polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Debian Bug report logs - #801413
polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Date: Fri, 09 Oct 2015 22:02:21 +0200

Source: polarssl
Version: 1.2.8-2
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for polarssl.

CVE-2015-5291[0]:
Remote attack on clients using session tickets or SNI

It has been fixed in PolarSSL 1.2.17 branch, then the rebranded mbed
TLS 1.3.14 (and mbed TLS 2.1.2).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5291
[1] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01

Regards,
Salvatore

Message #10 received at 801413@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <james410@cowgill.org.uk>

To: 801413@bugs.debian.org

Subject: Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Date: Fri, 09 Oct 2015 23:26:30 +0100

[Message part 1 (text/plain, inline)]

On Fri, 09 Oct 2015 22:02:21 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: polarssl
> Version: 1.2.8-2
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for polarssl.
> 
> CVE-2015-5291[0]:
> Remote attack on clients using session tickets or SNI

I believe this can be fixed by applying these 4 commits (although I'm
not sure if all of them are needed, and please double check):
https://github.com/ARMmbed/mbedtls/commit/c988f32adde62a169ba340fee0da15aecd40e76e
https://github.com/ARMmbed/mbedtls/commit/b1e325d6b2bd9c504536fbbd45dce348f0a6c40c
https://github.com/ARMmbed/mbedtls/commit/643a922c56b77235e88f106fb1b41c1a764cea5f
https://github.com/ARMmbed/mbedtls/commit/f3e6e4badb35760c9a543ee69b7449cb0cd9784b

This may be easier than packaging the new upstream version since that
requires an ABI break.

James

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 801413@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <james410@cowgill.org.uk>

To: security@debian.org

Cc: 801413@bugs.debian.org

Subject: Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Date: Tue, 20 Oct 2015 18:28:43 +0100

[Message part 1 (text/plain, inline)]

Hi,

So I asked upstream about the specific commits which fixed this bug
here:
https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291

They seemed pretty resistive to the idea of just adding specific
patches on top of 1.3.9, and if you look at the changelog there are a
number of other security bugs which seem important but don't have CVEs
because they couldn't be triggered remotely.
https://github.com/ARMmbed/mbedtls/blob/mbedtls-1.3.14/ChangeLog

One thing which was suggested was to use 1.3.14 and then disable at
compile time all the new features which may affect the ABI and then
revert the SONAME change, but is doing that actually allowed for the
security archive or will the update be too big?

(I haven't actually done any of this yet, I'm just checking it'll be
OK before I spend my time on it)

Thanks,
James

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: James Cowgill <james410@cowgill.org.uk>

Cc: security@debian.org, 801413@bugs.debian.org

Subject: Re: Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Date: Tue, 20 Oct 2015 19:37:20 +0200

* James Cowgill:

> They seemed pretty resistive to the idea of just adding specific
> patches on top of 1.3.9, and if you look at the changelog there are a
> number of other security bugs which seem important but don't have CVEs
> because they couldn't be triggered remotely.
> https://github.com/ARMmbed/mbedtls/blob/mbedtls-1.3.14/ChangeLog

I can sympathesize with that.  For example, I strongly recommend the
RSA-CRT hardening introduced in 1.3.13.

> One thing which was suggested was to use 1.3.14 and then disable at
> compile time all the new features which may affect the ABI and then
> revert the SONAME change, but is doing that actually allowed for the
> security archive or will the update be too big?

We can do that, but I don't know if it is a good idea to patch
cryptographic software in such extensive ways.

We can live with the addition of new symbols, but removal of symbols,
changes in struct sizes or offsets, and so on, would be hugely
problematic.  For are start, you could just build both the old and new
versions and run libabigail on them, to get an idea what actually did
change.

Florian

Message #25 received at 801413@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <james410@cowgill.org.uk>

To: Florian Weimer <fw@deneb.enyo.de>, 801413@bugs.debian.org

Cc: security@debian.org

Subject: Re: Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Date: Wed, 21 Oct 2015 13:43:26 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Tue, 2015-10-20 at 19:37 +0200, Florian Weimer wrote:
> * James Cowgill:
[...]
> > One thing which was suggested was to use 1.3.14 and then disable at
> > compile time all the new features which may affect the ABI and then
> > revert the SONAME change, but is doing that actually allowed for the
> > security archive or will the update be too big?
> 
> We can do that, but I don't know if it is a good idea to patch
> cryptographic software in such extensive ways.
> 
> We can live with the addition of new symbols, but removal of symbols,
> changes in struct sizes or offsets, and so on, would be hugely
> problematic.  For are start, you could just build both the old and new
> versions and run libabigail on them, to get an idea what actually did
> change.

So I checked the ABI and had to revert a few commits. I've attached the
original libabigail diff (all against upstream versions) and the diff
after my patches. The variables don't look to me like they were ever
intended to be part of the public ABI so I don't think they're that
important.

My changes are here:
https://github.com/jcowgill/mbedtls/commits/debian-jessie-compatibility

Unfortunately there was quite a lot I had to do:
$ git diff --stat mbedtls-1.3.14 debian-jessie-compatibility
 include/polarssl/asn1.h                |   1 -
 include/polarssl/config.h              |   8 +-
 include/polarssl/pk.h                  |  13 ----
 include/polarssl/ssl.h                 |  49 +-----------
 include/polarssl/x509.h                |   1 +
 library/Makefile                       |  20 ++---
 library/pk.c                           |  26 -------
 library/pk_wrap.c                      |  56 +-------------
 library/ssl_cli.c                      |  15 ----
 library/ssl_srv.c                      |  10 +--
 library/ssl_tls.c                      |  43 +++--------
 library/x509.c                         |  56 ++++++--------
 library/x509_crt.c                     |   4 -
 programs/ssl/ssl_client1.c             |   2 -
 programs/ssl/ssl_client2.c             |  15 ----
 programs/ssl/ssl_fork_server.c         |   2 -
 programs/ssl/ssl_mail_client.c         |   2 -
 programs/ssl/ssl_pthread_server.c      |   2 -
 programs/ssl/ssl_server.c              |   2 -
 programs/ssl/ssl_server2.c             |  35 +--------
 tests/compat.sh                        |   2 +-
 tests/ssl-opt.sh                       | 136 ++++-----------------------------
 tests/suites/test_suite_pk.data        |  20 -----
 tests/suites/test_suite_pk.function    |  29 -------
 tests/suites/test_suite_x509parse.data |   6 +-
 25 files changed, 73 insertions(+), 482 deletions(-)

So any potential upload to jessie would include upstream 1.3.14, the
above patches, and the existing config changes in Debian's 1.3.9.

