
Bug#1107322: marked as done (unblock: libcrypt-openssl-rsa-perl/0.35-1)



Your message dated Thu, 05 Jun 2025 16:05:19 +0000
with message-id <E1uND5j-007B97-1m@respighi.debian.org>
and subject line unblock libcrypt-openssl-rsa-perl
has caused the Debian Bug report #1107322,
regarding unblock: libcrypt-openssl-rsa-perl/0.35-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107322
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libcrypt-openssl-rsa-perl@packages.debian.org, carnil@debian.org
Control: affects -1 + src:libcrypt-openssl-rsa-perl
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package libcrypt-openssl-rsa-perl.

libcrypt-openssl-rsa-perl is a key package, otherwise it would 
already have migrated.

0.35-1 fixes a security issue which was considered "minor" by the 
security team for bookworm/bullseye/buster, but both they and we would 
like to see the fix in trixie nevertheless:

https://bugs.debian.org/1066969

"CVE-2024-2467: vulnerable to the Marvin Attack"


https://security-tracker.debian.org/tracker/CVE-2024-2467

"A timing-based side-channel flaw exists in the 
perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover 
plaintext across a network in a Bleichenbacher-style attack. To 
achieve successful decryption, an attacker would have to be able to 
send a large number of trial messages. The vulnerability affects the 
legacy PKCS#1v1.5 RSA encryption padding mode."


https://github.com/cpan-authors/Crypt-OpenSSL-RSA/pull/58

"Disable PKCS#1 v1.5 padding"


The package passes all tests and checks and the excuses page is 
happy. It also has been in unstable for 4 weeks without any reported 
issues. Neither have any new issues been reported upstream:
https://github.com/cpan-authors/Crypt-OpenSSL-RSA/issues


The complete debdiff looks a bit long, as there are unfortunately all 
kinds of documentation changes, upstream build and test tweaks, or 
changes for other operating systems involved. (Attached as 
libcrypt-openssl-rsa-perl_0.35-1.diff.gz.)

I went through all commits, and there are actually just two bug fixes 
which seem relevant and both are 2-line code changes: Attached as 
0001-*.patch


Cheers,
gregor



unblock libcrypt-openssl-rsa-perl/0.35-1


-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE0eExbpOnYKgQTYX6uzpoAYZJqgYFAmhBrxVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEQx
RTEzMTZFOTNBNzYwQTgxMDREODVGQUJCM0E2ODAxODY0OUFBMDYACgkQuzpoAYZJ
qgZ/2RAApYQZE/vR+13Q46Busbcc+o2/Rmgw15GIUuKSzo4OyoX+1sqbpZTiJ3Ov
p4bF7O2uKYR12YQXZgegJa5ZrbfbK/T/vB8WnZe0dpZTf+C2UXSgXhW7r1o5blfQ
/0TI4OnEbLD1tio5wwSe0JaeS8Tut3hxRa0D+8M4NQx+p4aO49djrntj2rvYCCN7
vN6y15euRYvY/YwUsNR0BQATn3CNiCTBkcXvUnTts+uYibm8BwOehs2R/AY5ueZ8
7uya7VB/pvkgqPA056dPjO1Zk0wWCW/RnHUe1XiiMO59S/L1Ny7UFc5Cne3PttEQ
59iFMpi/FoyNwuWG78hpcyigw5OhKb+cnYtyRYQv5Am82lwKtvKH5LLw09yc7qyv
gEnX0GTVfL/FwgfETam/BJ0M+Ip9455NZXpFz9I8RvAwvijttJWNGrovlJ5TLrxR
zWzrwvf1XzI8uGPsMGVUTbsbMPmVQY714GBCuapvlxyYKG695HJmtuxfNlkRALrf
A3AsJx8OpKFGZUGbDlo/FvkQdNKApVHWzL8jxYR/w03p8O1xqh3RpJegCEifnM6y
Tc6tliqeFH3eQQMrqplihupXSN70+taod3xW+aHHfL3u43eH3CNRz0xXvZpk+qpH
PNU2PmkuclPEGEm9dUb2zSB2uNfVQ+NcjwTgWXEK5mx/XsU2U7c=
=JKy/
-----END PGP SIGNATURE-----

Attachment: libcrypt-openssl-rsa-perl_0.35-1.diff.gz
Description: application/gzip

Attachment: 0001-Pass-NULL-to-EVP_PKEY_CTX_new_from_pkey-not-a-random.patch
Description: application/mbox

Attachment: 0001-Disable-PKCS-1-v1.5-padding.patch
Description: application/mbox


--- End Message ---
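As an added example (not code from the bug report, the debdiff, or the Crypt::OpenSSL::RSA project), the following Perl script shows the migration path that CVE-2024-2467 implies for callers of this module: it round-trips a message under RSAES-OAEP, which the Marvin attack does not affect, checks that a tampered OAEP ciphertext is rejected with an exception rather than decrypted to garbage, and then probes whether the installed build still lets code select and use the PKCS#1 v1.5 mode that the upstream patch disables. The key pair and message are constructed on the fly. The mail only says the mode is disabled; where the refusal surfaces (use_pkcs1_padding(), encrypt() or decrypt()) is not stated, so the probe treats that as an assumption and wraps the whole legacy path in one eval.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

# Constructed throwaway key pair for the demonstration; never reuse test keys.
my $priv = Crypt::OpenSSL::RSA->generate_key(2048);
my $pub  = Crypt::OpenSSL::RSA->new_public_key( $priv->get_public_key_string() );

# RSAES-OAEP is not affected by CVE-2024-2467. It is the module's default
# padding, but select it explicitly on both objects so the intent survives
# any future change of defaults.
$_->use_pkcs1_oaep_padding() for ( $pub, $priv );

my $msg = "session key: 0123456789abcdef";    # constructed sample plaintext
my $ct  = $pub->encrypt($msg);

# Sanity checks a caller should keep: ciphertext is exactly one modulus wide,
# and decryption gives back the original bytes.
die "ciphertext length != modulus size\n" unless length($ct) == $priv->size();
die "OAEP round trip failed\n"            unless $priv->decrypt($ct) eq $msg;
print "OAEP round trip ok\n";

# Flip one bit of the ciphertext: OAEP decryption must fail with an exception.
my $tampered = $ct;
substr( $tampered, -1 ) = substr( $tampered, -1 ) ^ "\x01";
my $pt = eval { $priv->decrypt($tampered) };
die "tampered OAEP ciphertext was accepted\n" if defined $pt;
print "tampered OAEP ciphertext rejected\n";

# Probe the legacy PKCS#1 v1.5 path on fresh objects so $priv/$pub stay OAEP.
# Assumption: 0.35 may refuse at the padding selector, at encrypt() or at
# decrypt(); the mail does not say which, so only the overall outcome is used.
my $legacy_ok = eval {
    my $p = Crypt::OpenSSL::RSA->new_public_key( $priv->get_public_key_string() );
    my $k = Crypt::OpenSSL::RSA->new_private_key( $priv->get_private_key_string() );
    $_->use_pkcs1_padding() for ( $p, $k );
    $k->decrypt( $p->encrypt($msg) ) eq $msg;
};

if ($legacy_ok) {
    print "PKCS#1 v1.5 padding still usable: audit callers of use_pkcs1_padding()\n";
    exit 1;    # non-zero so a CI job flags builds that still expose the Marvin-prone mode
}
print "PKCS#1 v1.5 padding refused by this build\n";
exit 0;
```

Run it against the libcrypt-openssl-rsa-perl version you ship; the exit status distinguishes a build that still exposes the timing-leaking mode from one that carries the 0.35 change. The OAEP checks do not depend on the fix and work on any version of the module.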
--- Begin Message ---
Unblocked libcrypt-openssl-rsa-perl.

--- End Message ---
