trousers: CVE-2012-0698

Debian Bug report logs - #692649
trousers: CVE-2012-0698

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: trousers: CVE-2012-0698

Date: Thu, 08 Nov 2012 08:03:35 +0100

Package: trousers
Severity: grave
Tags: security
Justification: user security hole

Please see here for details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0698

Cheers,
        Moritz

Message #12 received at 692649@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 692649@bugs.debian.org

Subject: Re: Bug#692649: trousers: CVE-2012-0698

Date: Thu, 8 Nov 2012 22:40:19 +0100

[Message part 1 (text/plain, inline)]

On Thu, Nov 08, 2012 at 08:03:35AM +0100, Moritz Muehlenhoff wrote:
> Package: trousers
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see here for details:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0698
> 
> Cheers,
>         Moritz
> 

Hi Moritz,

I have tested with the python script referenced in the sourceforge
ticket [1], and testing/unstable version is not affected.

Version in squeeze seems affected, so I have prepared an upload with the
fix from upstream [2]. I am attaching the diff to this email, can you
confirm me if it is fine, and if I can upload it ?

Regards,
Pierre


[1] http://sourceforge.net/tracker/index.php?func=detail&aid=3473554&group_id=126012&atid=704358
[2] http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786

[diff_trousers_0.3.5-2+squeeze1.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 692649@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Pierre Chifflier <pollux@debian.org>

Cc: team@security.debian.org, 692649@bugs.debian.org

Subject: Re: [Fwd: Bug#692649: trousers: CVE-2012-0698]

Date: Sat, 17 Nov 2012 15:00:04 +0100

[Message part 1 (text/plain, inline)]

On sam., 2012-11-17 at 11:30 +0100, Pierre Chifflier wrote:
> Hi Security Team,
> 
> I'm forwarding this email to ask for review on the correction for
> CVE-2012-0698 in stable (other versions are not affected).
> 
Hey,

is the fixed package robust against the python script and did you test
if it didn't break anything?

 This comment (https://bugzilla.redhat.com/show_bug.cgi?id=781648#c12)
from the redhat bug is a bit concerning, although I'm not sure to what
it's referring too.

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 692649@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>

To: Yves-Alexis Perez <corsac@debian.org>, 692649@bugs.debian.org

Subject: Re: Bug#692649: [Fwd: Bug#692649: trousers: CVE-2012-0698]

Date: Sun, 18 Nov 2012 15:34:42 +0100

[Message part 1 (text/plain, inline)]

On Sat, Nov 17, 2012 at 03:00:04PM +0100, Yves-Alexis Perez wrote:
> On sam., 2012-11-17 at 11:30 +0100, Pierre Chifflier wrote:
> > Hi Security Team,
> > 
> > I'm forwarding this email to ask for review on the correction for
> > CVE-2012-0698 in stable (other versions are not affected).
> > 
> Hey,
> 
> is the fixed package robust against the python script and did you test
> if it didn't break anything?

Hi,

I've basically tested the package (running tpm_info), so far it seems
ok.
The server does not crash anymore on the python script.

> 
>  This comment (https://bugzilla.redhat.com/show_bug.cgi?id=781648#c12)
> from the redhat bug is a bit concerning, although I'm not sure to what
> it's referring too.
> 

That is the upstream fix I have included. I think the comments is
related to the fact that, while it does fix the crash from the python
script, there may be concerns from other possible functions affected by
the same problem. None seems to have happened since this fix, so I think
it's ok to include it in stable, and testing/sid have newer versions.

Regards,
Pierre

[signature.asc (application/pgp-signature, inline)]

Message #29 received at 692649@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Pierre Chifflier <pollux@debian.org>

Cc: 692649@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#692649: [Fwd: Bug#692649: trousers: CVE-2012-0698]

Date: Mon, 19 Nov 2012 21:40:51 +0100

[Message part 1 (text/plain, inline)]

[please keep the team on CC:]

On lun., 2012-11-19 at 21:35 +0100, Pierre Chifflier wrote:
> On Sat, Nov 17, 2012 at 03:00:04PM +0100, Yves-Alexis Perez wrote:
> > On sam., 2012-11-17 at 11:30 +0100, Pierre Chifflier wrote:
> > > Hi Security Team,
> > > 
> > > I'm forwarding this email to ask for review on the correction for
> > > CVE-2012-0698 in stable (other versions are not affected).
> > > 
> > Hey,
> > 
> > is the fixed package robust against the python script and did you test
> > if it didn't break anything?
> 
> Hi,
> 
> I've basically tested the package (running tpm_info), so far it seems
> ok.
> The server does not crash anymore on the python script.

