opencryptoki: CVE-2012-4454 CVE-2012-4455

Related Vulnerabilities: CVE-2012-4454   CVE-2012-4455  

Debian Bug report logs - #689417
opencryptoki: CVE-2012-4454 CVE-2012-4455


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 2 Oct 2012 12:42:03 UTC

Severity: important

Tags: security

Fixed in version opencryptoki/3.4.1+dfsg-1

Done: Dimitri John Ledkov <xnox@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#689417; Package opencryptoki. (Tue, 02 Oct 2012 12:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Tue, 02 Oct 2012 12:42:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: opencryptoki: CVE-2012-4454 CVE-2012-4455
Date: Tue, 02 Oct 2012 14:37:03 +0200
Package: opencryptoki
Severity: grave
Tags: security
Justification: user security hole

Please see the thread starting at http://www.openwall.com/lists/oss-security/2012/09/07/2
for details.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#689417; Package opencryptoki. (Sun, 21 Oct 2012 21:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to 689417@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sun, 21 Oct 2012 21:00:03 GMT) (full text, mbox, link).


Message #10 received at 689417@bugs.debian.org (full text, mbox, reply):

From: Arthur de Jong <adejong@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 689417@bugs.debian.org
Subject: Re: Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455
Date: Sun, 21 Oct 2012 22:57:38 +0200
On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
> Please see the thread starting at
> http://www.openwall.com/lists/oss-security/2012/09/07/2
> for details.

I've had a quick look at this bug to see if it can be fixed in Debian.
There are four patches referenced in the thread (I haven't verified if
there are more patches required):

- http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
  32 files changed, 182 insertions(+), 1166 deletions(-)
  This change is huge and mainly seems to be equivalent to setting
  SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
  other changes in there which may be due to the removal of the
  compatibility code.
  This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
  to manually fix it (attached is a version if anyone is interested).
- http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
  31 files changed, 2975 insertions(+), 280 deletions(-)
  Lots of changes in the tests but it also seems to contain some
  cleanups related to the previous change, a change from lock_shm() to
  XProcLock(), some moving of locks to /var/lock and a few other
  changes.
- http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
  23 files changed, 449 insertions(+), 99 deletions(-)
  Includes a FAQ typo fix and the introduction of a lot of new code.
- http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
  1 files changed, 3 insertions(+), 3 deletions(-)
  Very small change in the Makefile which creates the lock directory.
  Should not be relevant for Debian because subdirectories of /var/lock
  should be created on the fly.

The changes are huge and can probably not be easily backported to
Debian's 2.3.1. A few other options come to mind:
- see if upstream can provide patches for 2.3.1
- see if the necessary fixes can be made some other way
- upgrade to upstream 2.4.2
- remove from wheezy
(the only reverse dependency for opencryptoki seems to be tpm-tools)

Anyway, I don't think I can do much more for this bug because I'm afraid
it will take a little more time than I have available at the moment. I
was having a look and I thought I would just add my notes to the bug log.

Good luck with this bug! ;)

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[opencryptoki-2.3.1-remove-extra-lockschemes.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#689417; Package opencryptoki. (Tue, 30 Oct 2012 17:27:13 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 30 Oct 2012 17:27:14 GMT) (full text, mbox, link).


