boinc: Does not check the RSA_public_decrypt() return value.

Debian Bug report logs - #511521
boinc: Does not check the RSA_public_decrypt() return value.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>

To: submit@bugs.debian.org

Subject: boinc: Does not check the RSA_public_decrypt() return value.

Date: Sun, 11 Jan 2009 20:52:38 +0100

Package: boinc
Severity: serious
Tags: security

Hi,

I've been checking packages to see if they properly check the return
value of some of the functions in openssl.  In lib/crypt.C there
is this code:
int decrypt_public(R_RSA_PUBLIC_KEY& key, DATA_BLOCK& in, DATA_BLOCK& out) {
    RSA* rp = RSA_new();
    public_to_openssl(key, rp);
    RSA_public_decrypt(in.len, in.data, out.data, rp, RSA_PKCS1_PADDING);
    out.len = RSA_size(rp);
    return 0;
}

So it's not checking the return value of RSA_public_decrypt() which
returns the the size of the recovered message digest on success
and -1 on failure.

I have no idea if this code is being used and what the consequences
of this might be.


Kurt

Message #12 received at 511521@bugs.debian.org (full text, mbox, reply):

From: <marcos.marado@sonae.com>

To: <511521@bugs.debian.org>

Subject: RE: boinc: Does not check the RSA_public_decrypt() return value.

Date: Tue, 13 Jan 2009 14:53:45 +0000

Upstream has a fix for this:
http://boinc.berkeley.edu/trac/changeset/16883

Best regards,
-- 
Marcos Marado

Message #17 received at 511521@bugs.debian.org (full text, mbox, reply):

From: Steffen Moeller <moeller@inb.uni-luebeck.de>

To: marcos.marado@sonae.com, 511521@bugs.debian.org

Subject: Re: Bug#511521: boinc: Does not check the RSA_public_decrypt() return value.

Date: Tue, 13 Jan 2009 16:24:27 +0100

marcos.marado@sonae.com wrote:
> Upstream has a fix for this:
> http://boinc.berkeley.edu/trac/changeset/16883

and they have introduced another since it may be "en- or decryption", not only
"encryption" as their error message indicates.

Whenever there is the next Debian release, this bug will be closed, I'd say.

Many thanks for spotting this.

Steffen

Message #22 received at 511521@bugs.debian.org (full text, mbox, reply):

From: Rene Mayorga <rmayorga@debian.org.sv>

To: Steffen Moeller <moeller@inb.uni-luebeck.de>, 511521@bugs.debian.org

Subject: Re: Bug#511521: boinc: Does not check the RSA_public_decrypt() return value.

Date: Tue, 13 Jan 2009 09:43:55 -0600

[Message part 1 (text/plain, inline)]

On Tue, Jan 13, 2009 at 04:24:27PM +0100, Steffen Moeller wrote:
> marcos.marado@sonae.com wrote:
> > Upstream has a fix for this:
> > http://boinc.berkeley.edu/trac/changeset/16883
> 
> and they have introduced another since it may be "en- or decryption", not only
> "encryption" as their error message indicates.

They check already for "en- or decryption" as you said, perhaps just
changing ERR_CRYPTO to show this.
I was about to port this fix to 6.2.14-2, are everybody ok with this?

Cheers
-- 
Rene Mauricio Mayorga   |  jabber: rmayorga@jabber.org
http://rmayorga.org     |  
--------------------------------------------------
08B6 58AB A691 DD56 C30B  8D37 8040 19FA A209 C305

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 511521@bugs.debian.org (full text, mbox, reply):

From: Steffen Moeller <moeller@inb.uni-luebeck.de>

To: Rene Mayorga <rmayorga@debian.org.sv>, 511521@bugs.debian.org

Subject: Re: Bug#511521: boinc: Does not check the RSA_public_decrypt() return value.

Date: Tue, 13 Jan 2009 17:26:12 +0100

Rene Mayorga wrote:
> On Tue, Jan 13, 2009 at 04:24:27PM +0100, Steffen Moeller wrote:
>> marcos.marado@sonae.com wrote:
>>> Upstream has a fix for this:
>>> http://boinc.berkeley.edu/trac/changeset/16883
>> and they have introduced another since it may be "en- or decryption", not only
>> "encryption" as their error message indicates.
> 
> They check already for "en- or decryption" as you said, perhaps just
> changing ERR_CRYPTO to show this.
> I was about to port this fix to 6.2.14-2, are everybody ok with this?