James

[abidiff-1.3.9-jcowgill (text/plain, attachment)]

[abidiff-1.3.9-1.3.14 (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 801413@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <james410@cowgill.org.uk>

To: 801413@bugs.debian.org

Subject: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Date: Fri, 23 Oct 2015 21:53:59 +0100

[Message part 1 (text/plain, inline)]

Hi,

So regardless of the ABI issues affecting jessie, the first thing to do
is to fix this in unstable which can be done by just uploading 1.3.14
and doing an ABI transition.

I've attached a debdiff for an NMU to experimental which would start
this off. The orig tarball is not included in the diff to make it
easier to read. Instead it can be downloaded from upstream here

https://tls.mbed.org/download/mbedtls-1.3.14-gpl.tgz
sha1sum: 690ae3cc3da82cfc5530f5cb1f82bec0c778b5dc

So the package doesn't conflict with the mbedtls 2 package (in NEW),
and so none of the API is broken, the only thing changed was the SONAME
of the library and the package name. The symlinks used by ld and the
names of the binaries all keep the 'polarssl' name instead of being
renamed to 'mbedtls'.

Thanks,
James

[polarssl-1.3.14-0.1-nmu.diff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #35 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: James Cowgill <james410@cowgill.org.uk>

Cc: Florian Weimer <fw@deneb.enyo.de>, 801413@bugs.debian.org, security@debian.org

Subject: Re: Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Date: Tue, 27 Oct 2015 22:29:31 +0100

On Wed, Oct 21, 2015 at 01:43:26PM +0100, James Cowgill wrote:
> Hi,
> 
> On Tue, 2015-10-20 at 19:37 +0200, Florian Weimer wrote:
> > * James Cowgill:
> [...]
> > > One thing which was suggested was to use 1.3.14 and then disable at
> > > compile time all the new features which may affect the ABI and then
> > > revert the SONAME change, but is doing that actually allowed for the
> > > security archive or will the update be too big?
> > 
> > We can do that, but I don't know if it is a good idea to patch
> > cryptographic software in such extensive ways.
> > 
> > We can live with the addition of new symbols, but removal of symbols,
> > changes in struct sizes or offsets, and so on, would be hugely
> > problematic.  For are start, you could just build both the old and new
> > versions and run libabigail on them, to get an idea what actually did
> > change.
> 
> So I checked the ABI and had to revert a few commits. I've attached the
> original libabigail diff (all against upstream versions) and the diff
> after my patches. The variables don't look to me like they were ever
> intended to be part of the public ABI so I don't think they're that
> important.

Could you test that the reverse build deps in jessie still build?
If so, I'd be fine with that approach for jessie.

For wheezy we can probably only make it end-of-life? There's
only two reverse deps (pdns and gatling).

Cheers,
        Moritz

Message #42 received at 801413-close@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <james410@cowgill.org.uk>