Message #15 received at 689417@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 689417@bugs.debian.org, pollux@debian.org
Subject: Re: Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455
Date: Tue, 30 Oct 2012 18:21:07 +0100
On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
> On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
> > Please see the thread starting at
> > http://www.openwall.com/lists/oss-security/2012/09/07/2
> > for details.
> 
> I've had a quick look at this bug to see if it can be fixed in Debian.
> There are four patches referenced in the thread (I haven't verified if
> there are more patches required):
> 
> - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
>   32 files changed, 182 insertions(+), 1166 deletions(-)
>   This change is huge and mainly seems to be equivalent to setting
>   SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
>   other changes in there which may be due to the removal of the
>   compatibility code.
>   This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
>   to manually fix it (attached is a version if anyone is interested).
> - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
>   31 files changed, 2975 insertions(+), 280 deletions(-)
>   Lots of changes in the tests but it also seems to contain some
>   cleanups related to the previous change, a change from lock_shm() to
>   XProcLock(), some moving of locks to /var/lock and a few other
>   changes.
> - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
>   23 files changed, 449 insertions(+), 99 deletions(-)
>   Includes a FAQ typo fix and the introduction of a lot of new code.
> - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
>   1 files changed, 3 insertions(+), 3 deletions(-)
>   Very small change in the Makefile which creates the lock directory.
>   Should not be relevant for Debian because subdirectories of /var/lock
>   should be created on the fly.
> 
> The changes are huge and can probably not be easily backported to
> Debian's 2.3.1. A few other options come to mind:
> - see if upstream can provide patches for 2.3.1
> - see if the necessary fixes can be made some other way
> - upgrade to upstream 2.4.2
> - remove from wheezy
> (the only reverse dependency for opencryptoki seems to be tpm-tools)
> 
> Anyway, I don't think I can do much more for this bug because I'm afraid
> it will take a little more time than I have available at the moment. I
> was having a look and I thought I would just add my notes to the bug log.
> 
> Good luck with this bug! ;)

Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
outdated crypto toolkits without an active maintainer in the archive.

CCing Pierre, the tpm-tools maintainer, to see whether tpm-tools
is usable without opencryptoki or whether he's interested in adopting
it himself.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#689417; Package opencryptoki. (Wed, 31 Oct 2012 10:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Pierre Chifflier <pollux@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 31 Oct 2012 10:09:03 GMT) (full text, mbox, link).


Message #20 received at 689417@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 689417@bugs.debian.org, pollux@debian.org
Subject: Re: Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455
Date: Wed, 31 Oct 2012 10:59:12 +0100
On Tue, Oct 30, 2012 at 06:21:07PM +0100, Moritz Muehlenhoff wrote:
> On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
> > On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
> > > Please see the thread starting at
> > > http://www.openwall.com/lists/oss-security/2012/09/07/2
> > > for details.
> > 
> > I've had a quick look at this bug to see if it can be fixed in Debian.
> > There are four patches referenced in the thread (I haven't verified if
> > there are more patches required):
> > 
> > - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
> >   32 files changed, 182 insertions(+), 1166 deletions(-)
> >   This change is huge and mainly seems to be equivalent to setting
> >   SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
> >   other changes in there which may be due to the removal of the
> >   compatibility code.
> >   This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
> >   to manually fix it (attached is a version if anyone is interested).
> > - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
> >   31 files changed, 2975 insertions(+), 280 deletions(-)
> >   Lots of changes in the tests but it also seems to contain some
> >   cleanups related to the previous change, a change from lock_shm() to
> >   XProcLock(), some moving of locks to /var/lock and a few other
> >   changes.
> > - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
> >   23 files changed, 449 insertions(+), 99 deletions(-)
> >   Includes a FAQ typo fix and the introduction of a lot of new code.
> > - http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
> >   1 files changed, 3 insertions(+), 3 deletions(-)
> >   Very small change in the Makefile which creates the lock directory.
> >   Should not be relevant for Debian because subdirectories of /var/lock
> >   should be created on the fly.
> > 
> > The changes are huge and can probably not be easily backported to
> > Debian's 2.3.1. A few other options come to mind:
> > - see if upstream can provide patches for 2.3.1
> > - see if the necessary fixes can be made some other way
> > - upgrade to upstream 2.4.2
> > - remove from wheezy
> > (the only reverse dependency for opencryptoki seems to be tpm-tools)
> > 
> > Anyway, I don't think I can do much more for this bug because I'm afraid
> > it will take a little more time than I have available at the moment. I
> > was having a look and I thought I would just add my notes to the bug log.
> > 
> > Good luck with this bug! ;)
> 
> Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
> outdated crypto toolkits without an active maintainer in the archive.
> 
> CCing Pierre, the tpm-tools maintainer, to see whether tpm-tools
> is usable without opencryptoki or whether he's interested in adopting
> it himself.
> 

Hi,

IMHO the best solution would be to upgrade opencryptoki, including
Wheezy. Trying to backport many patches will be complex to maintain and
will create a version that could be very different from upstream,
leading to bugs (on functionalities, and security).
tpm-tools can be compiled without opencryptoki, but this would disable
the PKCS#11 support and so lose some functionality. Apart from the
dependency in debian/control, there should not be any other changes to
be made.

