Hi,
I've uploaded yubikey-personalization 1.3.2-1squeeze1. It fixes two
security-related bugs, so I'd appreciate if it could be approved for
squeeze, even if they're technically not RC.
Changelog:
yubikey-personalization (1.3.2-1squeeze1) testing-proposed-updates; urgency=high
* Cherry-pick 8dfdff1 from upstream:
Reject -a values with upper case hex as yubikey_hex_decode only
handles lowercase values. This makes invalid input not end up with a
null key.
* Cherry-pick 76769856..0fa7260 from upstream:
Fix bug that prevented salting during AES key generation from
passwords from working. Closes: #608443
-- Tollef Fog Heen <tfh...@debian.org> Wed, 26 Jan 2011 08:15:34 +0100
I've attached the diff from the previous version as well.
Please Cc me on replies, I'm not subscribed to -release.
Best regards,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
diff -u yubikey-personalization-1.3.2/debian/changelog yubikey-personalization-1.3.2/debian/changelog
--- yubikey-personalization-1.3.2/debian/changelog
+++ yubikey-personalization-1.3.2/debian/changelog
@@ -1,3 +1,15 @@
+yubikey-personalization (1.3.2-1squeeze1) testing-proposed-updates; urgency=high
+
+ * Cherry-pick 8dfdff1 from upstream:
+ Reject -a values with upper case hex as yubikey_hex_decode only
+ handles lowercase values. This makes invalid input not end up with a
+ null key.
+ * Cherry-pick 76769856..0fa7260 from upstream:
+ Fix bug that prevented salting during AES key generation from
+ passwords from working. Closes: #608443
+
+ -- Tollef Fog Heen <tfh...@debian.org> Wed, 26 Jan 2011 08:15:34 +0100
+
yubikey-personalization (1.3.2-1) unstable; urgency=low
* New upstream release:
only in patch2:
unchanged:
--- yubikey-personalization-1.3.2.orig/ykpersonalize.c
+++ yubikey-personalization-1.3.2/ykpersonalize.c
@@ -57,9 +57,9 @@
"-cXXX.. A 12 char hex value to use as access code for programming\n"
" (this does NOT SET the access code, that's done with -oaccess=)\n"
"-oOPTION change configuration option. Possible OPTION arguments are:\n"
-" salt=ssssssss Salt to be used for key generation. If\n"
-" none is given, a unique random one will be\n"
-" generated.\n"
+" salt=ssssssss Salt to be used when deriving key from a\n"
+" password. If none is given, a unique random\n"
+" one will be generated.\n"
" fixed=xxxxxxxxxxx The public identity of key, in MODHEX.\n"
" This is 0-16 characters long.\n"
" uid=xxxxxx The uid part of the generated ticket, in HEX.\n"
only in patch2:
unchanged:
--- yubikey-personalization-1.3.2.orig/ykpers.c
+++ yubikey-personalization-1.3.2/ykpers.c
@@ -1,6 +1,6 @@
/* -*- mode:C; c-file-style: "bsd" -*- */
/*
- * Copyright (c) 2008, 2009, Yubico AB
+ * Copyright (c) 2008, 2009, 2010, Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -134,15 +134,9 @@
return 1; /* Bad AES key */
}
-/* Make sure that the hexkey is made up of only [0-9a-f] */
- int i;
- for (i=0; i < strlen(hexkey); i++) {
- char c = tolower(hexkey[i]);
-/* In ASCII, 0-9 == 48-57 and a-f == 97-102 */
- if ( c<48 || (c>57 && c<97) || c>102 ) {
- return 1;
- }
- }
+ /* Make sure that the hexkey is made up of only [0-9a-f] */
+ if (! yubikey_hex_p(hexkey))
+ return 1;
yubikey_hex_decode(aesbin, hexkey, sizeof(aesbin));
memcpy(cfg->ykcore_config.key, aesbin, sizeof(cfg->ykcore_config.key));
@@ -178,8 +172,8 @@
size_t read_bytes = 0;
while (read_bytes < sizeof(_salt)) {
- size_t n = fread(&cfg->ykcore_config.key[read_bytes],
- 1, KEY_SIZE - read_bytes,
+ size_t n = fread(&_salt[read_bytes],
+ 1, sizeof (_salt) - read_bytes,
random_file);
read_bytes += n;
}