To: 801413-close@bugs.debian.org

Subject: Bug#801413: fixed in polarssl 1.3.14-0.1

Date: Mon, 02 Nov 2015 17:00:30 +0000

Source: polarssl
Source-Version: 1.3.14-0.1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 801413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <james410@cowgill.org.uk> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Oct 2015 21:49:24 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libmbedtls9
Architecture: source amd64
Version: 1.3.14-0.1
Distribution: experimental
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: James Cowgill <james410@cowgill.org.uk>
Description:
 libmbedtls9 - lightweight crypto and SSL/TLS library
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
Closes: 773306 781840 787324 801413
Changes:
 polarssl (1.3.14-0.1) experimental; urgency=high
 .
   * Non-maintainer upload.
   * New upstream release. (Closes: #787324)
     - The upstream project has been renamed to "mbed TLS", but for
       compatibility the binaries supplied by this package will still
       be called "polarssl" for the 1.3 series.
     - Fixes CVE-2015-5291: Remote attack on clients using session tickets or
       SNI. (Closes: #801413)
     - Fixes mips64el bignum implementation. (Closes: #773306)
     - Fixes parsing of certain PCKS#3 files. (Closes: #781840)
 .
   * Rename libpolarssl7 package to libmbedtls9 due to SONAME bump.
   * Drop CVE-2015-1182.patch - applied upstream.
Checksums-Sha1:
 e5fa935fb1ed693b916f0803a762c1c00db6e0fb 1838 polarssl_1.3.14-0.1.dsc
 690ae3cc3da82cfc5530f5cb1f82bec0c778b5dc 1744343 polarssl_1.3.14.orig.tar.gz
 cd0ff4fcdb714e3da60eb1cc74d780774839efeb 5492 polarssl_1.3.14-0.1.debian.tar.xz
 687295501f474cac75771b14c8b4a54c5ff00aa4 236712 libmbedtls9_1.3.14-0.1_amd64.deb
 34426148892053406e4f8b60f305e2249e12d1b6 340076 libpolarssl-dev_1.3.14-0.1_amd64.deb
 bdbe508e23917568cea6b6ee977badd8f72907a2 774126 libpolarssl-runtime_1.3.14-0.1_amd64.deb
Checksums-Sha256:
 2d86fcf2f9faf244351b312acdc39f408a393bb006a78139a77fdad5ca355090 1838 polarssl_1.3.14-0.1.dsc
 be76915bc406b4c4109629624baa5bf610a805d9976404e4086d44e5e6c86ff8 1744343 polarssl_1.3.14.orig.tar.gz
 202a2137465235cfe7a58d629bbc515a7c0d61ae8cd8fe3af64080ccccd58d3a 5492 polarssl_1.3.14-0.1.debian.tar.xz
 4d2ee23ce37598cdd3ff153968047fe7df2f7c1c4de72f015598ee3d41dc007a 236712 libmbedtls9_1.3.14-0.1_amd64.deb
 7488c51172117c3fecee56ce5569cc781eab1823455de3087d3d69766ea96ecd 340076 libpolarssl-dev_1.3.14-0.1_amd64.deb
 afe591665f62f08e4b38e2d02544f0c3b5c6bbe03a6663095eaf25f630d1596e 774126 libpolarssl-runtime_1.3.14-0.1_amd64.deb
Files:
 ec5428ad14d5e8f75546dd86ac321882 1838 libs optional polarssl_1.3.14-0.1.dsc
 869c7b5798b8769902880c7cf0212fed 1744343 libs optional polarssl_1.3.14.orig.tar.gz
 13af8f001c366b9f6d971dde6bf3332d 5492 libs optional polarssl_1.3.14-0.1.debian.tar.xz
 1e3c51b425e5aa2247a6bb1fb55898c9 236712 libs optional libmbedtls9_1.3.14-0.1_amd64.deb
 6b91e2000781063dc571e810595cfeb6 340076 libdevel optional libpolarssl-dev_1.3.14-0.1_amd64.deb
 9e85991737cb05bb1a907304c0244478 774126 libdevel optional libpolarssl-runtime_1.3.14-0.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWN03MAAoJEHxWrP6UeJfYvgQP/ikHaVVZJ3eEDBJz0EhrlDpI
J/cGgeE2o5A6bJRMmZy54e7swL2BGvtluSglsh+cr4kZjwoMuMZPvJvVjfqvP3l2
SZTKi3Z+qRcUGSmKt+088SPOFcsvY6joD/dxEx5ld3o8JrqgPVWe11BZgExt1cEB
zTi7DyAtP5GhUNHhbVpd+WXgK53hxjTyrhkHo5dHgneCk157Gc6wURZdCKQhM3iB
BMOQP3586N2UpgjTWN/wqQigJDAX/51XO3XmvHcBh4yORPNl9zfivRcYjkabutOj
hZxuM+0JSmR9e1eQ5iqmHP8ZyY6p9L+5yVWbNUGlXs1DkMGx+t//MSlWQ+2fwEjG
88pt81oMXq2lM4jlQQg8nCvnemQZbYLNvrsvYbWt2FrUNMlz6GgXwTyGLltY3wUf
P9RZG/3UqUzzimGq7UsYB8f6ZIHB5ZTOL6c7NaSEiF6pVa04psqWZ/vBM11PZmsF
RJRl3Xl81xOgDWqdoFsoifFd/ob8LT26glD2ZQzcDD3pMtmbfRnmq07jJO6nSSth
PKoADdNXYP1UiFLcCdSqknqIGDiboRltSdWpQugo8JVHBKt1UNv6r3ylepqei0Wg
mieDMJoYhprWwbu21QB5Avwkw4U3PzYF2SGlrbrvK8uVpCKo5GU8wFwY6mxh6S2f
jRPKWLWzEKDa/Q6curjX
=bJjM
-----END PGP SIGNATURE-----

Message #47 received at 801413@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <james410@cowgill.org.uk>

To: Moritz Mühlenhoff <jmm@inutil.org>

Cc: 801413@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, security@debian.org

Subject: Re: Bug#801413: polarssl: CVE-2015-5291: Remote attack on clients using session tickets or SNI

Date: Mon, 09 Nov 2015 14:24:27 +0000

[Message part 1 (text/plain, inline)]

Hi,

On Tue, 2015-10-27 at 22:29 +0100, Moritz Mühlenhoff wrote:
> On Wed, Oct 21, 2015 at 01:43:26PM +0100, James Cowgill wrote:
> > Hi,
> > 
> > On Tue, 2015-10-20 at 19:37 +0200, Florian Weimer wrote:
> > > * James Cowgill:
> > [...]
> > > > One thing which was suggested was to use 1.3.14 and then disable at
> > > > compile time all the new features which may affect the ABI and then
> > > > revert the SONAME change, but is doing that actually allowed for the
> > > > security archive or will the update be too big?
> > > 
> > > We can do that, but I don't know if it is a good idea to patch
> > > cryptographic software in such extensive ways.
> > > 
> > > We can live with the addition of new symbols, but removal of symbols,
> > > changes in struct sizes or offsets, and so on, would be hugely
> > > problematic.  For are start, you could just build both the old and new
> > > versions and run libabigail on them, to get an idea what actually did
> > > change.
> > 
> > So I checked the ABI and had to revert a few commits. I've attached the
> > original libabigail diff (all against upstream versions) and the diff
> > after my patches. The variables don't look to me like they were ever
> > intended to be part of the public ABI so I don't think they're that
> > important.
> 
> Could you test that the reverse build deps in jessie still build?
> If so, I'd be fine with that approach for jessie.

Sorry it took a little longer than I expected, but here is a patch for
jessie. It can be applied on top of 1.3.14 in experimental.

The patch reverts the library rename in 1.3.14-0.1, applies the
compatability patch, and adds a call to dh_makeshlibs to ensure any
reverse dependencies emit a (>= 1.3.14) dependency since a small number
of symbols have been added in 1.3.14.

All the reverse dependencies build in jessie chroots except for
mongrel2 which FTBFS for unrelated reasons (see #804331 and #804385).

> For wheezy we can probably only make it end-of-life? There's
> only two reverse deps (pdns and gatling).

Upstream have bumped the SONAME of 1.2 as well do doing the same here
for wheezy could be a lot of work.

For this particular bug the fix seems to be a lot simpler though:
https://github.com/ARMmbed/mbedtls/commit/13ca8951f96f00750c9fda9928a9affcddcd342c

I also notice the above commit has been applied to squeeze-lts already.

Thanks,
James

[polarssl_1.3.14-0.1~deb8u1.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #52 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Jan Niehusmann <jan@gondor.com>

To: 801413@bugs.debian.org

Subject: Re: Bug#801413: fixed in polarssl 1.3.14-0.1

Date: Mon, 30 Nov 2015 11:41:16 +0100

Hi,

as polarssl is is marked for autoremoval from testing on 2015-12-09
because of bug #801413, I wonder why the upload fixing the issue is only
in experimental. Is there a reason for not pushing it to unstable?

I'm asking because I'm the maintainer of two reverse dependencies.