Cheers,
Pierre



Severity set to 'important' from 'grave' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Wed, 09 Jan 2013 19:15:09 GMT) (full text, mbox, link).


Reply sent to Dimitri John Ledkov <xnox@ubuntu.com>:
You have taken responsibility. (Mon, 08 Feb 2016 12:54:04 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 08 Feb 2016 12:54:05 GMT) (full text, mbox, link).


Message #27 received at 689417-close@bugs.debian.org (full text, mbox, reply):

From: Dimitri John Ledkov <xnox@ubuntu.com>
To: 689417-close@bugs.debian.org
Subject: Bug#689417: fixed in opencryptoki 3.4.1+dfsg-1
Date: Mon, 08 Feb 2016 12:49:59 +0000
Source: opencryptoki
Source-Version: 3.4.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
opencryptoki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689417@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dimitri John Ledkov <xnox@ubuntu.com> (supplier of updated opencryptoki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 08 Feb 2016 05:00:09 +0000
Source: opencryptoki
Binary: opencryptoki libopencryptoki0 libopencryptoki-dev
Architecture: source
Version: 3.4.1+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Dimitri John Ledkov <xnox@ubuntu.com>
Description:
 libopencryptoki-dev - PKCS#11 implementation (development)
 libopencryptoki0 - PKCS#11 implementation (library)
 opencryptoki - PKCS#11 implementation (daemon)
Closes: 689417
Changes:
 opencryptoki (3.4.1+dfsg-1) unstable; urgency=low
 .
   * QA upload.
   * Update debian/watch file.
   * New upstream release
     - Resolves CVE-2012-4454
     - Resolves CVE-2012-4455
     - Closes: #689417
   * Drop applied upstream, or no longer applicable patches:
     - 02-disable-user-handling.patch
     - 05-build-fix-for-kbsd.patch
     - 06-add-whatis-entry-to-manpages.patch
     - 07-add-manpage-for-pkcs_slot.patch
     - 0009-Fix-wrong-LIB_PATH.patch
     - 0010-Remove-one-hardcoded-lib64-path.patch
   * Enable systemd units.
   * Drop pkcs11_startup call and opencryptoki provides from the init
     script, adjust PIDFILE location to /var/run/pkcsslotd.pid and source
     lsb init-functions.
   * Add bison and flex build dependencies.
   * Do not change group permissions during install stage of the package
     build.
   * Install new opencryptoki.conf config file.
   * Drop dbg package, rely on the autogenerated one instead.
   * Bump debhelper compat to 9.
   * Rename opencryptoki init file to pkcsslotd, to match the actual daemon
     started and the systemd unit name.
   * Don't use full-path check for deluser, instead just call it
     unconditionally on removal, it's guarded with || true anyway.
   * Patch spelling typos.
   * Drop After=syslog.target from systemd unit file.
   * Simplify 04-pkcsslotd-cmdline-args.patch.
   * Add tmpfiles snippet, and mimic same in the init.d script.
   * Add libica-dev build-dependency on s390x.
   * Set standards version to 3.9.6.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#689417; Package opencryptoki. (Tue, 09 Feb 2016 12:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 09 Feb 2016 12:57:07 GMT) (full text, mbox, link).


Message #32 received at 689417@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 689417@bugs.debian.org
Subject: Re: opencryptoki: CVE-2012-4454 CVE-2012-4455
Date: Tue, 09 Feb 2016 12:15:02 -0000
Package: opencryptoki

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.8) - use target "oldstable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/689417/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 08:07:26 GMT) (full text, mbox, link).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:35:46 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 07:38:18 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:40:56 2019; Machine Name: buxtehude