It'd have been nice to have a bit more assurance on the non-regression
part, but eh :)
> 

Please upload to security-master (don't forget to build with -sa and in
a clean squeeze chroot). I'll write a DSA and release after that.

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Message #34 received at 692649-close@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>

To: 692649-close@bugs.debian.org

Subject: Bug#692649: fixed in trousers 0.3.5-2+squeeze1

Date: Tue, 27 Nov 2012 21:47:05 +0000

Source: trousers
Source-Version: 0.3.5-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
trousers, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692649@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <pollux@debian.org> (supplier of updated trousers package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Nov 2012 22:08:58 +0100
Source: trousers
Binary: trousers trousers-dbg libtspi1 libtspi-dev
Architecture: source amd64
Version: 0.3.5-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Pierre Chifflier <pollux@debian.org>
Description: 
 libtspi-dev - open-source TCG Software Stack (development)
 libtspi1   - open-source TCG Software Stack (library)
 trousers   - open-source TCG Software Stack (daemon)
 trousers-dbg - open-source TCG Software Stack (debug)
Closes: 692649
Changes: 
 trousers (0.3.5-2+squeeze1) stable-security; urgency=high
 .
   * Fix crash when malformed packet is received (CVE-2012-0698)
     Closes: #692649
Checksums-Sha1: 
 fcfedfd2a6a114505836da7deb5e82eb55db4fac 1803 trousers_0.3.5-2+squeeze1.dsc
 8fee28572c4bc88f6e2bcd30a65b0788f93262c2 1335262 trousers_0.3.5.orig.tar.gz
 09197c5194b42421ac393c3fd5894d3b2811d007 21421 trousers_0.3.5-2+squeeze1.debian.tar.gz
 fc80a424e3c20c2c37f2df16ff7e9a38137a94b7 150482 trousers_0.3.5-2+squeeze1_amd64.deb
 8a2579f6ddbd9b4674253e1d41cd1c1becd3efa2 581460 trousers-dbg_0.3.5-2+squeeze1_amd64.deb
 b972bffa945b04842146f818866b7137049cd0c8 202954 libtspi1_0.3.5-2+squeeze1_amd64.deb
 3154881cda28495f680aeff8fbb5c9aa94dea8c3 660636 libtspi-dev_0.3.5-2+squeeze1_amd64.deb
Checksums-Sha256: 
 0c611f353db1b01ba6ea5726fae1b49d92dff5f86c4d9e3c6d46dd967d77bfc9 1803 trousers_0.3.5-2+squeeze1.dsc
 9145db73d7080e86f1a990db4735715ea5f1eae4d47a1d43f775747a7ca580ad 1335262 trousers_0.3.5.orig.tar.gz
 ec4829987a4986ca7cb7da21e39255c90554ca439ab297d3fe257575809c0337 21421 trousers_0.3.5-2+squeeze1.debian.tar.gz
 da30f05dee460f7d4653a7f14fb56f0f8ff2102d0ff143fb32e4c98cf8a007ce 150482 trousers_0.3.5-2+squeeze1_amd64.deb
 e2d964f9634838f5555458a692cde31a68d29a40528fc8eb46612ac790935930 581460 trousers-dbg_0.3.5-2+squeeze1_amd64.deb
 49b57a588a5501b2a4381fd69efb3387f218a4323f515e1663b1c62ce3ca8f94 202954 libtspi1_0.3.5-2+squeeze1_amd64.deb
 ca0b527a4272be8c9220634049e3f9a1cc17c810c88f7bccb7dbbd645406ecb7 660636 libtspi-dev_0.3.5-2+squeeze1_amd64.deb
Files: 
 079c130d72c78e77ad91c0724b6677a6 1803 admin optional trousers_0.3.5-2+squeeze1.dsc
 8655de35a98d2f2bde210d605fa60918 1335262 admin optional trousers_0.3.5.orig.tar.gz
 26fa3c6f5154b6462e4518d33f04f75e 21421 admin optional trousers_0.3.5-2+squeeze1.debian.tar.gz
 577efbb75d27707f54f932ef7a4c82c9 150482 admin optional trousers_0.3.5-2+squeeze1_amd64.deb
 abf01ff3659acbe4e0e8c362da95640e 581460 debug extra trousers-dbg_0.3.5-2+squeeze1_amd64.deb
 ba5aa0983d70bcf2af9f43dab62d02e4 202954 libs optional libtspi1_0.3.5-2+squeeze1_amd64.deb
 dc756b907e2b1547cf64977a9cd96557 660636 libdevel optional libtspi-dev_0.3.5-2+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQrp5SAAoJEMYaZNzxOTmY5ykP/0lrqNfsAg0bh4hto5MKGEHm
iIkgvErNUPs4fTm9IDHMny0fTPWGOwxIbr64LrvSdYk3t48peMaf6lKbrzjsxY9T
ofq2k+HCFp6Y455vN9cbUujis9gJwJrZ5+k3TlQFttVliV2laPQ5gnWam6cWTmoH
wSK95CKCZbgtCSbJda4/ehN1KaU4nPLw6mXgjvjOkl2bFgELYeFuWUeo358+zPQP
zRhGH0iYpHJT46DKyscNtJqE2xJUDNm5chxslhe/aFO3VkwaGDi74LbG9dCoGt9p
tn/uE3II2zoqmTjPvPh7pOV0KHQMsGI1+59eAYQoLFuOXkv25F+KtgnOl8kheNUn
CMnBbnh4P+tKHcazAD30rliXuY8mKZ/G25sS2tbRl8b+X9geJbOdmA0ig8zJBRtn
5OkzFZgkocsov7Pq6FEXrtOfuQ2IPJzveZhKc4uP9yXU9hwMpk1cbb3jEAOu/8FZ
a26qTTssIoSDti/YME/FkyIAMclpX3jcnpf0KttyV8cB+IFLG0uxen9NTbTT4GZQ
JYun3LmRVJ8gmyM2FAOh45D8E6HgpUdglPfhb4dq8n6FiAqwatN4CkD/ogFJ9XGQ
jDYUf7GbbjrMyQzKes+g9UwJI2Y67lcoFGKVuwV3uCUVObDRALrcz2WZ2Vneu2L9
MIV8FgbXKr5VzcrpG1u1
=JXyO
-----END PGP SIGNATURE-----

