Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-phpseclib3@packages.debian.org, team@security.debian.org
Control: affects -1 + src:php-phpseclib3
Hi,

Please allow me to fix CVE-2023-49316 (#1057008) in the next point release.
I assume from the bug report wording that it isn’t worth a DSA (security
team X-Debbugs-Cced in case I misunderstood).

The changelog refers to a trivial change (gbp.conf and control) for the
build process, and the three-line upstream patch (+comments +test) to
fix the issue.

 * Track bookworm
 * Math/BinaryField: fix for excessively large degrees [CVE-2023-49316]
   (Closes: #1057008)

It passes its (updated) test suite, but I didn’t have time to test this
update thoroughly.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Thanks in advance for your consideration.

Regards,

taffit
diff -Nru php-phpseclib3-3.0.19/debian/changelog php-phpseclib3-3.0.19/debian/changelog
--- php-phpseclib3-3.0.19/debian/changelog 2023-03-06 08:00:12.000000000 +0100
+++ php-phpseclib3-3.0.19/debian/changelog 2023-11-28 08:33:28.000000000 +0100
@@ -1,3 +1,11 @@
+php-phpseclib3 (3.0.19-1+deb12u1) bookworm; urgency=medium
+
+ * Track bookworm
+ * Math/BinaryField: fix for excessively large degrees [CVE-2023-49316]
+ (Closes: #1057008)
+
+ -- David Prévot <taffit@debian.org> Tue, 28 Nov 2023 08:33:28 +0100
+
php-phpseclib3 (3.0.19-1) unstable; urgency=medium
[ Alexander Vlasov ]
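Review bot: the first entry, `* Track bookworm`, does not say what actually changed; since the control and gbp.conf hunks in this debdiff only switch `debian/latest` to `debian/bookworm`, consider wording it as `* Switch Vcs-Git and gbp.conf debian-branch to debian/bookworm` so the non-security part of this stable update is self-explanatory from the changelog alone. The version `3.0.19-1+deb12u1` and the `bookworm` target distribution follow the stable update conventions.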
diff -Nru php-phpseclib3-3.0.19/debian/control php-phpseclib3-3.0.19/debian/control
--- php-phpseclib3-3.0.19/debian/control 2023-03-06 08:00:12.000000000 +0100
+++ php-phpseclib3-3.0.19/debian/control 2023-11-28 08:32:24.000000000 +0100
@@ -13,7 +13,7 @@
pkg-php-tools (>= 1.41~)
Standards-Version: 4.6.2
Homepage: https://phpseclib.sourceforge.net/
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/bookworm
Vcs-Browser: https://salsa.debian.org/php-team/pear/phpseclib
Rules-Requires-Root: no
diff -Nru php-phpseclib3-3.0.19/debian/gbp.conf php-phpseclib3-3.0.19/debian/gbp.conf
--- php-phpseclib3-3.0.19/debian/gbp.conf 2023-03-06 07:51:57.000000000 +0100
+++ php-phpseclib3-3.0.19/debian/gbp.conf 2023-11-28 08:32:24.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bookworm
pristine-tar = True
filter = [ '.gitattributes' ]
upstream-vcs-tag = %(version%~%-)s
diff -Nru php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch
--- php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch 1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0007-Math-BinaryField-fix-for-excessively-large-degrees.patch 2023-11-28 08:32:28.000000000 +0100
@@ -0,0 +1,56 @@
+From: terrafrost <terrafrost@php.net>
+Date: Tue, 21 Nov 2023 19:10:46 -0600
+Subject: Math/BinaryField: fix for excessively large degrees
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
+Bug-Debian: https://bugs.debian.org/1057008
+---
+ phpseclib/Math/BinaryField.php | 9 +++++++++
+ tests/Unit/Crypt/EC/KeyTest.php | 16 ++++++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/phpseclib/Math/BinaryField.php b/phpseclib/Math/BinaryField.php
+index 3e21a67..5da8c93 100644
+--- a/phpseclib/Math/BinaryField.php
++++ b/phpseclib/Math/BinaryField.php
+@@ -48,6 +48,15 @@ class BinaryField extends FiniteField
+ public function __construct(...$indices)
+ {
+ $m = array_shift($indices);
++ if ($m > 571) {
++ /* sect571r1 and sect571k1 are the largest binary curves that https://www.secg.org/sec2-v2.pdf defines
++ altho theoretically there may be legit reasons to use binary finite fields with larger degrees
++ imposing a limit on the maximum size is both reasonable and precedented. in particular,
++ http://tools.ietf.org/html/rfc4253#section-6.1 (The Secure Shell (SSH) Transport Layer Protocol) says
++ "implementations SHOULD check that the packet length is reasonable in order for the implementation to
++ avoid denial of service and/or buffer overflow attacks" */
++ throw new \OutOfBoundsException('Degrees larger than 571 are not supported');
++ }
+ $val = str_repeat('0', $m) . '1';
+ foreach ($indices as $index) {
+ $val[$index] = '1';
+diff --git a/tests/Unit/Crypt/EC/KeyTest.php b/tests/Unit/Crypt/EC/KeyTest.php
+index f0069a3..f423845 100644
+--- a/tests/Unit/Crypt/EC/KeyTest.php
++++ b/tests/Unit/Crypt/EC/KeyTest.php
+@@ -690,4 +690,20 @@ cN6W+k8UvGf+Y/lDWNbFitQocabsDUvSN0edHH3UKP5QPTz4cOlyIPMrXQ==
+ $key = PublicKeyLoader::load($key);
+ $this->assertInstanceOf(PublicKey::class, $key);
+ }
++
++ public function testExcessivelyLargeBinaryField()
++ {
++ $this->expectException('\OutOfBoundsException');
++
++ $key = '-----BEGIN PUBLIC KEY-----
++MIIBDDCB0wYHKoZIzj0CATCBxwIBATAgBgcqhkjOPQECMBUCBH////8GCSqGSM49
++AQIDAgICAMEwTQQZABeFj+t6mJdRaeFx93tAh94JisipEd97AQQZAP37Sb/mw6if
++rK2qeh5bvHzBwuXYMUeIFAMVABA/rsdNaW5naHVhUXV3f8Wxke8wBDMEAfSBvF8P
+++Ep0rWzfb970v2F5YlNy2MDF4QAl45nykDcSzPPqnjoa0X+wsyAbavfOGwUCGQEA
++AAAAAAAAAAAAAADH80p3j0Q6zJIOukkCAQIDNAAEAE2mUTAwdPK952h3G8ZinK8B
++z9DYTLdGkQDqox3AtEs9nn6kE1O/vHE4bqMegjj4gbA=
++-----END PUBLIC KEY-----';
++ $key = EC::loadFormat('PKCS8', $key);
++ $this->assertInstanceOf(PublicKey::class, $key);
++ }
+ }
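Review bot: the new guard `if ($m > 571)` only bounds the degree taken by `array_shift($indices)`; the remaining entries of `$indices` are still written into `$val` by `$val[$index] = '1'` without being checked against `$m`, so an index larger than the degree is not rejected and would extend the string beyond the intended `$m + 1` characters. Consider adding a matching range check inside the loop, for example `if ($index < 0 || $index > $m) { throw new \OutOfBoundsException('Index exceeds field degree'); }`, so that the string built here is always of the expected size. Otherwise the backport looks consistent: the check happens before `str_repeat('0', $m)` is reached, the exception message matches the 571 limit, the DEP-3 header carries both `Origin` and `Bug-Debian`, and the added test exercises the exception path with `expectException('\OutOfBoundsException')` before the (then unreachable) `assertInstanceOf`.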
diff -Nru php-phpseclib3-3.0.19/debian/patches/series php-phpseclib3-3.0.19/debian/patches/series
--- php-phpseclib3-3.0.19/debian/patches/series 2023-03-06 08:00:12.000000000 +0100
+++ php-phpseclib3-3.0.19/debian/patches/series 2023-11-28 08:32:28.000000000 +0100
@@ -4,3 +4,4 @@
0004-Skip-test-failing-on-32-bit-architectures.patch
0005-Skip-test-failing-on-s390x-architecture.patch
0006-Drop-PHPUnit-10-Updates.patch
+0007-Math-BinaryField-fix-for-excessively-large-degrees.patch