
Bug#685944: unblock: beaker/1.6.3-1.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package beaker

It fixes a security issue ([CVE-2012-3458] #684890). I didn't touch the
urgency since we're in freeze and leave it to your appreciation.

unblock beaker/1.6.3-1.1

Thanks in advance.

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for beaker-1.6.3 beaker-1.6.3

 changelog                       |    9 +++++++++
 patches/fix_CVE-2012-3458.patch |   36 ++++++++++++++++++++++++++++++++++++
 patches/series                  |    1 +
 3 files changed, 46 insertions(+)

diff -Nru beaker-1.6.3/debian/changelog beaker-1.6.3/debian/changelog
--- beaker-1.6.3/debian/changelog	2012-05-06 16:46:36.000000000 -0400
+++ beaker-1.6.3/debian/changelog	2012-08-24 13:54:40.000000000 -0400
@@ -1,3 +1,12 @@
+beaker (1.6.3-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix security issue, with PyCrypto not securing data such that an attacker
+    could possibly determine parts of the encrypted payload. Patch by Miloslav
+    Trmac of Redhat. [CVE-2012-3458] Closes: #684890
+
+ -- David Prévot <taffit@debian.org>  Fri, 24 Aug 2012 13:54:13 -0400
+
 beaker (1.6.3-1) unstable; urgency=low
 
   [ Andrey Rahmatullin ]
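Review bot: the changelog wording "PyCrypto not securing data such that an attacker could possibly determine parts of the encrypted payload" does not tell a reader what actually changed; the patch replaces `AES.new(key)`, which in PyCrypto falls back to the default ECB mode, with `AES.MODE_CTR`, so name the mode change in the entry (e.g. "switch the PyCrypto AES fallback from ECB to CTR mode"), which is what an administrator grepping the changelog for the CVE will want to know. Minor: "Redhat" should be "Red Hat".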
diff -Nru beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch
--- beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch	1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch	2012-08-24 14:04:48.000000000 -0400
@@ -0,0 +1,36 @@
+From: Ben Bangert <ben@groovie.org>
+Subject : Fix security issue CVE-2012-3458
+
+  Fix security issue, with PyCrypto not securing data such that an attacker
+  could possibly determine parts of the encrypted payload. Patch by Miloslav
+  Trmac of Redhat. [CVE-2012-3458]
+
+Origin: upstream, https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5
+Bug-Debian: http://bugs.debian.org/684890
+
+--- beaker-1.6.3.orig/beaker/crypto/pycrypto.py
++++ beaker-1.6.3/beaker/crypto/pycrypto.py
+@@ -15,17 +15,18 @@ try:
+ 
+ except ImportError:
+     from Crypto.Cipher import AES
++    from Crypto.Util import Counter
+ 
+     def aesEncrypt(data, key):
+-        cipher = AES.new(key)
++        cipher = AES.new(key, AES.MODE_CTR,
++                         counter=Counter.new(128, initial_value=0))
+ 
+-        data = data + (" " * (16 - (len(data) % 16)))
+         return cipher.encrypt(data)
+ 
+     def aesDecrypt(data, key):
+-        cipher = AES.new(key)
+-
+-        return cipher.decrypt(data).rstrip()
++        cipher = AES.new(key, AES.MODE_CTR,
++                         counter=Counter.new(128, initial_value=0))
++        return cipher.decrypt(data)
+ 
+ def getKeyLength():
+     return 32
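Review bot: aesEncrypt builds its counter as `Counter.new(128, initial_value=0)` with no nonce or IV, so every payload encrypted under a given key starts from the same keystream; CTR mode is only safe here if the caller never encrypts two different messages under one key, otherwise XORing two ciphertexts yields the XOR of the two plaintexts and shared prefixes produce identical ciphertext prefixes. Either state in the patch header that the surrounding code derives a fresh key for each encryption, or generate a random nonce per call, seed the counter from it and prepend it to the returned ciphertext so aesDecrypt can recover it. Dropping the space padding and the `rstrip()` on decrypt is correct for CTR, which needs no block padding, and it also removes the old behaviour of silently stripping trailing whitespace from the payload. Minor: the DEP-3 header at the top of the patch reads `Subject :` with a stray space before the colon.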
diff -Nru beaker-1.6.3/debian/patches/series beaker-1.6.3/debian/patches/series
--- beaker-1.6.3/debian/patches/series	1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/series	2012-08-24 13:59:45.000000000 -0400
@@ -0,0 +1 @@
+fix_CVE-2012-3458.patch