Message #39 received at 692649@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Pierre Chifflier <pollux@debian.org>

Cc: Moritz Muehlenhoff <jmm@inutil.org>, 692649@bugs.debian.org, jmw@debian.org

Subject: Re: Bug#692649: trousers: CVE-2012-0698

Date: Thu, 27 Dec 2012 21:11:20 +0100

On Thu, Nov 08, 2012 at 10:40:19PM +0100, Pierre Chifflier wrote:
> On Thu, Nov 08, 2012 at 08:03:35AM +0100, Moritz Muehlenhoff wrote:
> > Package: trousers
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Please see here for details:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0698
> > 
> > Cheers,
> >         Moritz
> > 
> 
> Hi Moritz,
> 
> I have tested with the python script referenced in the sourceforge
> ticket [1], and testing/unstable version is not affected.
> 
> Version in squeeze seems affected, so I have prepared an upload with the
> fix from upstream [2]. I am attaching the diff to this email, can you
> confirm me if it is fine, and if I can upload it ?

Sorry for the late reply. This seems to have fallen through the cracks
and I'm currently catching up with old mail.

I think this doesn't warrant a DSA, but could you fix this through
a stable point update?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

(Adding Jonathan, the stable point update security coordinator to CC)

Cheers,
        Moritz

Message #44 received at 692649@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>

To: Moritz Mühlenhoff <jmm@inutil.org>, 692649@bugs.debian.org

Subject: Re: Bug#692649: trousers: CVE-2012-0698

Date: Fri, 28 Dec 2012 17:03:25 +0100

> 
> Sorry for the late reply. This seems to have fallen through the cracks
> and I'm currently catching up with old mail.
> 
> I think this doesn't warrant a DSA, but could you fix this through
> a stable point update?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> 
> (Adding Jonathan, the stable point update security coordinator to CC)
> 

Hi Moritz,

This CVE (CVE-2012-0698) has already been closed by an upload on
November 27th, acked by Yves-Alexis Perez (see [1] for history), so
trousers is now fixed for all versions in Debian.

Cheers,
Pierre

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692649

Message #49 received at 692649@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Pierre Chifflier <pollux@debian.org>

Cc: 692649@bugs.debian.org

Subject: Re: Bug#692649: trousers: CVE-2012-0698

Date: Fri, 28 Dec 2012 19:36:39 +0100

On Fri, Dec 28, 2012 at 05:03:25PM +0100, Pierre Chifflier wrote:
> > 
> > Sorry for the late reply. This seems to have fallen through the cracks
> > and I'm currently catching up with old mail.
> > 
> > I think this doesn't warrant a DSA, but could you fix this through
> > a stable point update?
> > http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> > 
> > (Adding Jonathan, the stable point update security coordinator to CC)
> > 
> 
> Hi Moritz,
> 
> This CVE (CVE-2012-0698) has already been closed by an upload on
> November 27th, acked by Yves-Alexis Perez (see [1] for history), so
> trousers is now fixed for all versions in Debian.

Indeed, it's fixed, but the tracker data was wrong. Now corrected.
 
Cheers,
        Moritz

Send a report that this bug log contains spam.