botan1.10: CVE-2017-2801: Incorrect comparison in X.509 DN strings

Related Vulnerabilities: CVE-2017-2801  

Debian Bug report logs - #860072

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 11 Apr 2017 05:24:02 UTC

Severity: serious

Tags: patch, security, upstream

Found in version botan1.10/1.10.8-2

Fixed in versions botan1.10/1.10.16-1, 1.10.17-0.1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#860072; Package src:botan1.10. (Tue, 11 Apr 2017 05:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ondřej Surý <ondrej@debian.org>. (Tue, 11 Apr 2017 05:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: botan1.10: CVE-2017-2801: Incorrect comparison in X.509 DN strings
Date: Tue, 11 Apr 2017 07:21:14 +0200

Source: botan1.10
Version: 1.10.8-2
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for botan1.10.

CVE-2017-2801[0]:
Incorrect comparison in X.509 DN strings

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2801
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2801
[1] https://github.com/randombit/botan/commit/c927101675e5f63fc0bdd93c5a4825adc54323b4

Regards,
Salvatore


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)



Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#860072; Package src:botan1.10. (Sun, 28 May 2017 11:27:11 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Sun, 28 May 2017 11:27:12 GMT)


Message #10 received at 860072@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 860072@bugs.debian.org
Subject: Re: botan1.10: CVE-2017-2801: Incorrect comparison in X.509 DN strings
Date: Sun, 28 May 2017 13:23:16 +0200

On Tue, Apr 11, 2017 at 07:21:14AM +0200, Salvatore Bonaccorso wrote:
> Source: botan1.10
> Version: 1.10.8-2
> Severity: important
> Tags: patch security upstream
> 
> Hi,
> 
> the following vulnerability was published for botan1.10.
> 
> CVE-2017-2801[0]:
> Incorrect comparison in X.509 DN strings

What's the status? It would be great if this could be fixed before the
stretch release.

Cheers,
        Moritz



Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 May 2017 11:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#860072; Package src:botan1.10. (Sun, 28 May 2017 12:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Sun, 28 May 2017 12:30:05 GMT)


Message #17 received at 860072@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 860072@bugs.debian.org
Cc: Ondřej Surý <ondrej@sury.org>
Subject: botan1.10: diff for NMU version 1.10.15-1.1
Date: Sun, 28 May 2017 14:27:46 +0200

Control: tags 860072 + pending

Dear maintainer, hi Ondrej

I've prepared an NMU for botan1.10 (versioned as 1.10.15-1.1) and
uploaded it to DELAYED/3. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[botan1.10-1.10.15-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 860072-submit@bugs.debian.org. (Sun, 28 May 2017 12:30:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#860072; Package src:botan1.10. (Mon, 29 May 2017 12:00:03 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Mon, 29 May 2017 12:00:03 GMT)


Message #24 received at 860072@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 860072@bugs.debian.org
Subject: Re: Bug#860072: botan1.10: diff for NMU version 1.10.15-1.1
Date: Mon, 29 May 2017 13:56:53 +0200

Darn,

time passes so quickly...

I have uploaded 1.10.16 to unstable and will file an unblock bug, given
that the upstream changes from 1.10.15 to 1.10.16 consist just of this
bugfix:

$ git diff upstream/1.10.15..upstream/1.10.16 
diff --git a/botan_version.py b/botan_version.py
index 9002199..28f4823 100644
--- a/botan_version.py
+++ b/botan_version.py
@@ -1,11 +1,11 @@
 
 release_major = 1
 release_minor = 10
-release_patch = 15
+release_patch = 16
 
 release_so_abi_rev = 1
 
 # These are set by the distribution script
-release_vc_rev = 'git:f79e642ab8c09971968abdfe6990df6801711e1f'
-release_datestamp = 20170112
+release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e'
+release_datestamp = 20170404
 release_type = 'released'
diff --git a/doc/log.txt b/doc/log.txt
index 9ceaa7d..60b76d0 100644
--- a/doc/log.txt
+++ b/doc/log.txt
@@ -7,6 +7,16 @@ Release Notes
 Series 1.10
 ----------------------------------------
 
+Version 1.10.16, 2017-04-04
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Fix a bug in X509 DN string comparisons that could result in out of
bound
+  reads. This could result in information leakage, denial of service,
or
+  potentially incorrect certificate validation results. (CVE-2017-2801)
+
+* Avoid throwing during a destructor since this is undefined in C++11
+  and rarely a good idea. (GH #930)
+
 Version 1.10.15, 2017-01-12
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/src/alloc/alloc_mmap/mmap_mem.cpp
b/src/alloc/alloc_mmap/mmap_mem.cpp
index 17c189e..85edbc4 100644
--- a/src/alloc/alloc_mmap/mmap_mem.cpp
+++ b/src/alloc/alloc_mmap/mmap_mem.cpp
@@ -73,8 +73,7 @@ void* MemoryMapping_Allocator::alloc_block(size_t n)
             * will continue to exist until the mmap is unmapped from
             * our address space upon deallocation (or process exit).
             */
-            if(fd != -1 && ::close(fd) == -1)
-               throw MemoryMapping_Failed("Could not close file");
+            fd != -1 && ::close(fd);
             }
       private:
          int fd;
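Review bot: The replacement line `fd != -1 && ::close(fd);` uses a short-circuit expression only for its side effect and silently discards the return value of `::close`, which reads like a leftover condition and can draw unused-value warnings from the compiler. An explicit `if(fd != -1) ::close(fd);` says the same thing more clearly, and a one-line comment that the close error is deliberately ignored (the doc/log.txt entry in this diff gives the reason: no throwing during a destructor) would stop a later cleanup from reintroducing the throw.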
diff --git a/src/utils/parsing.cpp b/src/utils/parsing.cpp
index 9ec0004..fc7e963 100644
--- a/src/utils/parsing.cpp
+++ b/src/utils/parsing.cpp
@@ -230,6 +230,8 @@ bool x500_name_cmp(const std::string& name1, const
std::string& name2)
 
          if(p1 == name1.end() && p2 == name2.end())
             return true;
+         if(p1 == name1.end() || p2 == name2.end())
+            return false;
          }
 
       if(!Charset::caseless_cmp(*p1, *p2))
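Review bot: The new guard `if(p1 == name1.end() || p2 == name2.end()) return false;` arrives with no regression test anywhere in this diff, and it is the only thing standing between an exhausted iterator and the `Charset::caseless_cmp(*p1, *p2)` dereference on the next visible line. Before the change only the both-at-end case returned early, so a pair in which exactly one name had reached its end fell through to that dereference; a test calling x500_name_cmp on such a pair and expecting `false`, plus a short comment above the guard naming CVE-2017-2801, would keep the check from being dropped in a later refactor.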

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
baking bread of all kinds

On Sun, May 28, 2017, at 14:27, Salvatore Bonaccorso wrote:
> Control: tags 860072 + pending
> 
> Dear maintainer, hi Ondrej
> 
> I've prepared an NMU for botan1.10 (versioned as 1.10.15-1.1) and
> uploaded it to DELAYED/3. Please feel free to tell me if I
> should delay it longer.
> 
> Regards,
> Salvatore
> Email had 1 attachment:
> + botan1.10-1.10.15-1.1-nmu.diff
>   2k (text/x-diff)



Information forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#860072; Package src:botan1.10. (Mon, 29 May 2017 12:03:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ondřej Surý <ondrej@debian.org>. (Mon, 29 May 2017 12:03:06 GMT)


Message #29 received at 860072@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ondřej Surý <ondrej@sury.org>
Cc: 860072@bugs.debian.org
Subject: Re: Bug#860072: botan1.10: diff for NMU version 1.10.15-1.1
Date: Mon, 29 May 2017 14:01:33 +0200

Hi!

On Mon, May 29, 2017 at 01:56:53PM +0200, Ondřej Surý wrote:
> Darn,
> 
> time passes so quickly...
> 
> I have uploaded 1.10.16 to unstable and will file an unblock bug, given
> that the upstream changes from 1.10.15 to 1.10.16 consist just of this
> bugfix:

Ack, thank you!

Salvatore



Marked as fixed in versions botan1.10/1.10.16-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Tue, 30 May 2017 09:42:06 GMT)


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Thu, 07 Feb 2019 03:21:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 07 Feb 2019 03:21:19 GMT)


Message #36 received at 860072-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 743967-done@bugs.debian.org,760418-done@bugs.debian.org,799612-done@bugs.debian.org,818231-done@bugs.debian.org,826079-done@bugs.debian.org,834549-done@bugs.debian.org,846114-done@bugs.debian.org,860072-done@bugs.debian.org,888089-done@bugs.debian.org,
Cc: botan1.10@packages.debian.org
Subject: Bug#889675: Removed package(s) from unstable
Date: Thu, 07 Feb 2019 03:17:43 +0000
Version: 1.10.17-0.1+rm

Dear submitter,

as the package botan1.10 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/889675

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Mar 2019 07:34:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:56:34 2019; Machine Name: beach
