm-tools can be compiled without opencryptoki, but this would disable
the pkcs#11 support and so lose some functionality. Except for the
dependency in debian/control, there should not be any other changes to