Jan

Message #57 received at 801413@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <james410@cowgill.org.uk>

To: Jan Niehusmann <jan@gondor.com>

Cc: 801413@bugs.debian.org

Subject: Re: Bug#801413: fixed in polarssl 1.3.14-0.1

Date: Mon, 30 Nov 2015 12:21:02 +0000

[Message part 1 (text/plain, inline)]

Hi,

On Mon, 2015-11-30 at 11:41 +0100, Jan Niehusmann wrote:
> as polarssl is is marked for autoremoval from testing on 2015-12-09
> because of bug #801413, I wonder why the upload fixing the issue is only
> in experimental. Is there a reason for not pushing it to unstable?

That was the original plan I had, but after I talked to the release
team about it in #803997, it was decided to just leave polarssl, wait
for mbedtls to pass NEW (which it still hasn't) and then port all the
reverse dependencies to it.

In the end it should all work out for stretch, although it does mean
that polarssl + its rdeps might leave testing in the meantime.

Thanks,
James

[signature.asc (application/pgp-signature, inline)]

Message #62 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: team@security.debian.org

Cc: debian-lts@lists.debian.org, 801413@bugs.debian.org

Subject: wheezy: update for polarssl's CVE-2015-5291

Date: Sat, 23 Jan 2016 17:00:22 +0100

[Message part 1 (text/plain, inline)]

Hi,
I've forward ported Thorsten's fix fow squeeze to wheezy and added some
autopkgtest (debdiff attached). Please find the debdiff attached. I'd be
happy to upload ths to security master.
Cheers,
 -- Guido

[1.2.9-1~deb7u5.diff (text/x-diff, attachment)]

Message #67 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>

To: Guido Günther <agx@sigxcpu.org>, team@security.debian.org, debian-lts@lists.debian.org, 801413@bugs.debian.org

Subject: Re: wheezy: update for polarssl's CVE-2015-5291

Date: Fri, 29 Jan 2016 18:55:36 +0100

Hi Guido,

thanks for the debdiff. It looks OK, so feel free to upload it. Once
that's done, I'll release the DSA.

Cheers,

--Seb

On Jan/23, Guido Günther wrote:
> Hi,
> I've forward ported Thorsten's fix fow squeeze to wheezy and added some
> autopkgtest (debdiff attached). Please find the debdiff attached. I'd be
> happy to upload ths to security master.
> Cheers,
>  -- Guido

