Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.camel@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #862167,
regarding jessie-pu: package polarssl/1.3.9-2.1+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
862167: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862167
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package polarssl/1.3.9-2.1+deb8u2
- From: James Cowgill <jcowgill@debian.org>
- Date: Tue, 9 May 2017 11:42:58 +0100
- Message-id: <048bce9a-2ca6-66d3-bb2a-f1dff89cc058@debian.org>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

This polarssl update fixes CVE-2017-2784 (Freeing of memory allocated on stack when validating a public key with a secp224k1 curve) which is a no-DSA security issue.

I've tested the CVE with the testcase which was added to mbedtls (and it passes only after the patch is applied). Unfortunately the test system is broken in polarssl (doesn't handle crashes) so adding the test to jessie won't have any effect on the builds unless the test system is fixed as well.

Debdiff attached.

Thanks,
James

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru polarssl-1.3.9/debian/changelog polarssl-1.3.9/debian/changelog --- polarssl-1.3.9/debian/changelog 2016-02-06 13:29:38.000000000 +0000 +++ polarssl-1.3.9/debian/changelog 2017-05-09 09:42:21.000000000 +0100 @@ -1,3 +1,10 @@ +polarssl (1.3.9-2.1+deb8u2) jessie; urgency=high + + * Fix CVE-2017-2784: Freeing of memory allocated on stack when + validating a public key with a secp224k1 curve. (Closes: #857561) + + -- James Cowgill <jcowgill@debian.org> Tue, 09 May 2017 09:42:21 +0100 + polarssl (1.3.9-2.1+deb8u1) jessie-security; urgency=high * Non-maintainer upload. diff -Nru polarssl-1.3.9/debian/patches/CVE-2017-2784.patch polarssl-1.3.9/debian/patches/CVE-2017-2784.patch --- polarssl-1.3.9/debian/patches/CVE-2017-2784.patch 1970-01-01 01:00:00.000000000 +0100 +++ polarssl-1.3.9/debian/patches/CVE-2017-2784.patch 2017-05-09 09:36:13.000000000 +0100
@@ -0,0 +1,49 @@ +Description: Fix for CVE-2017-2784 + Fixed a bug that caused freeing a buffer that was allocated on the stack, + when verifying the validity of a key on secp224k1. This could be + triggered remotely for example with a maliciously constructed certificate + and might have led to remote code execution on some exotic embedded + platforms. Reported independently by rongsaws and Regina Wilson. + . + The function ecp_mod_koblitz computed the space for the result of a + multiplication optimally for that specific case, but unfortunately + the function mbedtls_mpi_mul_mpi performs a generic, suboptimal + calculation and needs one more limb for the result. Since the result's + buffer is on the stack, the best case scenario is that the program + stops. + . + This only happened on 64 bit platforms. +Origin: upstream, https://github.com/ARMmbed/mbedtls/commit/f5ffc79896681daddf7530646c0908f51a887dbd +Bug-Debian: https://bugs.debian.org/857561 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ + +--- a/library/ecp_curves.c ++++ b/library/ecp_curves.c +@@ -1268,7 +1268,7 @@ static inline int ecp_mod_koblitz( mpi * + int ret; + size_t i; + mpi M, R; +- t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R]; ++ t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1]; + + if( N->n < p_limbs ) + return( 0 ); +@@ -1290,7 +1290,7 @@ static inline int ecp_mod_koblitz( mpi * + memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) ); + if( shift != 0 ) + MPI_CHK( mpi_shift_r( &M, shift ) ); +- M.n += R.n - adjust; /* Make room for multiplication by R */ ++ M.n += R.n; /* Make room for multiplication by R */ + + /* N = A0 */ + if( mask != 0 ) +@@ -1312,7 +1312,7 @@ static inline int ecp_mod_koblitz( mpi * + memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( t_uint ) ); + if( shift != 0 ) + MPI_CHK( mpi_shift_r( &M, shift ) ); +- M.n += R.n - adjust; /* Make room for multiplication by R */ ++ M.n += R.n; /* Make room for multiplication by R */ + + /* N = A0 */ + if( mask != 0 
) diff -Nru polarssl-1.3.9/debian/patches/series polarssl-1.3.9/debian/patches/series --- polarssl-1.3.9/debian/patches/series 2016-02-05 12:25:30.000000000 +0000 +++ polarssl-1.3.9/debian/patches/series 2017-05-09 09:42:14.000000000 +0100 @@ -5,3 +5,4 @@ CVE-2015-8036-Added-bounds-checking-for-TLS-extensions.patch CVE-2015-8036-Reordered-extension-fields-and-added-to-Cha.patch CVE-2015-8036-Add-extra-check-before-integer-conversion.patch +CVE-2017-2784.patchAttachment: signature.asc
Description: OpenPGP digital signature
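Review bot: the two changes inside CVE-2017-2784.patch (the ecp_curves.c hunks at 1268, 1290 and 1312) are coupled and the DEP-3 header should say so. Dropping `- adjust` from `M.n += R.n - adjust;` raises M.n by `adjust` limbs, so the enlarged `t_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];` only keeps M.p inside the stack array if adjust can never exceed 1; a comment next to the array declaration stating that invariant (or a check on adjust at function entry) would make the relationship visible to whoever next touches this code. The 1290 and 1312 hunks are identical, which is expected since the function runs the same reduction block twice, but it is worth confirming there is no third copy that was missed. Also, the cover mail says the fix was verified with the test case added to mbedtls, yet that test is not part of this debdiff; recording in the patch header why it was left out (the jessie test system does not catch crashes) would save the next reviewer from looking for it.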
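The following is an added example, not part of the debdiff or of the mbed TLS sources, that models the limb accounting the patch header describes for 32- and 64-bit limbs, before and after the fix. The P_KOBLITZ_MAX and P_KOBLITZ_R definitions, the p_limbs and adjust derivation, the cap on M.n, and mpi_mul_mpi growing its output to i + j used limbs are assumptions taken from the mbed TLS 1.3 sources, not from this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of the limb accounting for one platform/curve/version. */
enum koblitz_outcome { KOBLITZ_OK, KOBLITZ_GROW_FREES_STACK, KOBLITZ_OVERRUN };

/* Models the limb bookkeeping of ecp_mod_koblitz for a Koblitz prime of
 * p_bits bits with limb_bytes-byte limbs.  Assumptions (from the mbed TLS
 * 1.3 sources, not from the debdiff): P_KOBLITZ_MAX is the limb count of a
 * 256-bit value, P_KOBLITZ_R that of the 64-bit constant R,
 * p_limbs = ceil(p_bits / limb_bits), adjust = 1 only when p_bits is not
 * a multiple of the limb width, M.n is capped at p_limbs + adjust before
 * "making room", and mpi_mul_mpi grows its output to i + j used limbs. */
static enum koblitz_outcome koblitz_fit(size_t limb_bytes, size_t p_bits, int fixed)
{
    size_t limb_bits = 8 * limb_bytes;
    size_t p_koblitz_max = 256 / limb_bits;
    size_t p_koblitz_r = 64 / limb_bits;
    size_t p_limbs = (p_bits + limb_bits - 1) / limb_bits;
    size_t adjust = (p_bits % limb_bits != 0) ? 1 : 0;

    /* Stack array Mp: one limb larger after the fix. */
    size_t mp_limbs = p_koblitz_max + p_koblitz_r + (fixed ? 1 : 0);
    /* Worst case: every limb of M is in use before the "make room" step. */
    size_t m_used = p_limbs + adjust;
    /* The old code subtracted adjust here; the fix does not. */
    size_t m_n = m_used + p_koblitz_r - (fixed ? 0 : adjust);
    /* mpi_mul_mpi(&M, &M, &R) wants i + j limbs in the output. */
    size_t product_limbs = m_used + p_koblitz_r;

    if (m_n > mp_limbs)
        return KOBLITZ_OVERRUN;          /* M claims limbs beyond Mp */
    if (m_n < product_limbs)
        return KOBLITZ_GROW_FREES_STACK; /* mpi_grow reallocs, freeing Mp */
    return KOBLITZ_OK;
}

int main(void)
{
    static const char *const names[] = { "ok", "frees-stack", "overrun" };
    const size_t curves[] = { 192, 224, 256 };
    for (size_t lb = 4; lb <= 8; lb += 4)
        for (size_t c = 0; c < 3; c++)
            printf("%zu-bit limbs, secp%zuk1: before=%s after=%s\n", 8 * lb, curves[c],
                   names[koblitz_fit(lb, curves[c], 0)],
                   names[koblitz_fit(lb, curves[c], 1)]);
    return 0;
}
```

Only the 64-bit secp224k1 row reports frees-stack before the fix, matching the header's statement that the bug affected 64-bit platforms only.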
--- End Message ---
--- Begin Message ---
- To: 843701-done@bugs.debian.org, 850440-done@bugs.debian.org, 858310-done@bugs.debian.org, 858846-done@bugs.debian.org, 861926-done@bugs.debian.org, 862167-done@bugs.debian.org, 862169-done@bugs.debian.org, 862173-done@bugs.debian.org, 862327-done@bugs.debian.org, 862353-done@bugs.debian.org, 862438-done@bugs.debian.org, 862456-done@bugs.debian.org, 862481-done@bugs.debian.org, 862498-done@bugs.debian.org, 862891-done@bugs.debian.org, 862960-done@bugs.debian.org, 862964-done@bugs.debian.org, 862976-done@bugs.debian.org, 862983-done@bugs.debian.org, 862986-done@bugs.debian.org, 862997-done@bugs.debian.org, 863049-done@bugs.debian.org, 863562-done@bugs.debian.org, 863682-done@bugs.debian.org, 863953-done@bugs.debian.org, 863970-done@bugs.debian.org, 864267-done@bugs.debian.org, 864745-done@bugs.debian.org, 864770-done@bugs.debian.org, 864910-done@bugs.debian.org, 864986-done@bugs.debian.org, 865102-done@bugs.debian.org, 865483-done@bugs.debian.org, 865763-done@bugs.debian.org, 866333-done@bugs.debian.org, 866517-done@bugs.debian.org, 866643-done@bugs.debian.org, 866967-done@bugs.debian.org, 867119-done@bugs.debian.org, 867328-done@bugs.debian.org, 867562-done@bugs.debian.org, 868106-done@bugs.debian.org, 868210-done@bugs.debian.org, 868211-done@bugs.debian.org, 868230-done@bugs.debian.org, 868241-done@bugs.debian.org, 868243-done@bugs.debian.org, 868567-done@bugs.debian.org
- Subject: Closing bugs for 8.9 fixes
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 22 Jul 2017 13:18:56 +0100
- Message-id: <1500725936.14212.4.camel@adam-barratt.org.uk>
Version: 8.9

Hi,

These bugs all relate to updates which were included in today's jessie point release.

Regards,

Adam
--- End Message ---