Package: release.debian.org Severity: normal Tags: bullseye X-Debbugs-Cc: phpsec...@packages.debian.org, t...@security.debian.org Control: affects -1 + src:phpseclib User: release.debian....@packages.debian.org Usertags: pu
Hi, This issue is similar to #1065264 for bookworm. I’d like to see CVE-2024-27354 and CVE-2024-27355 addressed in the next point release. We agreed with the security team that these issues are not worth a DSA. This update also fixes an issue in dependency loading similar to CVE-2024-24821 as fixed in composer/DSA-5632-1. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in oldstable [x] the issue is verified as fixed in unstable TIA for considering. Cheers, taffit
diff -Nru phpseclib-1.0.19/debian/autoload.php.tpl phpseclib-1.0.19/debian/autoload.php.tpl
--- phpseclib-1.0.19/debian/autoload.php.tpl 2023-12-31 15:43:05.000000000 +0100
+++ phpseclib-1.0.19/debian/autoload.php.tpl 2024-02-27 21:27:58.000000000 +0100
@@ -1,7 +1,7 @@
 <?php
-require_once 'phpseclib.bootstrap.php';
-require_once 'Crypt/Random.php';
+require_once __DIR__.'/phpseclib.bootstrap.php';
+require_once __DIR__.'/Crypt/Random.php';
 // @codingStandardsIgnoreFile
 // @codeCoverageIgnoreStart
diff -Nru phpseclib-1.0.19/debian/changelog phpseclib-1.0.19/debian/changelog
--- phpseclib-1.0.19/debian/changelog 2023-12-31 15:59:59.000000000 +0100
+++ phpseclib-1.0.19/debian/changelog 2024-02-27 21:27:58.000000000 +0100
@@ -1,3 +1,13 @@
+phpseclib (1.0.19-3+deb11u2) bullseye; urgency=medium
+
+ * Backport upstream fixes
+ - BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+ - ASN1: limit OID length [CVE-2024-27355]
+ - BigInteger: fix getLength()
+ * Force system dependencies loading
+
+ -- David Prévot <taf...@debian.org> Tue, 27 Feb 2024 21:27:58 +0100
+
 phpseclib (1.0.19-3+deb11u1) bullseye-security; urgency=medium
 * Track bullseye
diff -Nru phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpseclib-1.0.19/debian/patches/0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch 2024-02-27 21:27:58.000000000 +0100
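Review bot: The `__DIR__`-anchored `require_once` lines are the hardening the changelog calls "Force system dependencies loading", but the template records no reason for them, so a later tidy-up could plausibly turn them back into bare include_path lookups; a comment such as `// Anchor to this package's own directory so include_path or the working directory cannot substitute these files` above the first require_once would preserve the intent. PHP resolves a bare relative include through include_path, then the calling script's directory and the current working directory, which is the lookup order the change removes. Only these two requires are visible in the hunk; if the generated autoloader pulls in further files the same way elsewhere in the template, they would need the same treatment.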
@@ -0,0 +1,76 @@
+From: terrafrost <terrafr...@gmail.com>
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 35df7ad..1dd4729 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -746,6 +746,33 @@ class Math_BigInteger
+ return $result;
+ }
+
++ /**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++ function getLength()
++ {
++ if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++ return strlen($this->toBits());
++ }
++
++ $max = count($this->value) - 1;
++ return $max != -1 ?
++ $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++ 0;
++ }
++
++ /**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++ function getLengthInBytes()
++ {
++ return ceil($this->getLength() / 8);
++ }
++
+ /**
+ * Copy an object
+ *
+@@ -3283,6 +3310,11 @@ class Math_BigInteger
+ $min = $temp;
+ }
+
++ $length = $max->getLength();
++ if ($length > 8196) {
++ user_error('Generation of random prime numbers larger than 8196 has been disabled');
++ }
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new Math_BigInteger(1);
+@@ -3390,7 +3422,14 @@ class Math_BigInteger
+ */
+ function isPrime($t = false)
+ {
+- $length = strlen($this->toBytes());
++ $length = $this->getLength();
++ // OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++ // produced by multiplying the primes p and q by one another.
The largest number two 8196 bit primes can produce is
++ // a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++ // that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++ if ($length > 8196) {
++ user_error('Primality testing is not supported for numbers larger than 8196 bits');
++ }
+
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
Les fichiers binaires /tmp/q2874tUZtM/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch et /tmp/8dbXhTc93J/phpseclib-1.0.19/debian/patches/0030-ASN1-limit-OID-length.patch sont différents
diff -Nru phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch
--- phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpseclib-1.0.19/debian/patches/0031-BigInteger-fix-getLength.patch 2024-02-27 21:27:58.000000000 +0100
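Review bot: Both guardrails this patch adds only call `user_error(...)` and then fall through: the `if ($length > 8196)` block in randomPrime() has no `return`, and neither does the one in isPrime(), so unless the application installs an error handler that turns E_USER_NOTICE (the default level of user_error) into an exception, execution continues into exactly the prime search or primality test the 8196-bit cap is meant to stop. Adding `return false;` after each `user_error()` call would make the limit enforce itself; for isPrime() that conservatively reports an oversized number as not prime, and randomPrime() appears to signal its other failures with `false`, though those paths are outside the hunk. The randomPrime() message also carries the limit without a unit (`larger than 8196`), unlike the isPrime() one; `larger than 8196 bits` would match. Both functions begin and end outside the visible hunks, and in this debdiff rendering the isPrime() comment line is split across two physical lines.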
@@ -0,0 +1,31 @@
+From: terrafrost <terrafr...@gmail.com>
+Date: Sat, 24 Feb 2024 14:15:49 -0600
+Subject: BigInteger: fix getLength()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/c55b75199ec8d12cec6eadf6da99da4a3712fe56
+---
+ phpseclib/Math/BigInteger.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 1dd4729..6a981ab 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -759,7 +759,7 @@ class Math_BigInteger
+
+ $max = count($this->value) - 1;
+ return $max != -1 ?
+- $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++ $max * MATH_BIGINTEGER_BASE + intval(ceil(log($this->value[$max] + 1, 2))) :
+ 0;
+ }
+
+@@ -770,7 +770,7 @@ class Math_BigInteger
+ */
+ function getLengthInBytes()
+ {
+- return ceil($this->getLength() / 8);
++ return (int) ceil($this->getLength() / 8);
+ }
+
+ /**
diff -Nru phpseclib-1.0.19/debian/patches/series phpseclib-1.0.19/debian/patches/series
--- phpseclib-1.0.19/debian/patches/series 2023-12-31 15:59:59.000000000 +0100
+++ phpseclib-1.0.19/debian/patches/series 2024-02-27 21:27:58.000000000 +0100
@@ -26,3 +26,6 @@
 0026-SSH2-add-support-for-RFC8308.patch
 0027-SSH2-implement-terrapin-attack-countermeasures.patch
 0028-phpcbf-run.patch
+0029-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
+0030-ASN1-limit-OID-length.patch
+0031-BigInteger-fix-getLength.patch
diff -Nru phpseclib-1.0.19/debian/source/include-binaries phpseclib-1.0.19/debian/source/include-binaries
--- phpseclib-1.0.19/debian/source/include-binaries 1970-01-01 01:00:00.000000000 +0100
+++ phpseclib-1.0.19/debian/source/include-binaries 2024-02-27 21:27:58.000000000 +0100
@@ -0,0 +1 @@
+debian/patches/0030-ASN1-limit-OID-length.patch
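Review bot: The two integer casts this patch introduces use different spellings, `intval(ceil(...))` in getLength() and `(int) ceil(...)` in getLengthInBytes(); one form in both places, e.g. `(int) ceil(log($this->value[$max] + 1, 2))`, would read consistently in a patch whose whole point is the return type. Since the bit count of the top limb is an integer quantity, `strlen(decbin($this->value[$max]))` would also produce it without a float round trip, provided the top limb is never zero after normalisation — that invariant is not visible in the hunk, so confirm it before switching. getLength() starts before its hunk; getLengthInBytes() is shown in full.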