
Bug#685944: marked as done (unblock: beaker/1.6.3-1.1)



Your message dated Sun, 26 Aug 2012 23:17:02 +0100
with message-id <90cb264e6fc1d197f146292e063bb38d@mail.adsl.funky-badger.org>
and subject line Re: Bug#685944: unblock: beaker/1.6.3-1.1
has caused the Debian Bug report #685944,
regarding unblock: beaker/1.6.3-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
685944: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685944
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package beaker

It fixes a security issue ([CVE-2012-3458] #684890). I didn't touch the
urgency since we're in freeze and leave it to your appreciation.

unblock beaker/1.6.3-1.1

Thanks in advance.

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for beaker-1.6.3 beaker-1.6.3

 changelog                       |    9 +++++++++
 patches/fix_CVE-2012-3458.patch |   36 ++++++++++++++++++++++++++++++++++++
 patches/series                  |    1 +
 3 files changed, 46 insertions(+)

diff -Nru beaker-1.6.3/debian/changelog beaker-1.6.3/debian/changelog
--- beaker-1.6.3/debian/changelog	2012-05-06 16:46:36.000000000 -0400
+++ beaker-1.6.3/debian/changelog	2012-08-24 13:54:40.000000000 -0400
@@ -1,3 +1,12 @@
+beaker (1.6.3-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix security issue, with PyCrypto not securing data such that an attacker
+    could possibly determine parts of the encrypted payload. Patch by Miloslav
+    Trmac of Redhat. [CVE-2012-3458] Closes: #684890
+
+ -- David Prévot <taffit@debian.org>  Fri, 24 Aug 2012 13:54:13 -0400
+
 beaker (1.6.3-1) unstable; urgency=low
 
   [ Andrey Rahmatullin ]
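Review bot: the changelog entry repeats the upstream wording ("PyCrypto not securing data") but does not say what the upload actually changes; since the shipped patch replaces the mode-less `AES.new(key)` call with an explicit `AES.MODE_CTR` cipher, one line naming that change would let stable users and the security team judge the impact without reading the patch. Minor: "Redhat" is spelled "Red Hat".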
diff -Nru beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch
--- beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch	1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch	2012-08-24 14:04:48.000000000 -0400
@@ -0,0 +1,36 @@
+From: Ben Bangert <ben@groovie.org>
+Subject : Fix security issue CVE-2012-3458
+
+  Fix security issue, with PyCrypto not securing data such that an attacker
+  could possibly determine parts of the encrypted payload. Patch by Miloslav
+  Trmac of Redhat. [CVE-2012-3458]
+
+Origin: upstream, https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5
+Bug-Debian: http://bugs.debian.org/684890
+
+--- beaker-1.6.3.orig/beaker/crypto/pycrypto.py
++++ beaker-1.6.3/beaker/crypto/pycrypto.py
+@@ -15,17 +15,18 @@ try:
+ 
+ except ImportError:
+     from Crypto.Cipher import AES
++    from Crypto.Util import Counter
+ 
+     def aesEncrypt(data, key):
+-        cipher = AES.new(key)
++        cipher = AES.new(key, AES.MODE_CTR,
++                         counter=Counter.new(128, initial_value=0))
+ 
+-        data = data + (" " * (16 - (len(data) % 16)))
+         return cipher.encrypt(data)
+ 
+     def aesDecrypt(data, key):
+-        cipher = AES.new(key)
+-
+-        return cipher.decrypt(data).rstrip()
++        cipher = AES.new(key, AES.MODE_CTR,
++                         counter=Counter.new(128, initial_value=0))
++        return cipher.decrypt(data)
+ 
+ def getKeyLength():
+     return 32
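Review bot: both `aesEncrypt` and `aesDecrypt` build the cipher with `Counter.new(128, initial_value=0)` on every call, so the CTR keystream is fixed for a given key and the fix is only sound if the caller never passes the same `key` for two different payloads; the hunk does not show where `key` comes from, so please confirm that and record it in the patch header. Two smaller points: the DEP-3 line `Subject : Fix security issue CVE-2012-3458` has a space before the colon, which DEP-3 tooling may not recognise (use `Subject:`), and the description could state the actual code change rather than copying the changelog, namely that the default-mode `AES.new(key)` is replaced by an explicit CTR cipher and that the space padding plus `rstrip()` are dropped because CTR needs no block padding.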
diff -Nru beaker-1.6.3/debian/patches/series beaker-1.6.3/debian/patches/series
--- beaker-1.6.3/debian/patches/series	1969-12-31 20:00:00.000000000 -0400
+++ beaker-1.6.3/debian/patches/series	2012-08-24 13:59:45.000000000 -0400
@@ -0,0 +1 @@
+fix_CVE-2012-3458.patch

--- End Message ---
--- Begin Message ---
On 26.08.2012 22:33, David Prévot wrote:
> Please unblock package beaker
>
> It fixes a security issue ([CVE-2012-3458] #684890). I didn't touch the
> urgency since we're in freeze and leave it to your appreciation.

Unblocked; thanks.

Regards,

Adam

--- End Message ---