I personally think that you should save your energy. Upstream will release a new version
any time soon. That version will have that patch and I'd wait for that.

Best,

Steffen

Message #32 received at 511521@bugs.debian.org (full text, mbox, reply):

From: "Frank S. Thomas" <fst@debian.org>

To: 511521@bugs.debian.org

Subject: Re: Bug#511521: boinc: Does not check the RSA_public_decrypt() return value.

Date: Tue, 13 Jan 2009 18:15:46 +0100

[Message part 1 (text/plain, inline)]

On Tuesday 13 January 2009 16:43:55 Rene Mayorga wrote:
> I was about to port this fix to 6.2.14-2, are everybody ok with this?

FWIW: I'm ok with backporting this to the current version in Lenny.

[signature.asc (application/pgp-signature, inline)]

Message #37 received at 511521@bugs.debian.org (full text, mbox, reply):

From: Steffen Moeller <moeller@inb.uni-luebeck.de>

To: 511521@bugs.debian.org

Subject: Re: Bug#511521: boinc: Does not check the RSA_public_decrypt() return value.

Date: Tue, 13 Jan 2009 18:29:10 +0100

Frank S. Thomas wrote:
> On Tuesday 13 January 2009 16:43:55 Rene Mayorga wrote:
>> I was about to port this fix to 6.2.14-2, are everybody ok with this?
> 
> FWIW: I'm ok with backporting this to the current version in Lenny.

Lenny should not be without it, good point.  My comment referred to my preference to use a
newer upstream version and keep the Debian packaging bits as simple as possible.

Best,

Steffen

Message #42 received at 511521@bugs.debian.org (full text, mbox, reply):

From: Rene Mayorga <rmayorga@debian.org.sv>

To: Steffen Moeller <moeller@inb.uni-luebeck.de>, 511521@bugs.debian.org

Subject: Re: Bug#511521: boinc: Does not check the RSA_public_decrypt() return value.

Date: Tue, 13 Jan 2009 11:48:00 -0600

[Message part 1 (text/plain, inline)]

On Tue, Jan 13, 2009 at 06:29:10PM +0100, Steffen Moeller wrote:
> Frank S. Thomas wrote:
> > On Tuesday 13 January 2009 16:43:55 Rene Mayorga wrote:
> >> I was about to port this fix to 6.2.14-2, are everybody ok with this?
> > 
> > FWIW: I'm ok with backporting this to the current version in Lenny.
> 
> Lenny should not be without it, good point.  My comment referred to my preference to use a
> newer upstream version and keep the Debian packaging bits as simple as possible.
> 

The changes are quite simple, I have this on a local branch, and
planning to merge it with master. I did not change anything on the
Debian packaging, just add a new patch that quilt manage like a breeze.

I'll ask for sponsorship on pkg-boinc after I test the packages.

Cheers
-- 
Rene Mauricio Mayorga   |  jabber: rmayorga@jabber.org
http://rmayorga.org     |  
--------------------------------------------------
08B6 58AB A691 DD56 C30B  8D37 8040 19FA A209 C305

[signature.asc (application/pgp-signature, inline)]

Message #49 received at 511521@bugs.debian.org (full text, mbox, reply):

From: Rene Mayorga <rmayorga@debian.org.sv>

To: 511521@bugs.debian.org

Subject: Re: Bug#511521: boinc: Does not check the RSA_public_decrypt() return value.

Date: Thu, 15 Jan 2009 00:09:11 -0600

[Message part 1 (text/plain, inline)]

On Tue, Jan 13, 2009 at 11:48:00AM -0600, Rene Mayorga wrote:
> On Tue, Jan 13, 2009 at 06:29:10PM +0100, Steffen Moeller wrote:
> > Frank S. Thomas wrote:
> > > On Tuesday 13 January 2009 16:43:55 Rene Mayorga wrote:
> > >> I was about to port this fix to 6.2.14-2, are everybody ok with this?
> > > 
> > > FWIW: I'm ok with backporting this to the current version in Lenny.
> > 
> > Lenny should not be without it, good point.  My comment referred to my preference to use a
> > newer upstream version and keep the Debian packaging bits as simple as possible.
> > 
> 
> The changes are quite simple, I have this on a local branch, and
> planning to merge it with master. I did not change anything on the
> Debian packaging, just add a new patch that quilt manage like a breeze.

this changes are now merged on master.