> diff --git a/debian/changelog b/debian/changelog
> index b52643b..b6c42f0 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +polarssl (1.2.9-1~deb7u6) wheezy-security; urgency=high
> +
> +  * Non-maintainer upload by the LTS Security Team.
> +  * CVE-2015-5291: Remote attack on clients using session tickets or SNI
> +
> + -- Guido Günther <agx@sigxcpu.org>  Sat, 23 Jan 2016 15:47:29 +0100
> +
>  polarssl (1.2.9-1~deb7u5) wheezy-security; urgency=high
>  
>    * Non-maintainer upload by the Security Team.
> diff --git a/debian/patches/CVE-2015-5291-1.patch b/debian/patches/CVE-2015-5291-1.patch
> new file mode 100644
> index 0000000..f1dc35c
> --- /dev/null
> +++ b/debian/patches/CVE-2015-5291-1.patch
> @@ -0,0 +1,27 @@
> +Index: polarssl-1.2.9/include/polarssl/ssl.h
> +===================================================================
> +--- polarssl-1.2.9.orig/include/polarssl/ssl.h	2015-10-22 15:42:52.000000000 +0200
> ++++ polarssl-1.2.9/include/polarssl/ssl.h	2015-10-22 15:44:14.000000000 +0200
> +@@ -123,6 +123,8 @@
> + #define SSL_LEGACY_ALLOW_RENEGOTIATION  1
> + #define SSL_LEGACY_BREAK_HANDSHAKE      2
> + 
> ++#define SSL_MAX_HOST_NAME_LEN           255 /*!< Maximum host name defined in RFC 1035 */
> ++
> + /*
> +  * Size of the input / output buffer.
> +  * Note: the RFC defines the default size of SSL / TLS messages. If you
> +Index: polarssl-1.2.9/library/ssl_tls.c
> +===================================================================
> +--- polarssl-1.2.9.orig/library/ssl_tls.c	2015-10-22 15:42:52.000000000 +0200
> ++++ polarssl-1.2.9/library/ssl_tls.c	2015-10-22 15:45:02.000000000 +0200
> +@@ -3260,6 +3260,9 @@
> +     if( ssl->hostname_len + 1 == 0 )
> +         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
> + 
> ++    if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN )
> ++        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
> ++
> +     ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
> + 
> +     if( ssl->hostname == NULL )
> diff --git a/debian/patches/series b/debian/patches/series
> index 929750e..06dd432 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -5,3 +5,11 @@
>  CVE-2014-4911.patch
>  CVE-2014-8628.patch
>  CVE-2015-1182.patch
> +
> +# fix for CVE-2015-5291
> +# -> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5291
> +CVE-2015-5291-1.patch
> +# vulnerable code not present
> +#CVE-2015-5291-2.patch
> +#CVE-2015-5291-3.patch
> +#CVE-2015-5291-4.patch
> diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch
> new file mode 100644
> index 0000000..f4d43ee
> --- /dev/null
> +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-2.patch
> @@ -0,0 +1,323 @@
> +diff --git a/library/ssl_cli.c b/library/ssl_cli.c
> +index f603cff..deeee33 100644
> +--- a/library/ssl_cli.c
> ++++ b/library/ssl_cli.c
> +@@ -65,6 +65,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
> +                                     size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> + 
> +     *olen = 0;
> + 
> +@@ -74,6 +75,12 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
> +                    ssl->hostname ) );
> + 
> ++    if( (size_t)(end - p) < ssl->hostname_len + 9 )
> ++    {
> ++         SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++         return;
> ++    }
> ++
> +     /*
> +      * struct {
> +      *     NameType name_type;
> +@@ -117,6 +124,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
> +                                          size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> + 
> +     *olen = 0;
> + 
> +@@ -125,6 +133,12 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
> + 
> ++    if( (size_t)(end - p) < 5 + ssl->verify_data_len )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     /*
> +      * Secure renegotiation
> +      */
> +@@ -151,6 +165,7 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
> +                                                 size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> +     size_t sig_alg_len = 0;
> + #if defined(POLARSSL_RSA_C) || defined(POLARSSL_ECDSA_C)
> +     unsigned char *sig_alg_list = buf + 6;
> +@@ -163,9 +178,54 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
> + 
> ++#if defined(POLARSSL_RSA_C)
> ++#if defined(POLARSSL_SHA512_C)
> ++    /* SHA512 + RSA signature, SHA384 + RSA signature */
> ++    sig_alg_len += 4;
> ++#endif
> ++#if defined(POLARSSL_SHA256_C)
> ++    /* SHA256 + RSA signature, SHA224 + RSA signature */
> ++    sig_alg_len += 4;
> ++#endif
> ++#if defined(POLARSSL_SHA1_C)
> ++    /* SHA1 + RSA signature */
> ++    sig_alg_len += 2;
> ++#endif
> ++#if defined(POLARSSL_MD5_C)
> ++    /* MD5 + RSA signature */
> ++    sig_alg_len += 2;
> ++#endif
> ++#endif /* POLARSSL_RSA_C */
> ++#if defined(POLARSSL_ECDSA_C)
> ++#if defined(POLARSSL_SHA512_C)
> ++    /* SHA512 + ECDSA signature, SHA384 + ECDSA signature */
> ++    sig_alg_len += 4;
> ++#endif
> ++#if defined(POLARSSL_SHA256_C)
> ++    /* SHA256 + ECDSA signature, SHA224 + ECDSA signature */
> ++    sig_alg_len += 4;
> ++#endif
> ++#if defined(POLARSSL_SHA1_C)
> ++    /* SHA1 + ECDSA signature */
> ++    sig_alg_len += 2;
> ++#endif
> ++#if defined(POLARSSL_MD5_C)
> ++    /* MD5 + ECDSA signature */
> ++    sig_alg_len += 2;
> ++#endif
> ++#endif /* POLARSSL_ECDSA_C */
> ++
> ++    if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     /*
> +      * Prepare signature_algorithms extension (TLS 1.2)
> +      */
> ++    sig_alg_len = 0;
> ++
> + #if defined(POLARSSL_RSA_C)
> + #if defined(POLARSSL_SHA512_C)
> +     sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
> +@@ -248,6 +308,7 @@ static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
> +                                                      size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> +     unsigned char *elliptic_curve_list = p + 6;
> +     size_t elliptic_curve_len = 0;
> +     const ecp_curve_info *info;
> +@@ -269,6 +330,25 @@ static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
> +     for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
> +     {
> + #endif
> ++        elliptic_curve_len += 2;
> ++    }
> ++
> ++    if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> ++    elliptic_curve_len = 0;
> ++
> ++#if defined(POLARSSL_SSL_SET_CURVES)
> ++    for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
> ++    {
> ++       info = ecp_curve_info_from_grp_id( *grp_id );
> ++#else
> ++    for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
> ++    {
> ++#endif
> + 
> +         elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
> +         elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
> +@@ -294,12 +374,18 @@ static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
> +                                                    size_t *olen )
> + {
> +     unsigned char *p = buf;
> +-    ((void) ssl);
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> + 
> +     *olen = 0;
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
> + 
> ++    if( end < p || (size_t)( end - p ) < 6 )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
> +     *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
> + 
> +@@ -319,14 +405,21 @@ static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
> +                                                size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> + 
> +-    if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE ) {
> +-        *olen = 0;
> ++    *olen = 0;
> ++
> ++    if( ssl->mfl_code == SSL_MAX_FRAG_LEN_NONE )
> +         return;
> +-    }
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
> + 
> ++    if( end < p || (size_t)( end - p ) < 5 )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
