--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package beaker
It fixes a security issue ([CVE-2012-3458] #684890). I didn't touch the
urgency since we're in freeze and leave it to your appreciation.
unblock beaker/1.6.3-1.1
Thanks in advance.
Regards
David
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for beaker-1.6.3 beaker-1.6.3
changelog | 9 +++++++++
patches/fix_CVE-2012-3458.patch | 36 ++++++++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 46 insertions(+)
diff -Nru beaker-1.6.3/debian/changelog beaker-1.6.3/debian/changelog
--- beaker-1.6.3/debian/changelog 2012-05-06 16:46:36.000000000 -0400
+++ beaker-1.6.3/debian/changelog 2012-08-24 13:54:40.000000000 -0400
@@ -1,3 +1,12 @@
+beaker (1.6.3-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix security issue, with PyCrypto not securing data such that an attacker
+ could possibly determine parts of the encrypted payload. Patch by Miloslav
+ Trmac of Redhat. [CVE-2012-3458] Closes: #684890
+
+ -- David Prévot <taffit@debian.org> Fri, 24 Aug 2012 13:54:13 -0400
+
beaker (1.6.3-1) unstable; urgency=low
[ Andrey Rahmatullin ]
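Review bot: the entry "Fix security issue, with PyCrypto not securing data such that an attacker could possibly determine parts of the encrypted payload" never says what changes; the patch below replaces AES.new(key), which in PyCrypto defaults to ECB mode, with CTR mode, and stating that (for example "switch the PyCrypto backend from ECB to CTR mode") would make the entry useful to anyone triaging the CVE later. "Redhat" should read "Red Hat". Since ciphertext produced by the old code (ECB, space-padded) will not decrypt with the new code, a line noting that existing encrypted sessions are invalidated by the upgrade belongs here as well.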
diff -Nru beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch
--- beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch 1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch 2012-08-24 14:04:48.000000000 -0400
@@ -0,0 +1,36 @@
+From: Ben Bangert <ben@groovie.org>
+Subject : Fix security issue CVE-2012-3458
+
+ Fix security issue, with PyCrypto not securing data such that an attacker
+ could possibly determine parts of the encrypted payload. Patch by Miloslav
+ Trmac of Redhat. [CVE-2012-3458]
+
+Origin: upstream, https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5
+Bug-Debian: http://bugs.debian.org/684890
+
+--- beaker-1.6.3.orig/beaker/crypto/pycrypto.py
++++ beaker-1.6.3/beaker/crypto/pycrypto.py
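Review bot: the DEP-3 header field "Subject :" has a stray space before the colon and should be "Subject:". The From: line names Ben Bangert while the description credits Miloslav Trmac of Red Hat (spelled "Redhat" here); since Origin already records the upstream commit, an Author: field naming the actual patch author would reconcile the two.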
+@@ -15,17 +15,18 @@ try:
+
+ except ImportError:
+ from Crypto.Cipher import AES
++ from Crypto.Util import Counter
+
+ def aesEncrypt(data, key):
+- cipher = AES.new(key)
++ cipher = AES.new(key, AES.MODE_CTR,
++ counter=Counter.new(128, initial_value=0))
+
+- data = data + (" " * (16 - (len(data) % 16)))
+ return cipher.encrypt(data)
+
+ def aesDecrypt(data, key):
+- cipher = AES.new(key)
+-
+- return cipher.decrypt(data).rstrip()
++ cipher = AES.new(key, AES.MODE_CTR,
++ counter=Counter.new(128, initial_value=0))
++ return cipher.decrypt(data)
+
+ def getKeyLength():
+ return 32
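Review bot: Counter.new(128, initial_value=0) with no per-message nonce means every aesEncrypt call under the same key produces the identical keystream, so any two payloads encrypted with one key leak their XOR (c1 ^ c2 == p1 ^ p2 over the common length) and one known plaintext recovers the other outright; this trades the ECB block-repetition leak for a keystream-reuse one unless the caller guarantees a fresh key for every encryption, which nothing in this hunk shows. Either generate a random counter start per message, pass it as initial_value and prepend it to the ciphertext, or document the key-uniqueness requirement at the call site. Two further caveats on the same lines: CTR is malleable, so unless the ciphertext is authenticated elsewhere an attacker can flip chosen plaintext bits, and dropping the space padding and rstrip() is correct for CTR but means data written by the old ECB code will no longer decrypt after the upgrade.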
diff -Nru beaker-1.6.3/debian/patches/series beaker-1.6.3/debian/patches/series
--- beaker-1.6.3/debian/patches/series 1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/series 2012-08-24 13:59:45.000000000 -0400
@@ -0,0 +1 @@
+fix_CVE-2012-3458.patch
--- End Message ---
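As an added illustration, not beaker's code and not part of the message above, of why the ECB-to-CTR change in the patch matters and of the caveat that comes with a fixed counter: the block below uses a SHA-256 Feistel network as a toy stand-in for AES so it runs on the Python standard library alone. ecb_encrypt/ecb_decrypt mirror the pre-patch behaviour (space padding, rstrip on decrypt); ctr_crypt mirrors the post-patch CTR with a fixed counter start. All function names, the key and the sample payloads are constructed for this example.

```python
"""ECB structure leak vs. CTR keystream reuse, on a toy 128-bit block cipher.

Added example: a SHA-256 Feistel network stands in for AES so this runs on the
standard library alone. ecb_* mirror the pre-patch beaker code (space padding,
rstrip on decrypt); ctr_crypt mirrors the post-patch fixed-counter CTR.
"""
import hashlib

BLOCK = 16  # block size in bytes, as for AES


def _xor(a: bytes, b: bytes) -> bytes:
    # XOR over the common length of the two inputs.
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function, truncated to the 8-byte half-block width.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """8-round Feistel permutation (toy AES stand-in, not for real use)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(8):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: run the rounds backwards."""
    left, right = block[:8], block[8:]
    for i in reversed(range(8)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Pre-patch behaviour: pad with spaces, encrypt each block independently."""
    data = data + b" " * (BLOCK - len(data) % BLOCK)
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    """Pre-patch behaviour: decrypt blockwise, then strip trailing whitespace
    (so a payload's own trailing spaces are lost as well)."""
    pt = b"".join(toy_decrypt_block(key, data[i:i + BLOCK])
                  for i in range(0, len(data), BLOCK))
    return pt.rstrip()


def ctr_crypt(key: bytes, data: bytes, initial_value: int = 0) -> bytes:
    """Post-patch behaviour: CTR with a fixed counter start (default 0).
    Encryption and decryption are the same XOR with the keystream."""
    nblocks = -(-len(data) // BLOCK)
    stream = b"".join(
        toy_encrypt_block(key, (initial_value + i).to_bytes(BLOCK, "big"))
        for i in range(nblocks))
    return _xor(data, stream)


def ecb_repeated_blocks(key: bytes, data: bytes) -> int:
    """Count repeated ciphertext blocks: ECB reveals repeated plaintext blocks."""
    ct = ecb_encrypt(key, data)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))


def ctr_xor_leak(key: bytes, p1: bytes, p2: bytes,
                 nonce1: int = 0, nonce2: int = 0) -> bytes:
    """XOR of two CTR ciphertexts. With the same key and the same counter
    start the keystreams cancel and the result is p1 ^ p2 over the common
    prefix; a distinct counter start per message breaks that relation."""
    c1 = ctr_crypt(key, p1, nonce1)
    c2 = ctr_crypt(key, p2, nonce2)
    return _xor(c1, c2)


if __name__ == "__main__":
    key = b"k" * 32                       # constructed 256-bit key
    payload = b"A" * 48 + b"B" * 16       # constructed repetitive payload
    print("ECB repeated ciphertext blocks:", ecb_repeated_blocks(key, payload))
    p1 = b"session_id=42;user=alice"     # constructed sample payloads
    p2 = b"session_id=99;user=bob!!"
    print("fixed counter, c1^c2 == p1^p2:",
          ctr_xor_leak(key, p1, p2) == _xor(p1, p2))
    print("distinct counter starts, c1^c2 == p1^p2:",
          ctr_xor_leak(key, p1, p2, 0, 1) == _xor(p1, p2))
```

The ECB count is what the changelog describes as "determine parts of the encrypted payload": repeated 16-byte plaintext blocks show up as repeated ciphertext blocks. The CTR check is the caveat the patch does not address: with initial_value fixed at 0 and one key, two ciphertexts XOR to the two plaintexts, so either the key must be unique per encryption or the counter start must be a fresh per-message nonce carried with the ciphertext.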