Bug#895766: stretch-pu: package tlslite-ng/0.6.0-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
I hereby propose an update for stable/stretch of tlslite-ng. It contains
a patch fixing CVE-2018-1000159 [1]. The security issue was marked as being
no-dsa [2]. Please see the attached debdiff for details.
Thanks,
Daniel Stender
[1] https://bugs.debian.org/895728
[2] https://security-tracker.debian.org/tracker/CVE-2018-1000159
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tlslite-ng-0.6.0/debian/changelog tlslite-ng-0.6.0/debian/changelog
--- tlslite-ng-0.6.0/debian/changelog 2016-11-16 16:32:34.000000000 +0100
+++ tlslite-ng-0.6.0/debian/changelog 2018-04-15 20:53:39.000000000 +0200
@@ -1,3 +1,10 @@
+tlslite-ng (0.6.0-1+deb9u1) stable; urgency=medium
+
+ * add verify-mac-even-if-the-padding-is-1-byte-long.patch,
+ providing fix for CVE-2018-1000159 (Closes: #895728).
+
+ -- Daniel Stender <stender@debian.org> Sun, 15 Apr 2018 20:53:39 +0200
+
tlslite-ng (0.6.0-1) unstable; urgency=medium
* New upstream release:
diff -Nru tlslite-ng-0.6.0/debian/patches/series tlslite-ng-0.6.0/debian/patches/series
--- tlslite-ng-0.6.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ tlslite-ng-0.6.0/debian/patches/series 2018-04-15 20:53:37.000000000 +0200
@@ -0,0 +1 @@
+verify-mac-even-if-the-padding-is-1-byte-long.patch
diff -Nru tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
--- tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch 1970-01-01 01:00:00.000000000 +0100
+++ tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch 2018-04-15 20:45:32.000000000 +0200
@@ -0,0 +1,67 @@
+From 3674815d1b0f7484454995e2737a352e0a6a93d8 Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Tue, 27 Mar 2018 15:26:18 +0200
+Subject: [PATCH] verify the mac even if the padding is 1 byte long
+
+off-by-one error on mac checking, if the padding is of
+minimal length (a single 0x00 byte), the mac is not
+checked and thus the return value is never falsified
+
+this fixes the issue
+---
+ tlslite/utils/constanttime.py | 2 +-
+ unit_tests/test_tlslite_utils_constanttime.py | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/tlslite/utils/constanttime.py b/tlslite/utils/constanttime.py
+index 60322c14..d4f5b1ce 100644
+--- a/tlslite/utils/constanttime.py
++++ b/tlslite/utils/constanttime.py
+@@ -170,7 +170,7 @@ def ct_check_cbc_mac_and_pad(data, mac, seqnumBytes, contentType, version):
+ data_mac.update(compatHMAC(data[:start_pos]))
+
+ # don't check past the array end (already checked to be >= zero)
+- end_pos = data_len - 1 - mac.digest_size
++ end_pos = data_len - mac.digest_size
+
+ # calculate all possible
+ for i in range(start_pos, end_pos): # constant for given overall length
+diff --git a/unit_tests/test_tlslite_utils_constanttime.py b/unit_tests/test_tlslite_utils_constanttime.py
+index 0edaf3f4..0a6446d0 100644
+--- a/unit_tests/test_tlslite_utils_constanttime.py
++++ b/unit_tests/test_tlslite_utils_constanttime.py
+@@ -16,6 +16,7 @@
+ from hypothesis import given, example
+ import hypothesis.strategies as st
+ from tlslite.utils.compat import compatHMAC
++from tlslite.utils.cryptomath import getRandomBytes
+ from tlslite.recordlayer import RecordLayer
+ import tlslite.utils.tlshashlib as hashlib
+ import hmac
+@@ -266,6 +267,26 @@ def test_with_invalid_hash(self):
+ self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
+ content_type, version))
+
++ @given(i=st.integers(1, 20))
++ def test_with_invalid_random_hash(self, i):
++ key = compatHMAC(getRandomBytes(20))
++ seqnum_bytes = bytearray(16)
++ content_type = 0x15
++ version = (3, 3)
++ application_data = getRandomBytes(63)
++ mac = hashlib.sha1
++
++ data = self.data_prepare(application_data, seqnum_bytes, content_type,
++ version, mac, key)
++ data[-i] ^= 0xff
++ padding = bytearray(b'\x00')
++ data += padding
++
++ h = hmac.new(key, digestmod=mac)
++ h.block_size = mac().block_size
++ self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
++ content_type, version))
++
+ def test_with_invalid_pad(self):
+ key = compatHMAC(bytearray(20))
+ seqnum_bytes = bytearray(16)
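Review bot: The regression test `test_with_invalid_random_hash` added to unit_tests/test_tlslite_utils_constanttime.py draws `key` and `application_data` from `getRandomBytes`, so the example Hypothesis shrinks and records on failure carries only `i`, and the failing input cannot be replayed. Drawing those values through Hypothesis keeps them in the example database: `@given(i=st.integers(1, 20), key=st.binary(min_size=20, max_size=20), application_data=st.binary(min_size=63, max_size=63))` with `key = compatHMAC(bytearray(key))` and `application_data = bytearray(application_data)` in the body, which also makes the new `getRandomBytes` import unnecessary. The range `1..20` is tied to SHA-1's 20-byte digest and `i == 1` is exactly the last MAC byte the old `end_pos` left unchecked, so a comment such as `# i walks every byte of the SHA-1 MAC; i == 1 is the byte the off-by-one skipped` would make the intent explicit. Separately, the patch file carries only the git header; a DEP-3 `Bug-Debian: https://bugs.debian.org/895728` line would tie it to the bug the changelog entry closes. The `ct_check_cbc_mac_and_pad` body changed in constanttime.py starts and ends outside the hunk.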