Bug#863625: marked as done (unblock: botan1.10/1.10.16-1)



Your message dated Mon, 29 May 2017 13:36:13 +0100
with message-id <20170529123613.m4rtm2gho6kxm4m7@powdarrmonkey.net>
and subject line Re: Bug#863625: unblock: botan1.10/1.10.16-1
has caused the Debian Bug report #863625,
regarding unblock: botan1.10/1.10.16-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863625
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package botan1.10

Dear release team,

botan1.10 1.10.16 contains only the fix for the RC bug #860072
(CVE-2017-2801: Incorrect comparison in X.509 DN strings) (+ changelog
entry + version bump), so I have decided to upload 1.10.16 directly
instead of patching the simple patch on top of 1.10.15.

(+ update to d/watch bundled to make it work again)

diffstat:

 botan_version.py                  |    6 +++---
 debian/changelog                  |    8 ++++++++
 debian/watch                      |    2 +-
 doc/log.txt                       |   10 ++++++++++
 src/alloc/alloc_mmap/mmap_mem.cpp |    3 +--
 src/utils/parsing.cpp             |    2 ++
 6 files changed, 25 insertions(+), 6 deletions(-)

unblock botan1.10/1.10.16-1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64
 (x86_64)

Kernel: Linux 4.4.0-67-generic (SMP w/24 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Format: 3.0 (quilt)
Source: botan1.10
Binary: botan1.10-dbg, libbotan-1.10-1, libbotan1.10-dev
Architecture: any
Version: 1.10.16-1
Maintainer: Ondřej Surý <ondrej@debian.org>
Homepage: http://botan.randombit.net/
Standards-Version: 3.9.6
Vcs-Browser: http://anonscm.debian.org/?p=pkg-nlnetlabs/botan1.10.git
Vcs-Git: git://anonscm.debian.org/pkg-nlnetlabs/botan1.10.git
Build-Depends: debhelper (>= 9), libbz2-dev, libgmp3-dev, python, zlib1g-dev
Package-List:
 botan1.10-dbg deb debug extra arch=any
 libbotan-1.10-1 deb libs optional arch=any
 libbotan1.10-dev deb libdevel optional arch=any

diff -Nru botan1.10-1.10.15/botan_version.py botan1.10-1.10.16/botan_version.py
--- botan1.10-1.10.15/botan_version.py	2017-01-13 02:48:25.000000000 +0100
+++ botan1.10-1.10.16/botan_version.py	2017-04-05 03:07:02.000000000 +0200
@@ -1,11 +1,11 @@
 
 release_major = 1
 release_minor = 10
-release_patch = 15
+release_patch = 16
 
 release_so_abi_rev = 1
 
 # These are set by the distribution script
-release_vc_rev = 'git:f79e642ab8c09971968abdfe6990df6801711e1f'
-release_datestamp = 20170112
+release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e'
+release_datestamp = 20170404
 release_type = 'released'
diff -Nru botan1.10-1.10.15/debian/changelog botan1.10-1.10.16/debian/changelog
--- botan1.10-1.10.15/debian/changelog	2017-01-13 09:47:48.000000000 +0100
+++ botan1.10-1.10.16/debian/changelog	2017-05-29 13:45:02.000000000 +0200
@@ -1,3 +1,11 @@
+botan1.10 (1.10.16-1) unstable; urgency=high
+
+  * Update d/watch to match new upstream download directory
+  * New upstream version 1.10.16
+    + [CVE-2017-2801]: Incorrect comparison in X.509 DN strings
+
+ -- Ondřej Surý <ondrej@debian.org>  Mon, 29 May 2017 13:45:02 +0200
+
 botan1.10 (1.10.15-1) unstable; urgency=medium
 
   * New upstream version 1.10.15
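Review bot: the new changelog entry names CVE-2017-2801 but does not close the RC bug #860072 that the unblock request says this upload fixes; add `(Closes: #860072)` to the bullet, e.g. `+ [CVE-2017-2801]: Incorrect comparison in X.509 DN strings (Closes: #860072)`, so the BTS closes it on upload and the fix stays traceable from the tracker.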
diff -Nru botan1.10-1.10.15/debian/watch botan1.10-1.10.16/debian/watch
--- botan1.10-1.10.15/debian/watch	2017-01-13 09:47:48.000000000 +0100
+++ botan1.10-1.10.16/debian/watch	2017-05-29 13:45:02.000000000 +0200
@@ -1,2 +1,2 @@
 version=3
-http://files.randombit.net/botan/v1.10/Botan-(.*)\.tbz
+https://botan.randombit.net/releases/Botan-(1\.10\.\d+).tgz
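Review bot: in the new pattern the `.` before `tgz` is unescaped, so `Botan-(1\.10\.\d+).tgz` also matches any single character in that position; write `Botan-(1\.10\.\d+)\.tgz`. Switching the download URL to https and restricting the capture group to the 1.10 series are both good: the latter keeps uscan from proposing 2.x tarballs for this source package.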
diff -Nru botan1.10-1.10.15/doc/log.txt botan1.10-1.10.16/doc/log.txt
--- botan1.10-1.10.15/doc/log.txt	2017-01-13 02:47:23.000000000 +0100
+++ botan1.10-1.10.16/doc/log.txt	2017-04-05 03:06:45.000000000 +0200
@@ -7,6 +7,16 @@
 Series 1.10
 ----------------------------------------
 
+Version 1.10.16, 2017-04-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a bug in X509 DN string comparisons that could result in out of bound
+  reads. This could result in information leakage, denial of service, or
+  potentially incorrect certificate validation results. (CVE-2017-2801)
+
+* Avoid throwing during a destructor since this is undefined in C++11
+  and rarely a good idea. (GH #930)
+
 Version 1.10.15, 2017-01-12
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff -Nru botan1.10-1.10.15/src/alloc/alloc_mmap/mmap_mem.cpp botan1.10-1.10.16/src/alloc/alloc_mmap/mmap_mem.cpp
--- botan1.10-1.10.15/src/alloc/alloc_mmap/mmap_mem.cpp	2017-01-13 02:47:23.000000000 +0100
+++ botan1.10-1.10.16/src/alloc/alloc_mmap/mmap_mem.cpp	2017-04-05 03:06:45.000000000 +0200
@@ -73,8 +73,7 @@
             * will continue to exist until the mmap is unmapped from
             * our address space upon deallocation (or process exit).
             */
-            if(fd != -1 && ::close(fd) == -1)
-               throw MemoryMapping_Failed("Could not close file");
+            fd != -1 && ::close(fd);
             }
       private:
          int fd;
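Review bot: `fd != -1 && ::close(fd);` uses short-circuit evaluation as a statement, which reads like an accident and will draw unused-value warnings; since the goal is to stop throwing from the destructor, state that explicitly, e.g. `if(fd != -1) ::close(fd);` with a comment that the close result is deliberately ignored because, as the context lines above note, the mapping survives until it is unmapped.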
diff -Nru botan1.10-1.10.15/src/utils/parsing.cpp botan1.10-1.10.16/src/utils/parsing.cpp
--- botan1.10-1.10.15/src/utils/parsing.cpp	2017-01-13 02:47:23.000000000 +0100
+++ botan1.10-1.10.16/src/utils/parsing.cpp	2017-04-05 03:06:45.000000000 +0200
@@ -230,6 +230,8 @@
 
          if(p1 == name1.end() && p2 == name2.end())
             return true;
+         if(p1 == name1.end() || p2 == name2.end())
+            return false;
          }
 
       if(!Charset::caseless_cmp(*p1, *p2))
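Review bot: the added early return is the actual CVE-2017-2801 fix and looks correct: after the preceding whitespace skip exactly one of `p1`/`p2` can have reached its `end()` while the other has not, and the `Charset::caseless_cmp(*p1, *p2)` immediately below dereferences both without any further check. Please pair it with a regression test that compares a DN against a longer DN of which it is a strict prefix after a run of whitespace (trailing spaces on one side, further characters on the other), so a reintroduced out-of-bounds read cannot return silently.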

Attachment: botan1.10_1.10.16-1.debian.tar.xz
Description: application/xz

Format: 1.8
Date: Mon, 29 May 2017 13:45:02 +0200
Source: botan1.10
Binary: botan1.10-dbg libbotan-1.10-1 libbotan1.10-dev
Architecture: source
Version: 1.10.16-1
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
 botan1.10-dbg - multiplatform crypto library (debug)
 libbotan-1.10-1 - multiplatform crypto library
 libbotan1.10-dev - multiplatform crypto library (development)
Changes:
 botan1.10 (1.10.16-1) unstable; urgency=high
 .
   * Update d/watch to match new upstream download directory
   * New upstream version 1.10.16
     + [CVE-2017-2801]: Incorrect comparison in X.509 DN strings


--- End Message ---
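The DN comparison that the parsing.cpp hunk in the message above patches, as an added example that is not Botan's code: a self-contained, case-insensitive, whitespace-folding X.500 name compare in the shape of that hunk, with the end-of-string check CVE-2017-2801 adds marked in place. The function and helper names (x500_name_cmp, skip_ws, caseless_eq, is_space) are assumptions, not Botan's API.

```cpp
// Added example (not Botan's code): case-insensitive, whitespace-folding X.500
// DN comparison in the shape of the parsing.cpp hunk; names are assumptions.
#include <cctype>
#include <string>

using It = std::string::const_iterator;

static bool is_space(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }

static bool caseless_eq(char a, char b)
   {
   return std::tolower(static_cast<unsigned char>(a)) == std::tolower(static_cast<unsigned char>(b));
   }
// Skip a run of whitespace without ever moving past end.
static void skip_ws(It& p, It end) { while(p != end && is_space(*p)) ++p; }

// True if the DN strings match ignoring case, a run of whitespace in one
// matching a run in the other; leading and trailing whitespace is ignored.
bool x500_name_cmp(const std::string& name1, const std::string& name2)
   {
   It p1 = name1.begin(), p2 = name2.begin();
   skip_ws(p1, name1.end());
   skip_ws(p2, name2.end());

   while(p1 != name1.end() && p2 != name2.end())
      {
      if(is_space(*p1))
         {
         if(!is_space(*p2))
            return false;
         skip_ws(p1, name1.end());
         skip_ws(p2, name2.end());
         if(p1 == name1.end() && p2 == name2.end())
            return true;
         // CVE-2017-2801 fix: after the skip exactly one side may be at end();
         // without this return, the dereference below reads out of bounds.
         if(p1 == name1.end() || p2 == name2.end())
            return false;
         }
      if(!caseless_eq(*p1, *p2))
         return false;
      ++p1;
      ++p2;
      }

   // Only trailing whitespace may remain on either side.
   skip_ws(p1, name1.end());
   skip_ws(p2, name2.end());
   return p1 == name1.end() && p2 == name2.end();
   }
```

The third assertion in the accompanying checks is the shape of input the fix guards: one name ends in whitespace where the other continues.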
--- Begin Message ---
On Mon, May 29, 2017 at 01:58:35PM +0200, Ondřej Surý wrote:
> botan1.10 1.10.16 contains only the fix for the RC bug #860072
> (CVE-2017-2801: Incorrect comparison in X.509 DN strings) (+ changelog
> entry + version bump), so I have decided to upload 1.10.16 directly
> instead of patching the simple patch on top of 1.10.15.

Unblocked.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---