Cheers.
-- 
Rene Mauricio Mayorga   |  jabber: rmayorga@jabber.org
http://rmayorga.org     |  
--------------------------------------------------
08B6 58AB A691 DD56 C30B  8D37 8040 19FA A209 C305

[signature.asc (application/pgp-signature, inline)]

Message #56 received at 511521-close@bugs.debian.org (full text, mbox, reply):

From: Rene Mayorga <rmayorga@debian.org>

To: 511521-close@bugs.debian.org

Subject: Bug#511521: fixed in boinc 6.2.14-3

Date: Mon, 19 Jan 2009 04:17:06 +0000

Source: boinc
Source-Version: 6.2.14-3

We believe that the bug you reported is fixed in the latest version of
boinc, which is due to be installed in the Debian FTP archive:

boinc-client_6.2.14-3_i386.deb
  to pool/main/b/boinc/boinc-client_6.2.14-3_i386.deb
boinc-dbg_6.2.14-3_i386.deb
  to pool/main/b/boinc/boinc-dbg_6.2.14-3_i386.deb
boinc-dev_6.2.14-3_i386.deb
  to pool/main/b/boinc/boinc-dev_6.2.14-3_i386.deb
boinc-manager_6.2.14-3_i386.deb
  to pool/main/b/boinc/boinc-manager_6.2.14-3_i386.deb
boinc_6.2.14-3.diff.gz
  to pool/main/b/boinc/boinc_6.2.14-3.diff.gz
boinc_6.2.14-3.dsc
  to pool/main/b/boinc/boinc_6.2.14-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 511521@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Mayorga <rmayorga@debian.org> (supplier of updated boinc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 13 Jan 2009 14:05:38 -0600
Source: boinc
Binary: boinc-client boinc-manager boinc-dev boinc-dbg
Architecture: source i386
Version: 6.2.14-3
Distribution: unstable
Urgency: low
Maintainer: Debian BOINC Maintainers <pkg-boinc-devel@lists.alioth.debian.org>
Changed-By: Rene Mayorga <rmayorga@debian.org>
Description: 
 boinc-client - core client for the BOINC distributed computing infrastructure
 boinc-dbg  - debugging symbols for BOINC binaries
 boinc-dev  - development files to build applications for BOINC projects
 boinc-manager - GUI to control and monitor the BOINC core client
Closes: 511521
Changes: 
 boinc (6.2.14-3) unstable; urgency=low
 .
   * Add debian/patches/101_check_RSA_returned_values.patch
     Check the returned values for RSA_public_decrypt and
     RSA_private_encrypt functions. Change ported by upstream changeset 16883
     (http://boinc.berkeley.edu/trac/changeset/16883) Closes: #511521
   * debian/patches
     001_dont_install_ca-bundle.crt.patch and
     002_remove_hardcoded_optimization.patch Refreshed
   * debian/control - add myself to uploaders
Checksums-Sha1: 
 9c3d6eadb61b3f89c967fd51d266e0b39c6e2317 1650 boinc_6.2.14-3.dsc
 3ca3b3f6916cc652c92c3738a53c4e72d6427a4d 110051 boinc_6.2.14-3.diff.gz
 9fecd7a1addca6d9391757f05aa360317b3e1b6a 385642 boinc-client_6.2.14-3_i386.deb
 7b8b0109d297c24990d91f53b840c2fdc390d42a 1802676 boinc-manager_6.2.14-3_i386.deb
 95ce435db4bf85fa4218831d7c69aea6520f4128 369820 boinc-dev_6.2.14-3_i386.deb
 38b4f7b41ae48143ec8d8a3a702d8f27b2cd386b 6766612 boinc-dbg_6.2.14-3_i386.deb
Checksums-Sha256: 
 a4ca6afe64db0bf3b397646604b264cae1dafcc354d2389795af859856b48619 1650 boinc_6.2.14-3.dsc
 5f266582de65200646f63c6827ce10105c5992317e08ef47ceafde18471ab65a 110051 boinc_6.2.14-3.diff.gz
 4383eb88ca792e7f8f97e07e1ab4ecc59e370865315ee90060ff9576d7cfbbca 385642 boinc-client_6.2.14-3_i386.deb
 3a5b6b04765ff6e8f6fca437639e373152f3658f0ad95d2356b985c1698ccda2 1802676 boinc-manager_6.2.14-3_i386.deb
 518ed74e994bb420915933843ab0fceba1d3dc570a98d3ca30221776c8137cdf 369820 boinc-dev_6.2.14-3_i386.deb
 5edf8382e44e397ca91586cbd297a6b299633edd0c711509c15180738e07f88c 6766612 boinc-dbg_6.2.14-3_i386.deb
Files: 
 51b11c2cb665911096b79ce47b790178 1650 net optional boinc_6.2.14-3.dsc
 c66dd21b8d1bf6096e07b2fd3f42c99d 110051 net optional boinc_6.2.14-3.diff.gz
 a76d734a203916c384fc5e967445af15 385642 net optional boinc-client_6.2.14-3_i386.deb
 e759cc4369cd55986cc7f22b51ce1333 1802676 x11 optional boinc-manager_6.2.14-3_i386.deb
 02fde5eba11f9f7cf49d2dcf916704b4 369820 devel optional boinc-dev_6.2.14-3_i386.deb
 8e0a52ddefb3a5af40eee58e6b9f249f 6766612 devel extra boinc-dbg_6.2.14-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklz+d0ACgkQgEAZ+qIJwwU+2QCeNAfJIKvVZTkBFhAJTr4Jxgev
yTUAniRfkBuqFWLwMxmGnzFUV8BzuKBU
=X7Ds
-----END PGP SIGNATURE-----