> +     *p++ = (unsigned char)( ( TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
> + 
> +@@ -344,15 +437,21 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
> +                                           unsigned char *buf, size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> ++
> ++    *olen = 0;
> + 
> +     if( ssl->trunc_hmac == SSL_TRUNC_HMAC_DISABLED )
> +-    {
> +-        *olen = 0;
> +         return;
> +-    }
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
> + 
> ++    if( end < p || (size_t)( end - p ) < 4 )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
> +     *p++ = (unsigned char)( ( TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
> + 
> +@@ -368,17 +467,25 @@ static void ssl_write_encrypt_then_mac_ext( ssl_context *ssl,
> +                                        unsigned char *buf, size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> ++
> ++    *olen = 0;
> + 
> +     if( ssl->encrypt_then_mac == SSL_ETM_DISABLED ||
> +         ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
> +     {
> +-        *olen = 0;
> +         return;
> +     }
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
> +                         "extension" ) );
> + 
> ++    if( end < p || (size_t)( end - p ) < 4 )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
> +     *p++ = (unsigned char)( ( TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
> + 
> +@@ -394,17 +501,25 @@ static void ssl_write_extended_ms_ext( ssl_context *ssl,
> +                                        unsigned char *buf, size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> ++
> ++    *olen = 0;
> + 
> +     if( ssl->extended_ms == SSL_EXTENDED_MS_DISABLED ||
> +         ssl->max_minor_ver == SSL_MINOR_VERSION_0 )
> +     {
> +-        *olen = 0;
> +         return;
> +     }
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
> +                         "extension" ) );
> + 
> ++    if( end < p || (size_t)( end - p ) < 4 )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
> +     *p++ = (unsigned char)( ( TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
> + 
> +@@ -420,16 +535,22 @@ static void ssl_write_session_ticket_ext( ssl_context *ssl,
> +                                           unsigned char *buf, size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> +     size_t tlen = ssl->session_negotiate->ticket_len;
> + 
> ++    *olen = 0;
> ++
> +     if( ssl->session_tickets == SSL_SESSION_TICKETS_DISABLED )
> +-    {
> +-        *olen = 0;
> +         return;
> +-    }
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
> + 
> ++    if( end < p || (size_t)( end - p ) < 4 + tlen )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
> +     *p++ = (unsigned char)( ( TLS_EXT_SESSION_TICKET      ) & 0xFF );
> + 
> +@@ -457,16 +578,26 @@ static void ssl_write_alpn_ext( ssl_context *ssl,
> +                                 unsigned char *buf, size_t *olen )
> + {
> +     unsigned char *p = buf;
> ++    const unsigned char *end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
> ++    size_t alpnlen = 0;
> +     const char **cur;
> + 
> ++    *olen = 0;
> ++
> +     if( ssl->alpn_list == NULL )
> +-    {
> +-        *olen = 0;
> +         return;
> +-    }
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
> + 
> ++    for( cur = ssl->alpn_list; *cur != NULL; cur++ )
> ++        alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
> ++
> ++    if( end < p || (size_t)( end - p ) < 6 + alpnlen )
> ++    {
> ++        SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> ++        return;
> ++    }
> ++
> +     *p++ = (unsigned char)( ( TLS_EXT_ALPN >> 8 ) & 0xFF );
> +     *p++ = (unsigned char)( ( TLS_EXT_ALPN      ) & 0xFF );
> + 
> diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch
> new file mode 100644
> index 0000000..52a0f4a
> --- /dev/null
> +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-3.patch
> @@ -0,0 +1,51 @@
> +diff --git a/ChangeLog b/ChangeLog
> +index 44f4408..ddba5c0 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,5 +1,15 @@
> + mbed TLS ChangeLog (Sorted per branch, date)
> + 
> ++= mbed TLS 1.3.14 released 2015-10-xx
> ++
> ++Security
> ++   * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer
> ++     overflow of the hostname or session ticket. (Found by Guido Vranken)
> ++
> ++Changes
> ++   * Added checking of hostname length in ssl_set_hostname() to ensure domain
> ++     names are compliant with RFC 1035.
> ++
> + = mbed TLS 1.3.13 reladsed 2015-09-17
> + 
> + Security
> +diff --git a/library/ssl_cli.c b/library/ssl_cli.c
> +index deeee33..ef86cd2 100644
> +--- a/library/ssl_cli.c
> ++++ b/library/ssl_cli.c
> +@@ -75,7 +75,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
> +                    ssl->hostname ) );
> + 
> +-    if( (size_t)(end - p) < ssl->hostname_len + 9 )
> ++    if( end < p || (size_t)( end - p ) < ssl->hostname_len + 9 )
> +     {
> +          SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> +          return;
> +@@ -877,13 +877,13 @@ static int ssl_write_client_hello( ssl_context *ssl )
> +     ext_len += olen;
> + #endif
> + 
> +-#if defined(POLARSSL_SSL_SESSION_TICKETS)
> +-    ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
> ++#if defined(POLARSSL_SSL_ALPN)
> ++    ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
> +     ext_len += olen;
> + #endif
> + 
> +-#if defined(POLARSSL_SSL_ALPN)
> +-    ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
> ++#if defined(POLARSSL_SSL_SESSION_TICKETS)
> ++    ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
> +     ext_len += olen;
> + #endif
> + 
> diff --git a/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch b/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch
> new file mode 100644
> index 0000000..2019491
> --- /dev/null
> +++ b/debian/patches/vulernable-code-not-present/CVE-2015-5291-4.patch
> @@ -0,0 +1,13 @@
> +diff --git a/library/ssl_cli.c b/library/ssl_cli.c
> +index 39dc02e..ef86cd2 100644
> +--- a/library/ssl_cli.c
> ++++ b/library/ssl_cli.c
> +@@ -133,7 +133,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
> + 
> +     SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
> + 
> +-    if( end < p || (size_t)(end - p) < 5 + ssl->verify_data_len )
> ++    if( (size_t)(end - p) < 5 + ssl->verify_data_len )
> +     {
> +         SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
> +         return;
> diff --git a/debian/tests/build-test b/debian/tests/build-test
> new file mode 100755
> index 0000000..42b7127
> --- /dev/null
> +++ b/debian/tests/build-test
> @@ -0,0 +1,10 @@
> +#!/usr/bin/make -f
> +
> +CFLAGS	= -O2 -D_FILE_OFFSET_BITS=64 -Wall
> +LDFLAGS	+= -lpolarssl
> +
> +a.out: programs/hash/hello.c
> +	$(CC) $(CFLAGS) $(OFLAGS) $< $(LDFLAGS)
> +	@echo "Build test of $< succeeded"
> +	./a.out
> +	@rm -f a.out
> diff --git a/debian/tests/control b/debian/tests/control
> new file mode 100644
> index 0000000..9b777fd
> --- /dev/null
> +++ b/debian/tests/control
> @@ -0,0 +1,5 @@
> +Tests: smoke
> +Depends: libpolarssl-runtime
> +
> +Tests: build-test
> +Depends: libpolarssl-dev
> diff --git a/debian/tests/smoke b/debian/tests/smoke
> new file mode 100755
> index 0000000..03df087
> --- /dev/null
> +++ b/debian/tests/smoke
> @@ -0,0 +1,17 @@
> +#!/bin/sh
> +
> +set -e
> +
> +# Excercise some of the demos
> +polarssl_hello
> +polarssl_mpi_demo
> +
> +# Make sure output is identical to coreutil versions
> +[ "$(polarssl_sha1sum /etc/passwd)" = "$(sha1sum /etc/passwd)" ]
> +[ "$(polarssl_md5sum /etc/passwd)" = "$(md5sum /etc/passwd)" ]
> +
> +# Run the selftest
> +polarssl_selftest
> +
> +echo 'Smoke test of polarssl succesful'
> +exit 0

