parcimonie: CVE-2014-1921: possible correlation between key fetches


Debian Bug report logs - #738134


Reported by: Holger Levsen <holger@layer-acht.org>

Date: Fri, 7 Feb 2014 23:27:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions parcimonie/0.8-1, parcimonie/0.7.1-1

Fixed in versions parcimonie/0.8.1-1, parcimonie/0.7.1-1+deb7u1

Done: intrigeri <intrigeri@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, intrigeri <intrigeri@debian.org>:
Bug#738134; Package parcimonie. (Fri, 07 Feb 2014 23:27:06 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
New Bug report received and forwarded. Copy sent to intrigeri <intrigeri@debian.org>. (Fri, 07 Feb 2014 23:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: submit@bugs.debian.org
Subject: doesn't sleep a random amount of time
Date: Sat, 8 Feb 2014 00:22:22 +0100
package: parcimonie 

Hi intri,

I've been running parcimonie --verbose and in each loop it's telling me:

Using 104.425551854823 seconds as average sleep time.
[...]
Will now sleep 600 seconds.

I haven't actually measured the times myself, but it seems it's always
sleeping exactly 10 min?!? That probably matches the design, but not the user
expectations... :-)

I also think this bug should be severity "important" as it breaks one of the
two main features of parcimonie (random sleep & change of Tor circuit between
each key update). But then I don't know how many users are affected by this
bug; I do have *lots* of keys in my keyring.


cheers,
	Holger

Changed Bug title to 'doesn't sleep a random amount of time when one has a lot of keys' from 'doesn't sleep a random amount of time'. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sat, 08 Feb 2014 08:30:04 GMT)


Added tag(s) upstream. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sat, 08 Feb 2014 16:39:08 GMT)


Added tag(s) fixed-upstream. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sat, 08 Feb 2014 16:39:09 GMT)


Added tag(s) security. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sat, 08 Feb 2014 16:39:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#738134; Package parcimonie. (Sat, 08 Feb 2014 16:45:04 GMT)


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. (Sat, 08 Feb 2014 16:45:04 GMT)


Message #18 received at 738134@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: Holger Levsen <holger@layer-acht.org>
Cc: 738134@bugs.debian.org
Subject: Re: Bug#738134: doesn't sleep a random amount of time
Date: Sat, 08 Feb 2014 17:41:38 +0100
Control: severity -1 important

Hi,

Holger Levsen wrote (07 Feb 2014 23:22:22 GMT):
> I've been running parcimonie --verbose and in each loop it's telling me:

> Using 104.425551854823 seconds as average sleep time.
> [...]
> Will now sleep 600 seconds.

> I haven't actually measured the times myself, but it seems it's always
> sleeping exactly 10 min?!? That probably matches the design, but not the user
> expectations... :-)

Right. I've prepared a fix upstream, and sent you a backport thereof
applied on top of the Wheezy package for you to test. If this works
for you, then I'll do an upstream release, upload to sid and follow
the security update process to fix this in Wheezy too.

> I also think this bug should be severity "important" as it breaks one of the
> two main features of parcimonie (random sleep & change of Tor circuit between
> each key update).

Agreed, setting severity to "important".

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



Severity set to 'important' from 'normal'. Request was from intrigeri <intrigeri@debian.org> to 738134-submit@bugs.debian.org. (Sat, 08 Feb 2014 16:45:04 GMT)


Marked as found in versions parcimonie/0.7.1-1. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sat, 08 Feb 2014 16:45:08 GMT)


Marked as found in versions parcimonie/0.8-1. Request was from intrigeri <intrigeri@debian.org> to control@bugs.debian.org. (Sat, 08 Feb 2014 16:45:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, intrigeri <intrigeri@debian.org>:
Bug#738134; Package parcimonie. (Sat, 08 Feb 2014 17:15:13 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to intrigeri <intrigeri@debian.org>. (Sat, 08 Feb 2014 17:15:13 GMT)


Message #29 received at 738134@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 738134@bugs.debian.org
Subject: Re: Bug#738134: doesn't sleep a random amount of time
Date: Sat, 8 Feb 2014 18:13:56 +0100
control: tags -1 + pending security

Hi,

On Saturday, 8 February 2014, intrigeri wrote:
> Right. I've prepared a fix upstream, and sent you a backport thereof
> applied on top of the Wheezy package for you to test. If this works
> for you, then I'll do an upstream release, upload to sid and follow
> the security update process to fix this in Wheezy too.

Yup, works for me; at least the first two fetches used different sleeping
times.

Minor issue: why output the average sleep time at all, when the fallback time 
will always be used?

Thanks for the fast bugfix!


cheers,
	Holger

Added tag(s) pending. Request was from Holger Levsen <holger@layer-acht.org> to 738134-submit@bugs.debian.org. (Sat, 08 Feb 2014 17:15:13 GMT)


Reply sent to intrigeri <intrigeri@debian.org>:
You have taken responsibility. (Sun, 09 Feb 2014 19:51:35 GMT)


Notification sent to Holger Levsen <holger@layer-acht.org>:
Bug acknowledged by developer. (Sun, 09 Feb 2014 19:51:35 GMT)


Message #36 received at 738134-close@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: 738134-close@bugs.debian.org
Subject: Bug#738134: fixed in parcimonie 0.8.1-1
Date: Sun, 09 Feb 2014 19:48:41 +0000
Source: parcimonie
Source-Version: 0.8.1-1

We believe that the bug you reported is fixed in the latest version of
parcimonie, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 738134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
intrigeri <intrigeri@debian.org> (supplier of updated parcimonie package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 09 Feb 2014 19:48:30 +0100
Source: parcimonie
Binary: parcimonie
Architecture: source all
Version: 0.8.1-1
Distribution: unstable
Urgency: medium
Maintainer: intrigeri <intrigeri@debian.org>
Changed-By: intrigeri <intrigeri@debian.org>
Description: 
 parcimonie - privacy-friendly helper to refresh a GnuPG keyring
Closes: 738004 738134
Changes: 
 parcimonie (0.8.1-1) unstable; urgency=medium
 .
   * New upstream release. Most notable changes:
     - Sleep a random amount of time if the computed random sleep time
       is too short (Closes: #738134). Many thanks to Holger Levsen
       <holger@layer-acht.org> for reporting this bug and a few others.
     - Clarify lapse time with large number of keys (Closes: #738004).
     - Various code, documentation and dependencies cleanups.
     - Migrate away from Path::Class to the lighter Path::Tiny.
   * Include gpg and OpenPGP in the package description, to ease finding
     the package with common search terms.
   * Update dependencies wrt. new upstream release:
     - Drop dependencies on libfile-sharedir-perl, libfile-spec-perl
       and libpath-class-perl.
     - Add dependency on libpath-tiny-perl.
   * Clean up build and runtime dependencies:
     - Don't version dependencies that are satisfied in Squeeze.
     - Drop build-dependency on libmodule-build-perl: it's shipped
       by perl itself.
     - Drop dependency on perl: it's taken care of by ${perl:Depends}.
     - Don't version dependencies when no older version was ever uploaded
       to Debian.
     - Simplify versioned build-dependency on debhelper: ">= 9" is enough.
Checksums-Sha1: 
 2695c209b02b3346454dde7e084b74c36a6cb1df 2382 parcimonie_0.8.1-1.dsc
 33c5b8c13055a2d1736cdd61c28f3b87966548bb 69342 parcimonie_0.8.1.orig.tar.gz
 966bdc06165b0efee094e5feda34e5a2e618a931 5248 parcimonie_0.8.1-1.debian.tar.xz
 e611ff22eaf1566fa6b51826623248bcb5dbc951 52702 parcimonie_0.8.1-1_all.deb
Checksums-Sha256: 
 49236175ef7148dd9385348c4671bb88fc17a7f21035d04c969d87ea31b527f6 2382 parcimonie_0.8.1-1.dsc
 8daea01a9aaf9456ab879c594d41d0e57ab8a0d8322460e2e4fe7630c9edb84a 69342 parcimonie_0.8.1.orig.tar.gz
 ec8a9ca00a075afec1c59b162faba58830f82ecce8a37ed102f43feda3326325 5248 parcimonie_0.8.1-1.debian.tar.xz
 e434f2bdf7e71f8f12f7300c12fff25b37c09f442d05c1c88865cce700483e1c 52702 parcimonie_0.8.1-1_all.deb
Files: 
 4cd42dd6d45fdbe2ec186859ace5f309 2382 perl optional parcimonie_0.8.1-1.dsc
 990609e7e6c5e95769fe47a22d7c9dd1 69342 perl optional parcimonie_0.8.1.orig.tar.gz
 f867cb32c1290b33cf9e4455a23d20af 5248 perl optional parcimonie_0.8.1-1.debian.tar.xz
 6888301842d84059201538887ea06226 52702 perl optional parcimonie_0.8.1-1_all.deb

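The changelog entry above describes the fix in one line: sleep a random amount of time if the computed random sleep time is too short. The following Python model, added here and not parcimonie's own (Perl) code, shows why the old behaviour mattered. The scheduling model is an assumption (an average delay spread evenly over the keys, a uniform draw around that average, a 300 s minimum below which a delay counts as "too short", and the range the fixed version re-draws from); only the 104.4 s average and the 600 s fallback are taken from Holger's report. With a large keyring the candidate delay is always below the minimum, so the pre-fix code returned the constant fallback on every loop and the key fetches landed on a fixed 10 min cadence, which is the correlation the CVE title refers to; the post-fix version keeps the inter-fetch delays random.

```python
"""Model of the parcimonie sleep-time bug (CVE-2014-1921) and its fix.

Constructed illustration, not parcimonie's code. Only two numbers come from
the bug report: the reported average sleep time with a large keyring and the
fixed 600 s fallback. Everything else is an assumed model.
"""
import random
import statistics
from typing import Callable, List

AVG_SLEEP_FROM_REPORT = 104.425551854823  # "Using ... seconds as average sleep time"
FALLBACK_SLEEP = 600.0                    # "Will now sleep 600 seconds"
MIN_SLEEP = 300.0                         # assumed: shorter delays are "too short"


def average_sleep_time(refresh_period_s: float, key_count: int) -> float:
    """Assumed model: the time to refresh the whole keyring is spread evenly
    over the keys, so more keys mean a shorter average delay per fetch."""
    if key_count <= 0:
        raise ValueError("key_count must be positive")
    return refresh_period_s / key_count


def draw_candidate(avg: float, rng: random.Random) -> float:
    """Assumed model: uniform draw on [0, 2*avg], whose mean is avg."""
    return rng.uniform(0.0, 2.0 * avg)


def sleep_time_buggy(avg: float, rng: random.Random) -> float:
    """Pre-0.8.1 behaviour as described in the thread: a candidate below the
    minimum is replaced by a constant, so with a large keyring every fetch is
    exactly FALLBACK_SLEEP apart and the fetches become linkable."""
    candidate = draw_candidate(avg, rng)
    if candidate < MIN_SLEEP:
        return FALLBACK_SLEEP
    return candidate


def sleep_time_fixed(avg: float, rng: random.Random) -> float:
    """Post-fix behaviour ("sleep a random amount of time if the computed random
    sleep time is too short"): a too-short candidate is replaced by a fresh
    random delay, here drawn from [MIN_SLEEP, 2*MIN_SLEEP] (assumed range)."""
    candidate = draw_candidate(avg, rng)
    if candidate < MIN_SLEEP:
        return rng.uniform(MIN_SLEEP, 2.0 * MIN_SLEEP)
    return candidate


def simulate(sleep_fn: Callable[[float, random.Random], float],
             avg: float, fetches: int, seed: int = 1) -> List[float]:
    """Delays between consecutive key fetches for one scheduler."""
    rng = random.Random(seed)
    return [sleep_fn(avg, rng) for _ in range(fetches)]


def cadence_spread(delays: List[float]) -> float:
    """Population standard deviation of the inter-fetch delays. Zero means a
    perfectly regular cadence, the tell-tale of the bug; a user can compute the
    same figure from the delays printed by --verbose to confirm the fix."""
    return statistics.pstdev(delays)


if __name__ == "__main__":
    for name, fn in (("buggy", sleep_time_buggy), ("fixed", sleep_time_fixed)):
        delays = simulate(fn, AVG_SLEEP_FROM_REPORT, 20)
        print(f"{name}: first delays {[round(d) for d in delays[:5]]}, "
              f"spread {cadence_spread(delays):.1f} s")
```

Running the block prints the first few delays and the spread for both schedulers. Because 2 * 104.4 s is still below the assumed 300 s minimum, the buggy scheduler never uses its random draw at all, which also answers Holger's question about why the average is printed when the fallback is always taken.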




Changed Bug title to 'parcimonie: CVE-2014-1921: possible correlation between key fetches' from 'doesn't sleep a random amount of time when one has a lot of keys'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Feb 2014 19:00:05 GMT)


Reply sent to intrigeri <intrigeri@debian.org>:
You have taken responsibility. (Mon, 17 Feb 2014 22:06:13 GMT)


Notification sent to Holger Levsen <holger@layer-acht.org>:
Bug acknowledged by developer. (Mon, 17 Feb 2014 22:06:13 GMT)


Message #43 received at 738134-close@bugs.debian.org:

From: intrigeri <intrigeri@debian.org>
To: 738134-close@bugs.debian.org
Subject: Bug#738134: fixed in parcimonie 0.7.1-1+deb7u1
Date: Mon, 17 Feb 2014 22:02:04 +0000
Source: parcimonie
Source-Version: 0.7.1-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
parcimonie, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 738134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
intrigeri <intrigeri@debian.org> (supplier of updated parcimonie package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 11 Feb 2014 01:04:20 CET
Source: parcimonie
Binary: parcimonie
Architecture: source all
Version: 0.7.1-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: intrigeri <intrigeri@debian.org>
Changed-By: intrigeri <intrigeri@debian.org>
Description: 
 parcimonie - privacy-friendly helper to refresh a GnuPG keyring
Closes: 738004 738134
Changes: 
 parcimonie (0.7.1-1+deb7u1) wheezy-security; urgency=high
 .
   * Cherry-pick two upstream patches:
     - Sleep a random amount of time if the computed random sleep time
       is too low (CVE-2014-1921, Closes: #738134).
     - Clarify lapse time with large number of keys (Closes: #738004).
     Thanks Holger Levsen <holger@layer-acht.org> for the bug reports!
Checksums-Sha256: 
 591f775cd0bb743607237c9d986f719cd4438dcf24e1021a8fa6e340326f1781 2752 parcimonie_0.7.1-1+deb7u1.dsc
 c86f9ebf17248ee3415eccef89a898c13930e63929a4b9dc1ce3f35b54004ee2 6321 parcimonie_0.7.1-1+deb7u1.debian.tar.gz
 83c2f9c3f27120f141e15075730e4274dc4378a2f093e61a0349dc5c007aa2fe 41906 parcimonie_0.7.1-1+deb7u1_all.deb
 1672056cfaa8d20f6baa2787e6fe300349758648303d5ab8ca6c53369332c0e1 54775 parcimonie_0.7.1.orig.tar.gz
Checksums-Sha1: 
 c3029aabad61de0d678c37b93b1273c3732b479c 2752 parcimonie_0.7.1-1+deb7u1.dsc
 6530df822664e54591f5ed4c757aa41da22f9d1f 6321 parcimonie_0.7.1-1+deb7u1.debian.tar.gz
 9259ed5c571c8129717208da4848e68257c39a9c 41906 parcimonie_0.7.1-1+deb7u1_all.deb
 e9b10f41561fa936d2ac73ebbcde1df5a50e4239 54775 parcimonie_0.7.1.orig.tar.gz
Files: 
 951946c4b9d8c53edca40ecb2f293da2 2752 perl optional parcimonie_0.7.1-1+deb7u1.dsc
 f1fee27a82bc0296c0ca1edaf174cc51 6321 perl optional parcimonie_0.7.1-1+deb7u1.debian.tar.gz
 19622fb9be62b1a5f012a89c2cc38b03 41906 perl optional parcimonie_0.7.1-1+deb7u1_all.deb
 1dc6b119440c6bebc31205cf54820634 54775 perl optional parcimonie_0.7.1.orig.tar.gz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Mar 2014 07:34:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:07:13 2019; Machine Name: buxtehude
