
Bug#895766: stretch-pu: package tlslite-ng/0.6.0-1+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

I hereby propose an update for stable/stretch of tlslite-ng. It contains
a patch fixing CVE-2018-1000159 [1]. The security issue was marked as being
no-dsa [2]. Please see the attached debdiff for details.

Thanks,
Daniel Stender

[1] https://bugs.debian.org/895728

[2] https://security-tracker.debian.org/tracker/CVE-2018-1000159

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru tlslite-ng-0.6.0/debian/changelog tlslite-ng-0.6.0/debian/changelog
--- tlslite-ng-0.6.0/debian/changelog	2016-11-16 16:32:34.000000000 +0100
+++ tlslite-ng-0.6.0/debian/changelog	2018-04-15 20:53:39.000000000 +0200
@@ -1,3 +1,10 @@
+tlslite-ng (0.6.0-1+deb9u1) stable; urgency=medium
+
+  * add verify-mac-even-if-the-padding-is-1-byte-long.patch,
+    providing fix for CVE-2018-1000159 (Closes: #895728).
+
+ -- Daniel Stender <stender@debian.org>  Sun, 15 Apr 2018 20:53:39 +0200
+
 tlslite-ng (0.6.0-1) unstable; urgency=medium
 
   * New upstream release:
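Review bot: the first line of the new entry sets the distribution to `stable`, while the request is tagged stretch and the version carries +deb9u1; writing `stretch` there would keep the entry tied to the intended suite regardless of which release is currently stable. The bullet could also say in a few words what the patch changes (the MAC check when the padding is one byte long), so the changelog is readable without opening the patch.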
diff -Nru tlslite-ng-0.6.0/debian/patches/series tlslite-ng-0.6.0/debian/patches/series
--- tlslite-ng-0.6.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ tlslite-ng-0.6.0/debian/patches/series	2018-04-15 20:53:37.000000000 +0200
@@ -0,0 +1 @@
+verify-mac-even-if-the-padding-is-1-byte-long.patch
diff -Nru tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
--- tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch	1970-01-01 01:00:00.000000000 +0100
+++ tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch	2018-04-15 20:45:32.000000000 +0200
@@ -0,0 +1,67 @@
+From 3674815d1b0f7484454995e2737a352e0a6a93d8 Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Tue, 27 Mar 2018 15:26:18 +0200
+Subject: [PATCH] verify the mac even if the padding is 1 byte long
+
+off-by-one error on mac checking, if the padding is of
+minimal length (a single 0x00 byte), the mac is not
+checked and thus the return value is never falsified
+
+this fixes the issue
+---
+ tlslite/utils/constanttime.py                 |  2 +-
+ unit_tests/test_tlslite_utils_constanttime.py | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/tlslite/utils/constanttime.py b/tlslite/utils/constanttime.py
+index 60322c14..d4f5b1ce 100644
+--- a/tlslite/utils/constanttime.py
++++ b/tlslite/utils/constanttime.py
+@@ -170,7 +170,7 @@ def ct_check_cbc_mac_and_pad(data, mac, seqnumBytes, contentType, version):
+     data_mac.update(compatHMAC(data[:start_pos]))
+ 
+     # don't check past the array end (already checked to be >= zero)
+-    end_pos = data_len - 1 - mac.digest_size
++    end_pos = data_len - mac.digest_size
+ 
+     # calculate all possible
+     for i in range(start_pos, end_pos): # constant for given overall length
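Review bot: the comment kept above `end_pos` ("don't check past the array end") does not explain why the bound is `data_len - mac.digest_size`, and nothing in the hunk records that `range(start_pos, end_pos)` excludes `end_pos` itself. Per the commit message, the old bound left the MAC unchecked when the padding was a single 0x00 byte; a one-line comment saying the bound is exclusive and must still admit the MAC position for minimal padding would make a later reintroduction of the `- 1` less likely.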
+diff --git a/unit_tests/test_tlslite_utils_constanttime.py b/unit_tests/test_tlslite_utils_constanttime.py
+index 0edaf3f4..0a6446d0 100644
+--- a/unit_tests/test_tlslite_utils_constanttime.py
++++ b/unit_tests/test_tlslite_utils_constanttime.py
+@@ -16,6 +16,7 @@
+ from hypothesis import given, example
+ import hypothesis.strategies as st
+ from tlslite.utils.compat import compatHMAC
++from tlslite.utils.cryptomath import getRandomBytes
+ from tlslite.recordlayer import RecordLayer
+ import tlslite.utils.tlshashlib as hashlib
+ import hmac
+@@ -266,6 +267,26 @@ def test_with_invalid_hash(self):
+         self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
+                                                   content_type, version))
+ 
++    @given(i=st.integers(1, 20))
++    def test_with_invalid_random_hash(self, i):
++        key = compatHMAC(getRandomBytes(20))
++        seqnum_bytes = bytearray(16)
++        content_type = 0x15
++        version = (3, 3)
++        application_data = getRandomBytes(63)
++        mac = hashlib.sha1
++
++        data = self.data_prepare(application_data, seqnum_bytes, content_type,
++                                 version, mac, key)
++        data[-i] ^= 0xff
++        padding = bytearray(b'\x00')
++        data += padding
++
++        h = hmac.new(key, digestmod=mac)
++        h.block_size = mac().block_size
++        self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
++                                                  content_type, version))
++
+     def test_with_invalid_pad(self):
+         key = compatHMAC(bytearray(20))
+         seqnum_bytes = bytearray(16)
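Review bot: in test_with_invalid_random_hash the key and application_data come from getRandomBytes rather than from hypothesis strategies, so only `i` is under hypothesis's control and a failing input cannot be shrunk or replayed by it. Drawing both values from `st.binary` or fixing them, and pinning the boundary values with `@example(i=1)` and `@example(i=20)` (`example` is already imported at the top of the file), would make a regression reproducible. The test also covers only sha1 with version (3, 3); the same single 0x00 padding case with another digest size would be worth a second test.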