Message #72 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>

To: Guido Günther <agx@sigxcpu.org>, team@security.debian.org, debian-lts@lists.debian.org, 801413@bugs.debian.org

Subject: Re: wheezy: update for polarssl's CVE-2015-5291

Date: Sun, 31 Jan 2016 09:12:38 +0100

On Jan/29, Sébastien Delafond wrote:
> thanks for the debdiff. It looks OK, so feel free to upload it. Once
> that's done, I'll release the DSA.

Hi Guido,

are you still willing to upload polarssl to security-master ? :)

Cheers,

--Seb

Message #77 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: Sébastien Delafond <seb@debian.org>

Cc: team@security.debian.org, debian-lts@lists.debian.org, 801413@bugs.debian.org

Subject: Re: wheezy: update for polarssl's CVE-2015-5291

Date: Sun, 31 Jan 2016 19:39:25 +0100

On Sun, Jan 31, 2016 at 09:12:38AM +0100, Sébastien Delafond wrote:
> On Jan/29, Sébastien Delafond wrote:
> > thanks for the debdiff. It looks OK, so feel free to upload it. Once
> > that's done, I'll release the DSA.
> 
> Hi Guido,
> 
> are you still willing to upload polarssl to security-master ? :)

Uploaded now. Thanks!
 -- Guido

Message #82 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>

To: Guido Günther <agx@sigxcpu.org>, team@security.debian.org, debian-lts@lists.debian.org, 801413@bugs.debian.org

Subject: Re: wheezy: update for polarssl's CVE-2015-5291

Date: Mon, 1 Feb 2016 09:51:54 +0100

On Jan/31, Guido Günther wrote:
> Uploaded now. Thanks!

Hi Guido,

have you looked into fixing the jessie version (1.3.9-2.1) as well ? If
not, I'll need to look into it later this week, so that a DSA for
CVE-2015-5291 fixes both wheezy and jessie.

Cheers,

--Seb

Message #87 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: Sébastien Delafond <seb@debian.org>

Cc: team@security.debian.org, debian-lts@lists.debian.org, 801413@bugs.debian.org

Subject: Re: wheezy: update for polarssl's CVE-2015-5291

Date: Fri, 5 Feb 2016 14:24:44 +0100

[Message part 1 (text/plain, inline)]

Hi,
On Mon, Feb 01, 2016 at 09:51:54AM +0100, Sébastien Delafond wrote:
> On Jan/31, Guido Günther wrote:
> > Uploaded now. Thanks!
> 
> Hi Guido,
> 
> have you looked into fixing the jessie version (1.3.9-2.1) as well ? If
> not, I'll need to look into it later this week, so that a DSA for
> CVE-2015-5291 fixes both wheezy and jessie.

Debdiff attached. It's far more intrusive since we also have to deal
with CVE-2015-8036.

James you alread discussed the best way forward at

    https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291

with upstream so I'm very interesed in your opinion on this as well.
Cheers,
 -- Guido

[1.3.9-2.2.diff (text/x-diff, attachment)]

Message #92 received at 801413@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <james410@cowgill.org.uk>

To: Guido Günther <agx@sigxcpu.org>

Cc: team@security.debian.org, debian-lts@lists.debian.org, 801413@bugs.debian.org, Sébastien Delafond <seb@debian.org>

Subject: Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291

Date: Fri, 05 Feb 2016 20:44:37 +0000

[Message part 1 (text/plain, inline)]

Hi!

On Fri, 2016-02-05 at 14:24 +0100, Guido Günther wrote:
> Hi,
> On Mon, Feb 01, 2016 at 09:51:54AM +0100, Sébastien Delafond wrote:
> > On Jan/31, Guido Günther wrote:
> > > Uploaded now. Thanks!
> > 
> > Hi Guido,
> > 
> > have you looked into fixing the jessie version (1.3.9-2.1) as well ? If
> > not, I'll need to look into it later this week, so that a DSA for
> > CVE-2015-5291 fixes both wheezy and jessie.
> 
> Debdiff attached. It's far more intrusive since we also have to deal
> with CVE-2015-8036.
> 
> James you alread discussed the best way forward at
> 
>     https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291
> 
> with upstream so I'm very interesed in your opinion on this as well.

Upstream would obviously like Debian to use the point releases of
polarssl, but they broke the ABI in the 1.3 series since 1.3.9 so we
can't use them directly. I had a go at reverting the ABI breaking
changes and I posted my attempt earlier to this bug report, but the
changes I had to make were very intrusive and they'll probably have to
fixed up again every time there is a new release.

I'm beginning to feel like cherry picking the CVE related fixes (like
you've done) is probably the best solution, especially since this has
already taken some time to fix.

A few things on the debdiff you just posted:
- The attachment came though in ISO-8859-1 instead of UTF-8 and
  lintian didn't like it. Hopefully the file is ok on your machine
  though.
- I think the ssl-server-test needs an 'isolation-container'
  restriction since it opens TCP ports.

Thanks,
James

[signature.asc (application/pgp-signature, inline)]

Message #97 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: James Cowgill <james410@cowgill.org.uk>

Cc: team@security.debian.org, debian-lts@lists.debian.org, 801413@bugs.debian.org, Sébastien Delafond <seb@debian.org>

Subject: Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291

Date: Sat, 6 Feb 2016 11:40:45 +0100

Hi,
On Fri, Feb 05, 2016 at 08:44:37PM +0000, James Cowgill wrote:
> Hi!
> 
> On Fri, 2016-02-05 at 14:24 +0100, Guido Günther wrote:
> > Hi,
> > On Mon, Feb 01, 2016 at 09:51:54AM +0100, Sébastien Delafond wrote:
> > > On Jan/31, Guido Günther wrote:
> > > > Uploaded now. Thanks!
> > > 
> > > Hi Guido,
> > > 
> > > have you looked into fixing the jessie version (1.3.9-2.1) as well ? If
> > > not, I'll need to look into it later this week, so that a DSA for
> > > CVE-2015-5291 fixes both wheezy and jessie.
> > 
> > Debdiff attached. It's far more intrusive since we also have to deal
> > with CVE-2015-8036.
> > 
> > James you alread discussed the best way forward at
> > 
> >     https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291
> > 
> > with upstream so I'm very interesed in your opinion on this as well.
> 
> Upstream would obviously like Debian to use the point releases of
> polarssl, but they broke the ABI in the 1.3 series since 1.3.9 so we
> can't use them directly. I had a go at reverting the ABI breaking
> changes and I posted my attempt earlier to this bug report, but the
> changes I had to make were very intrusive and they'll probably have to
> fixed up again every time there is a new release.

From what I read and figured from the Git commits I wonder if we should
open CVEs for the other fixes in 1.3.14 too?

> I'm beginning to feel like cherry picking the CVE related fixes (like
> you've done) is probably the best solution, especially since this has
> already taken some time to fix.

Yeah, I think we should go ahead an fix these and rather revisit the
problem in case we have more issues to fix.

> 
> A few things on the debdiff you just posted:
> - The attachment came though in ISO-8859-1 instead of UTF-8 and
>   lintian didn't like it. Hopefully the file is ok on your machine
>   though.
> - I think the ssl-server-test needs an 'isolation-container'
>   restriction since it opens TCP ports.