Message #61 received at 511521-close@bugs.debian.org (full text, mbox, reply):

From: <rmayorga@debian.org>

To: 511521-close@bugs.debian.org

Subject: Bug#511521: fixed in boinc 5.4.11-4+etch4

Date: Sun, 15 Mar 2009 19:54:19 +0000

Source: boinc
Source-Version: 5.4.11-4+etch4

We believe that the bug you reported is fixed in the latest version of
boinc, which is due to be installed in the Debian FTP archive:

boinc-client_5.4.11-4+etch4_i386.deb
  to pool/main/b/boinc/boinc-client_5.4.11-4+etch4_i386.deb
boinc-dev_5.4.11-4+etch4_i386.deb
  to pool/main/b/boinc/boinc-dev_5.4.11-4+etch4_i386.deb
boinc-manager_5.4.11-4+etch4_i386.deb
  to pool/main/b/boinc/boinc-manager_5.4.11-4+etch4_i386.deb
boinc_5.4.11-4+etch4.diff.gz
  to pool/main/b/boinc/boinc_5.4.11-4+etch4.diff.gz
boinc_5.4.11-4+etch4.dsc
  to pool/main/b/boinc/boinc_5.4.11-4+etch4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 511521@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
<rmayorga@debian.org> (supplier of updated boinc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  6 Feb 2009 20:15:22 -0600
Source: boinc
Binary: boinc-manager boinc-dev boinc-client
Architecture: source i386
Version: 5.4.11-4+etch4
Distribution: stable-security
Urgency: high
Maintainer: Debian BOINC Maintainers <pkg-boinc-devel@lists.alioth.debian.org>
Changed-By: <rmayorga@debian.org>
Description: 
 boinc-client - core client for the BOINC distributed computing infrastructure
 boinc-dev  - development files to build applications for BOINC projects
 boinc-manager - GUI to control and monitor the BOINC core client
Closes: 511521
Changes: 
 boinc (5.4.11-4+etch4) stable-security; urgency=high
 .
   * Correction for CVE-2009-0126 misuses the OpenSSL api
     on decrypt_public function in lib/crypt.cpp, Closes: #511521
   * add myslef to uploaders
Files: 
 2d007ac10e6c4033363f8b0978ecfdfa 1174 net optional boinc_5.4.11-4+etch4.dsc
 268c8f6f19d5def378e7d2fbacc2d4eb 5561690 net optional boinc_5.4.11.orig.tar.gz
 8bf8d8b4fd9a7bb3963f1af4b3a6f6e0 42159 net optional boinc_5.4.11-4+etch4.diff.gz
 935dd3f2c5c51d66dd77c698253458af 340560 net optional boinc-client_5.4.11-4+etch4_i386.deb
 7bc3304531f57ac1e667fba68fe16cd0 747016 x11 optional boinc-manager_5.4.11-4+etch4_i386.deb
 be5f9b3f94890248963a8fdbc9471251 402674 devel optional boinc-dev_5.4.11-4+etch4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmOtGQACgkQXm3vHE4uyloFsQCgnfpiBgsxzbreQJNsNdAZ0iMc
9QIAnRnrcw2SXbn5CNM/QQn+0P3kgf1J
=44/P
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.