Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
I hereby propose an update for stable/stretch of tlslite-ng. It contains a patch fixing CVE-2018-1000159 [1]. The security issue was marked as being no-dsa [2]. Please see the attached debdiff for details. Thanks, Daniel Stender [1] https://bugs.debian.org/895728 [2] https://security-tracker.debian.org/tracker/CVE-2018-1000159 -- System Information: Debian Release: 9.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru tlslite-ng-0.6.0/debian/changelog tlslite-ng-0.6.0/debian/changelog
--- tlslite-ng-0.6.0/debian/changelog 2016-11-16 16:32:34.000000000 +0100
+++ tlslite-ng-0.6.0/debian/changelog 2018-04-15 20:53:39.000000000 +0200
@@ -1,3 +1,10 @@
+tlslite-ng (0.6.0-1+deb9u1) stable; urgency=medium
+
+ * add verify-mac-even-if-the-padding-is-1-byte-long.patch,
+ providing fix for CVE-2018-1000159 (Closes: #895728).
+
+ -- Daniel Stender <sten...@debian.org> Sun, 15 Apr 2018 20:53:39 +0200
+
 tlslite-ng (0.6.0-1) unstable; urgency=medium
 
 * New upstream release:
diff -Nru tlslite-ng-0.6.0/debian/patches/series tlslite-ng-0.6.0/debian/patches/series
--- tlslite-ng-0.6.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ tlslite-ng-0.6.0/debian/patches/series 2018-04-15 20:53:37.000000000 +0200
@@ -0,0 +1 @@
+verify-mac-even-if-the-padding-is-1-byte-long.patch
diff -Nru tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch
--- tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch 1970-01-01 01:00:00.000000000 +0100
+++ tlslite-ng-0.6.0/debian/patches/verify-mac-even-if-the-padding-is-1-byte-long.patch 2018-04-15 20:45:32.000000000 +0200
@@ -0,0 +1,67 @@
+From 3674815d1b0f7484454995e2737a352e0a6a93d8 Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hka...@redhat.com>
+Date: Tue, 27 Mar 2018 15:26:18 +0200
+Subject: [PATCH] verify the mac even if the padding is 1 byte long
+
+off-by-one error on mac checking, if the padding is of
+minimal length (a single 0x00 byte), the mac is not
+checked and thus the return value is never falsified
+
+this fixes the issue
+---
+ tlslite/utils/constanttime.py | 2 +-
+ unit_tests/test_tlslite_utils_constanttime.py | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/tlslite/utils/constanttime.py b/tlslite/utils/constanttime.py
+index 60322c14..d4f5b1ce 100644
+--- a/tlslite/utils/constanttime.py
++++ b/tlslite/utils/constanttime.py
+@@ -170,7 +170,7 @@ def ct_check_cbc_mac_and_pad(data, mac, seqnumBytes, contentType, version):
+ data_mac.update(compatHMAC(data[:start_pos]))
+ 
+ # don't check past the array end (already checked to be >= zero)
+- end_pos = data_len - 1 - mac.digest_size
++ end_pos = data_len - mac.digest_size
+ 
+ # calculate all possible
+ for i in range(start_pos, end_pos): # constant for given overall length
+diff --git a/unit_tests/test_tlslite_utils_constanttime.py b/unit_tests/test_tlslite_utils_constanttime.py
+index 0edaf3f4..0a6446d0 100644
+--- a/unit_tests/test_tlslite_utils_constanttime.py
++++ b/unit_tests/test_tlslite_utils_constanttime.py
+@@ -16,6 +16,7 @@
+ from hypothesis import given, example
+ import hypothesis.strategies as st
+ from tlslite.utils.compat import compatHMAC
++from tlslite.utils.cryptomath import getRandomBytes
+ from tlslite.recordlayer import RecordLayer
+ import tlslite.utils.tlshashlib as hashlib
+ import hmac
+@@ -266,6 +267,26 @@ def test_with_invalid_hash(self):
+ self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
+ content_type, version))
+ 
++ @given(i=st.integers(1, 20))
++ def test_with_invalid_random_hash(self, i):
++ key = compatHMAC(getRandomBytes(20))
++ seqnum_bytes = bytearray(16)
++ content_type = 0x15
++ version = (3, 3)
++ application_data = getRandomBytes(63)
++ mac = hashlib.sha1
++
++ data = self.data_prepare(application_data, seqnum_bytes, content_type,
++ version, mac, key)
++ data[-i] ^= 0xff
++ padding = bytearray(b'\x00')
++ data += padding
++
++ h = hmac.new(key, digestmod=mac)
++ h.block_size = mac().block_size
++ self.assertFalse(ct_check_cbc_mac_and_pad(data, h, seqnum_bytes,
++ content_type, version))
++
+ def test_with_invalid_pad(self):
+ key = compatHMAC(bytearray(20))
+ seqnum_bytes = bytearray(16)
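Review bot: The corrected `end_pos = data_len - mac.digest_size` in the constanttime.py hunk carries no comment recording why the old `- 1` was wrong, and the surviving comment above it ("don't check past the array end") reads as if the old value were the safe one, which invites re-introducing the off-by-one in a later cleanup; I would add `# range() excludes end_pos: with a single padding byte the MAC starts at data_len - 1 - digest_size, and that index must be tried` next to the assignment. `ct_check_cbc_mac_and_pad` begins and ends outside the quoted hunk, so `start_pos` and the earlier length check the comment refers to are not visible here. In the new `test_with_invalid_random_hash`, the key and application data come from `getRandomBytes` rather than from hypothesis, so a failing run cannot be replayed from hypothesis' seed or shrunk; drawing them with `st.binary(min_size=20, max_size=20)` and `st.binary(min_size=63, max_size=63)` (wrapped in `compatHMAC`/`bytearray` as `test_with_invalid_pad` does) would keep the same coverage and make failures reproducible. The patch file carries only git `From`/`Date`/`Subject` headers; adding `Bug-Debian: https://bugs.debian.org/895728` and an `Origin:` line naming upstream commit 3674815d1b0f7484454995e2737a352e0a6a93d8 would complete the DEP-3 provenance.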