
Bug#1065263: marked as done (bookworm-pu: package php-phpseclib/2.0.42-1+deb12u2)



Your message dated Sat, 29 Jun 2024 10:46:16 +0000
with message-id <E1sNVay-002bad-Pu@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1065263,
regarding bookworm-pu: package php-phpseclib/2.0.42-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1065263: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065263
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: php-phpseclib@packages.debian.org, team@security.debian.org
Control: affects -1 + src:php-phpseclib
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next
point release. We agreed with the security team that these issues are
not worth a DSA.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

TIA for considering.

Cheers,

taffit
diff -Nru php-phpseclib-2.0.42/debian/changelog php-phpseclib-2.0.42/debian/changelog
--- php-phpseclib-2.0.42/debian/changelog	2023-12-31 11:49:50.000000000 +0100
+++ php-phpseclib-2.0.42/debian/changelog	2024-02-26 23:23:19.000000000 +0100
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.42-1+deb12u2) bookworm; urgency=medium
+
+  * Backport upstream fixes
+    - BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+    - BigInteger: rm visibility modifiers from static variables
+    - ASN1: limit OID length [CVE-2024-27355]
+    - Tests: updates for phpseclib 2.0
+    - BigInteger: phpseclib 2.0 updates
+    - BigInteger: fix getLength()
+
+ -- David Prévot <taffit@debian.org>  Mon, 26 Feb 2024 23:23:19 +0100
+
 php-phpseclib (2.0.42-1+deb12u1) bookworm-security; urgency=medium
 
   * Track bookworm
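Review bot: the changelog entry does not say that three of the six listed commits ("phpseclib 2.0 updates", "fix getLength()" and the visibility-modifier change) are follow-ups to the getLength() helper introduced by the CVE-2024-27354 patch rather than independent fixes; a short note such as "and follow-up fixes to the new getLength() helper" would make it clear to the release team why two CVEs need six patches. The entry also does not mention that 0012 (the CVE-2024-27355 fix) is shipped via debian/source/include-binaries, which is worth stating since it is the only patch the debdiff cannot show.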
diff -Nru php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib-2.0.42/debian/patches/0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch	2024-02-26 23:23:19.000000000 +0100
@@ -0,0 +1,76 @@
+From: terrafrost <terrafrost@gmail.com>
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 81b69ac..fd9cd57 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+         return $result;
+     }
+ 
++    /**
++     * Return the size of a BigInteger in bits
++     *
++     * @return int
++     */
++    function getLength()
++    {
++        if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++            return strlen($this->toBits());
++        }
++
++        $max = count($this->value) - 1;
++        return $max != -1 ?
++            $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++            0;
++    }
++
++    /**
++     * Return the size of a BigInteger in bytes
++     *
++     * @return int
++     */
++    function getLengthInBytes()
++    {
++        return ceil($this->getLength() / 8);
++    }
++
+     /**
+      * Copy an object
+      *
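Review bot: `$a->value[$max]` in the new getLength() refers to an undefined variable `$a`; the internal-mode branch should read `$this->value[$max]`, otherwise the method emits a notice and the `log(null + 1, 2)` term contributes 0, under-counting the top limb. The same branch also uses the 1.0-branch constant names `MATH_BIGINTEGER_MODE_INTERNAL` and `MATH_BIGINTEGER_BASE`, which the 2.0 code base expresses as `self::MODE_INTERNAL` and `self::$base`, and `ceil()` returns a float while the docblock promises `@return int`. Since both guardrails below rely on this method, the patch as written only works once 0014 and 0015 later in the series are applied; either fold those corrections in here or state in the patch header that the follow-ups are required.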
+@@ -3237,6 +3264,11 @@ class BigInteger
+             $min = $temp;
+         }
+ 
++        $length = $max->getLength();
++        if ($length > 8196) {
++            user_error('Generation of random prime numbers larger than 8196 has been disabled');
++        }
++
+         static $one, $two;
+         if (!isset($one)) {
+             $one = new static(1);
+@@ -3344,7 +3376,14 @@ class BigInteger
+      */
+     function isPrime($t = false)
+     {
+-        $length = strlen($this->toBytes());
++        $length = $this->getLength();
++        // OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++        // produced by multiplying the primes p and q by one another. The largest number two 8196 bit primes can produce is
++        // a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++        // that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++        if ($length > 8196) {
++            user_error('Primality testing is not supported for numbers larger than 8196 bits');
++        }
+ 
+         if (!$t) {
+             // see HAC 4.49 "Note (controlling the error probability)"
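Review bot: same problem as in randomPrime(): after `user_error('Primality testing is not supported for numbers larger than 8196 bits');` there is no `return false;`, so the Miller-Rabin loop still runs on the oversized input and the denial-of-service this CVE is about is only logged, not prevented, unless an error handler converts notices into exceptions. The comment's arithmetic is also off: two 8196-bit primes multiply to a 16392-bit modulus, so the bound that matches "OpenSSL limits RSA keys to 16384 bits" is 8192. Consider using one shared constant for both guards so the number is stated once.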
diff -Nru php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib-2.0.42/debian/patches/0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch	2024-02-26 23:23:19.000000000 +0100
@@ -0,0 +1,48 @@
+From: terrafrost <terrafrost@gmail.com>
+Date: Fri, 23 Feb 2024 21:55:47 -0600
+Subject: BigInteger: rm visibility modifiers from static variables
+
+the non static variables don't have privacy modifiers so idk that
+the static ones ought to either. phpseclib 3.0 uses privacy
+modifiers but not the 2.0 branch
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/2124f399b430f67c3e51211a6e5db6dee8f2cec4
+---
+ phpseclib/Math/BigInteger.php | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index fd9cd57..be07d58 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -163,23 +163,23 @@ class BigInteger
+      *
+      * @see __construct()
+      */
+-    protected static $base;
+-    protected static $baseFull;
+-    protected static $maxDigit;
+-    protected static $msb;
++    static $base;
++    static $baseFull;
++    static $maxDigit;
++    static $msb;
+ 
+     /**
+      * $max10 in greatest $max10Len satisfying
+      * $max10 = 10**$max10Len <= 2**$base.
+      */
+-    protected static $max10;
++    static $max10;
+ 
+     /**
+      * $max10Len in greatest $max10Len satisfying
+      * $max10 = 10**$max10Len <= 2**$base.
+      */
+-    protected static $max10Len;
+-    protected static $maxDigit2;
++    static $max10Len;
++    static $maxDigit2;
+     /**#@-*/
+ 
+     /**
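Review bot: removing `protected` from these seven static properties makes them public (PHP's default visibility when no modifier is given), which widens the class's API surface in a stable update; the patch header gives only a style argument for it. The later getLength() rewrite accesses `self::$base` from inside the class, which works with `protected` as well, so this change is not needed for the CVE fix. Either drop it from the bookworm backport or document in the header why it must accompany the other patches.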
Binary files /tmp/8iiFsWVWe6/php-phpseclib-2.0.42/debian/patches/0012-ASN1-limit-OID-length.patch and /tmp/SZVh_IU5jt/php-phpseclib-2.0.42/debian/patches/0012-ASN1-limit-OID-length.patch differ
diff -Nru php-phpseclib-2.0.42/debian/patches/0013-Tests-updates-for-phpseclib-2.0.patch php-phpseclib-2.0.42/debian/patches/0013-Tests-updates-for-phpseclib-2.0.patch
--- php-phpseclib-2.0.42/debian/patches/0013-Tests-updates-for-phpseclib-2.0.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib-2.0.42/debian/patches/0013-Tests-updates-for-phpseclib-2.0.patch	2024-02-26 23:23:19.000000000 +0100
@@ -0,0 +1,22 @@
+From: terrafrost <terrafrost@gmail.com>
+Date: Sat, 24 Feb 2024 13:26:33 -0600
+Subject: Tests: updates for phpseclib 2.0
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/0777e700b966b68287081cdb83e89834b846f84a
+---
+ tests/Unit/File/ASN1Test.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/Unit/File/ASN1Test.php b/tests/Unit/File/ASN1Test.php
+index 486809a..0d255a1 100644
+--- a/tests/Unit/File/ASN1Test.php
++++ b/tests/Unit/File/ASN1Test.php
+@@ -453,7 +453,7 @@ class Unit_File_ASN1Test extends PhpseclibTestCase
+     {
+         $cert = file_get_contents(dirname(__FILE__) . '/ASN1/mal-cert-02.der');
+ 
+-        $asn1 = new File_ASN1();
++        $asn1 = new ASN1();
+         //$this->setExpectedException('PHPUnit_Framework_Error_Notice');
+         $decoded = $asn1->decodeBER($cert);
+         $this->assertFalse($decoded[0]);
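Review bot: `new ASN1()` only resolves if tests/Unit/File/ASN1Test.php imports the namespaced class (`use phpseclib\File\ASN1;`); the hunk shows no such line, so confirm the file already carries it, otherwise the test fails with an unknown global class `ASN1`. The fixture `ASN1/mal-cert-02.der` read by this test is also not visible anywhere in this debdiff; it is presumably inside the binary-only 0012 patch, which is worth confirming since the test is meaningless without it.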
diff -Nru php-phpseclib-2.0.42/debian/patches/0014-BigInteger-phpseclib-2.0-updates.patch php-phpseclib-2.0.42/debian/patches/0014-BigInteger-phpseclib-2.0-updates.patch
--- php-phpseclib-2.0.42/debian/patches/0014-BigInteger-phpseclib-2.0-updates.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib-2.0.42/debian/patches/0014-BigInteger-phpseclib-2.0-updates.patch	2024-02-26 23:23:19.000000000 +0100
@@ -0,0 +1,29 @@
+From: terrafrost <terrafrost@gmail.com>
+Date: Sat, 24 Feb 2024 13:29:02 -0600
+Subject: BigInteger: phpseclib 2.0 updates
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/2870c8fab3f132d2ed40a66c97a36fe5ab625698
+---
+ phpseclib/Math/BigInteger.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index be07d58..bb92c6e 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -736,13 +736,13 @@ class BigInteger
+      */
+     function getLength()
+     {
+-        if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++        if (MATH_BIGINTEGER_MODE != self::MODE_INTERNAL) {
+             return strlen($this->toBits());
+         }
+ 
+         $max = count($this->value) - 1;
+         return $max != -1 ?
+-            $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++            $max * self::$base + ceil(log($a->value[$max] + 1, 2)) :
+             0;
+     }
+ 
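Review bot: this hunk fixes the constant names but leaves `$a->value[$max]` in place, so after 0014 getLength() is still broken in internal mode and the series depends on 0015 to make the CVE-2024-27354 guards correct. Mirroring upstream commit by commit is fine, but since each intermediate state is what a bisect or a partial cherry-pick would see, the patch header should say that 0015 must be applied with it.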
diff -Nru php-phpseclib-2.0.42/debian/patches/0015-BigInteger-fix-getLength.patch php-phpseclib-2.0.42/debian/patches/0015-BigInteger-fix-getLength.patch
--- php-phpseclib-2.0.42/debian/patches/0015-BigInteger-fix-getLength.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib-2.0.42/debian/patches/0015-BigInteger-fix-getLength.patch	2024-02-26 23:23:19.000000000 +0100
@@ -0,0 +1,31 @@
+From: terrafrost <terrafrost@gmail.com>
+Date: Sat, 24 Feb 2024 14:15:49 -0600
+Subject: BigInteger: fix getLength()
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/c55b75199ec8d12cec6eadf6da99da4a3712fe56
+---
+ phpseclib/Math/BigInteger.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index bb92c6e..7747a95 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -742,7 +742,7 @@ class BigInteger
+ 
+         $max = count($this->value) - 1;
+         return $max != -1 ?
+-            $max * self::$base + ceil(log($a->value[$max] + 1, 2)) :
++            $max * self::$base + intval(ceil(log($this->value[$max] + 1, 2))) :
+             0;
+     }
+ 
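Review bot: `$this->value[$max]` and `intval(ceil(...))` resolve the undefined variable and the float return type; as a further hardening, counting the top limb's bits with `strlen(decbin($this->value[$max]))` would give the same result without depending on floating-point `log()` rounding at all, which matters for a length used as a security guard. Minor: the header says `Origin: backport` while the other patches say `Origin: upstream`; a one-line note on what was adapted from the upstream commit would help the next maintainer.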
+@@ -753,7 +753,7 @@ class BigInteger
+      */
+     function getLengthInBytes()
+     {
+-        return ceil($this->getLength() / 8);
++        return (int) ceil($this->getLength() / 8);
+     }
+ 
+     /**
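Review bot: the `(int)` cast brings getLengthInBytes() in line with its `@return int` docblock; note that it now returns 0 for a zero-valued BigInteger, which is consistent with getLength() returning 0 in that case and is what callers computing buffer sizes would expect. Nothing else to flag in this hunk.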
diff -Nru php-phpseclib-2.0.42/debian/patches/series php-phpseclib-2.0.42/debian/patches/series
--- php-phpseclib-2.0.42/debian/patches/series	2023-12-31 11:49:50.000000000 +0100
+++ php-phpseclib-2.0.42/debian/patches/series	2024-02-26 23:23:19.000000000 +0100
@@ -7,3 +7,9 @@
 0007-Skip-test-failing-on-s390x-architecture.patch
 0008-SSH2-add-support-for-RFC8308.patch
 0009-SSH2-implement-terrapin-attack-countermeasures.patch
+0010-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
+0011-BigInteger-rm-visibility-modifiers-from-static-varia.patch
+0012-ASN1-limit-OID-length.patch
+0013-Tests-updates-for-phpseclib-2.0.patch
+0014-BigInteger-phpseclib-2.0-updates.patch
+0015-BigInteger-fix-getLength.patch
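Review bot: the ordering is correct and must stay so: 0010 introduces getLength(), 0014 renames its constants and 0015 fixes `$a` to `$this`, so the CVE-2024-27354 guards are only sound once all three are applied in this sequence. Since 0014 and 0015 only touch lines added by 0010, squashing them into 0010 for the stable update would avoid shipping two intermediate broken states in the patch stack while still citing all three upstream commits in the header.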
diff -Nru php-phpseclib-2.0.42/debian/source/include-binaries php-phpseclib-2.0.42/debian/source/include-binaries
--- php-phpseclib-2.0.42/debian/source/include-binaries	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib-2.0.42/debian/source/include-binaries	2024-02-26 23:23:19.000000000 +0100
@@ -0,0 +1 @@
+debian/patches/0012-ASN1-limit-OID-length.patch
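Review bot: registering the patch in debian/source/include-binaries makes dpkg-source store it verbatim, which is why the debdiff reports it only as differing binary files; the result is that the CVE-2024-27355 change (the OID length limit) cannot be reviewed from this bug. Splitting the binary test fixture out of the patch, or keeping the code change as a text patch and shipping the .der fixture separately, would let the patch tracker and this debdiff show the fix. At minimum, quote the upstream commit URL for 0012 in the bug so reviewers can compare against it.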

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
