Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libcrypt-openssl-rsa-perl@packages.debian.org, carnil@debian.org
Control: affects -1 + src:libcrypt-openssl-rsa-perl
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libcrypt-openssl-rsa-perl.

libcrypt-openssl-rsa-perl is a key package, otherwise it would already have migrated.

0.35-1 fixes a security issue which was considered "minor" by the security team for bookworm/bullseye/buster, but both they and we would like to see the fix in trixie nevertheless:

https://bugs.debian.org/1066969
"CVE-2024-2467: vulnerable to the Marvin Attack"

https://security-tracker.debian.org/tracker/CVE-2024-2467
"A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode."

https://github.com/cpan-authors/Crypt-OpenSSL-RSA/pull/58
"Disable PKCS#1 v1.5 padding"

The package passes all tests and checks and the excuses page is happy. It also has been in unstable for 4 weeks without any reported issues. Neither have any new issues been reported upstream:
https://github.com/cpan-authors/Crypt-OpenSSL-RSA/issues

The complete debdiff looks a bit long, as there are unfortunately all kinds of documentation changes, upstream build and test tweaks, or changes for other operating systems involved. (Attached as libcrypt-openssl-rsa-perl_0.35-1.diff.gz.)
I went through all commits, and there are actually just two bug fixes which seem relevant, and both are 2-line code changes: Attached as 0001-*.patch

Cheers,
gregor

unblock libcrypt-openssl-rsa-perl/0.35-1
Attachments:
  libcrypt-openssl-rsa-perl_0.35-1.diff.gz (application/gzip)
  0001-Pass-NULL-to-EVP_PKEY_CTX_new_from_pkey-not-a-random.patch (application/mbox)
  0001-Disable-PKCS-1-v1.5-padding.patch (application/mbox)
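The padding mode the CVE above concerns, shown beside the OAEP mode a caller should be using, as an added example that is not part of gregor's mail or of the module's own code; the key pair, the message and the `decrypt_oaep_only` helper with its length check are constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example: the weak padding setting beside the corrected one in
# Crypt::OpenSSL::RSA. The key pair and the message are constructed here.
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

# Constructed throw-away key pair for the demonstration.
my $priv = Crypt::OpenSSL::RSA->generate_key(2048);
my $pub  = Crypt::OpenSSL::RSA->new_public_key($priv->get_public_key_string);

# Weak setting: RSAES-PKCS1-v1_5. Its unpadding step is what the
# Marvin attack measures, and it is the mode upstream's fix disables,
# so this is the selector to retire in calling code.
# $priv->use_pkcs1_padding;
# $pub->use_pkcs1_padding;

# Corrected setting: RSAES-OAEP, which has no such padding oracle.
$priv->use_pkcs1_oaep_padding;
$pub->use_pkcs1_oaep_padding;

# Round trip: the receiver only ever decrypts with OAEP configured.
my $msg = "constructed session key bytes";
my $ct  = $pub->encrypt($msg);
my $pt  = decrypt_oaep_only($priv, $ct);
print $pt eq $msg ? "OAEP round trip ok\n" : "mismatch\n";

# Decrypt helper (hypothetical, added here) that rejects anything other
# than a full modulus-length ciphertext before the private key is used.
# The length check is an assumption of this example, not something the
# module enforces on the caller's behalf.
sub decrypt_oaep_only {
    my ($key, $ciphertext) = @_;
    my $n = $key->size;    # modulus length in bytes
    die "ciphertext must be exactly $n bytes" unless length($ciphertext) == $n;
    return $key->decrypt($ciphertext);
}
```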