Good point, isolation-container restricction added.
Cheers,
 -- Guido

Message #102 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>

To: Guido Günther <agx@sigxcpu.org>, James Cowgill <james410@cowgill.org.uk>, team@security.debian.org, debian-lts@lists.debian.org, 801413@bugs.debian.org

Subject: Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291

Date: Sat, 6 Feb 2016 11:42:34 +0100

On Feb/06, Guido Günther wrote:
> > A few things on the debdiff you just posted:
> > - The attachment came though in ISO-8859-1 instead of UTF-8 and
> >   lintian didn't like it. Hopefully the file is ok on your machine
> >   though.
> > - I think the ssl-server-test needs an 'isolation-container'
> >   restriction since it opens TCP ports.

Hi Guido,

can I get the updated debdiff ? I'm about to review it.

Cheers,

--Seb

Message #107 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: Sébastien Delafond <seb@debian.org>

Cc: 801413@bugs.debian.org

Subject: Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291

Date: Sat, 6 Feb 2016 11:48:58 +0100

[Message part 1 (text/plain, inline)]

On Sat, Feb 06, 2016 at 11:42:34AM +0100, Sébastien Delafond wrote:
> On Feb/06, Guido Günther wrote:
> > > A few things on the debdiff you just posted:
> > > - The attachment came though in ISO-8859-1 instead of UTF-8 and
> > >   lintian didn't like it. Hopefully the file is ok on your machine
> > >   though.
> > > - I think the ssl-server-test needs an 'isolation-container'
> > >   restriction since it opens TCP ports.
> 
> Hi Guido,
> 
> can I get the updated debdiff ? I'm about to review it.

Attached. I've trimmed the CC: list a little to reduce the noise. Feel
free to readd lists as you see fit.

Cheers,
 -- Guido

[1.3.9-2.2.diff (text/x-diff, attachment)]

Message #112 received at 801413@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>

To: Guido Günther <agx@sigxcpu.org>

Cc: 801413@bugs.debian.org

Subject: Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291

Date: Sat, 6 Feb 2016 13:59:21 +0100

On Feb/06, Guido Günther wrote:
> Attached. I've trimmed the CC: list a little to reduce the noise. Feel
> free to readd lists as you see fit.

All good, please upload.

Cheers,

--Seb

Message #117 received at 801413-close@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>

To: 801413-close@bugs.debian.org

Subject: Bug#801413: fixed in polarssl 1.3.9-2.1+deb8u1

Date: Wed, 10 Feb 2016 22:17:07 +0000

Source: polarssl
Source-Version: 1.3.9-2.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 801413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 05 Feb 2016 13:41:23 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl7
Architecture: source
Version: 1.3.9-2.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Guido Günther <agx@sigxcpu.org>
Closes: 801413
Description: 
 libpolarssl7 - lightweight crypto and SSL/TLS library
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
Changes:
 polarssl (1.3.9-2.1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Backport patches for CVE-2015-5291 and CVE-2015-8036
     (Closes: #801413)
   * Add simple smoke test
Checksums-Sha1: 
 5cca94595fad469f4db2fe5dcb01a9c3bee282b0 1866 polarssl_1.3.9-2.1+deb8u1.dsc
 3462b4455e1443ac1a1007fbd69861ebfb5c5506 1741396 polarssl_1.3.9.orig.tar.gz
 5a1c499f6b3308efe985d4778aaf3f6d108ac673 8844 polarssl_1.3.9-2.1+deb8u1.debian.tar.xz
Checksums-Sha256: 
 d5495ac3ea1daf3c692095bd378cd9828a8a08bbde22d1d01592a71dc563b4bb 1866 polarssl_1.3.9-2.1+deb8u1.dsc
 d3605afc28ed4b7d1d9e3142d72e42855e4a23c07c951bbb0299556b02d36755 1741396 polarssl_1.3.9.orig.tar.gz
 a82ea0b17baee04e84c9d1ff798e98a56fb7868d7a465797e4c383f767622023 8844 polarssl_1.3.9-2.1+deb8u1.debian.tar.xz
Files: 
 a1a14db34e03ef2c4d6727f5ffa72315 1866 libs optional polarssl_1.3.9-2.1+deb8u1.dsc
 48af7d1f0d5de512cbd6dacf5407884c 1741396 libs optional polarssl_1.3.9.orig.tar.gz
 217fee58d15b80c4f9a9b87b100abf49 8844 libs optional polarssl_1.3.9-2.1+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJWthUUAAoJEAe4t7DqmBIL8WMP/1TW8g2d52ty0ZVhfP2gCSpF
0AJ83uvTjHGR+O3akI+44TTFkwmW+aGkleErIRk9S6V9Ru6OyLSjyBg9zuGshYU7
BG+HPMhzUbZ2wTc7gdBoYwetjE8MYMgof23bFVSZtJPtxJH5T5Upaz8qi7U9FDtM
lTjqw2p+xFwZLJmiXiq4ULi6gtv4mykV6yH55RabXbl1u31UjXiTItxmlFEvzvWv
NxXE/J62MzPZPoNZ/8wXNPApiQW5JfEiSw+3WPcO8cf/acgr9+6YPJUbBB+pi2M4
eZOT08XhzGJaEbldSWb4U6xEm+rEFb/tYv55fW+VGVwXMOhrN4CCaN4/Ej1ZcpgD
NNCVpsKI2HZxwGw0Pxm5xoKkc5blG9HHReKAkXHhebtuIfXGzeHs8AkXYzzhSkD8
55vp9xLscDj7R72YuZ8lcLV4lRJzkt6V5r/FWZxoroySZvWPgWCyyDprRmBimoik
fJ+0snd4NrOLpBkX48A4/OjtmoUiij9JfvRQcLrsy3Rmx8okUD5Ze/3tXh4cx8fI
+3oX9D0I7hfQpA3gPp3lBrTAYZlCNdWP83T6XiCYCyDbVvVvJnD8wh5Am+ytoJwu
dV41cXMiU7EHZdFOAdJJ50QM9K7Yi76xTrXnU7iz1LplBJmSvU9oDE06sttylwkR
Sb3gPCagXctamhLiWvyu
=TGMn
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.