Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package beaker. It fixes a security issue ([CVE-2012-3458] #684890). I didn't touch the urgency since we're in freeze and leave it to your appreciation.

unblock beaker/1.6.3-1.1

Thanks in advance.

Regards

David

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for beaker-1.6.3 beaker-1.6.3 changelog | 9 +++++++++ patches/fix_CVE-2012-3458.patch | 36 ++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 46 insertions(+) diff -Nru beaker-1.6.3/debian/changelog beaker-1.6.3/debian/changelog --- beaker-1.6.3/debian/changelog 2012-05-06 16:46:36.000000000 -0400 +++ beaker-1.6.3/debian/changelog 2012-08-24 13:54:40.000000000 -0400 @@ -1,3 +1,12 @@ +beaker (1.6.3-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix security issue, with PyCrypto not securing data such that an attacker + could possibly determine parts of the encrypted payload. Patch by Miloslav + Trmac of Redhat. [CVE-2012-3458] Closes: #684890 + + -- David Prévot <taf...@debian.org> Fri, 24 Aug 2012 13:54:13 -0400 + beaker (1.6.3-1) unstable; urgency=low [ Andrey Rahmatullin ] diff -Nru beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch --- beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch 1969-12-31 20:00:00.000000000 -0400 +++ beaker-1.6.3/debian/patches/fix_CVE-2012-3458.patch 2012-08-24 14:04:48.000000000 -0400 
@@ -0,0 +1,36 @@ +From: Ben Bangert <b...@groovie.org> +Subject : Fix security issue CVE-2012-3458 + + Fix security issue, with PyCrypto not securing data such that an attacker + could possibly determine parts of the encrypted payload. Patch by Miloslav + Trmac of Redhat. [CVE-2012-3458] + +Origin: upstream, https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5 +Bug-Debian: http://bugs.debian.org/684890 + +--- beaker-1.6.3.orig/beaker/crypto/pycrypto.py ++++ beaker-1.6.3/beaker/crypto/pycrypto.py +@@ -15,17 +15,18 @@ try: + + except ImportError: + from Crypto.Cipher import AES ++ from Crypto.Util import Counter + + def aesEncrypt(data, key): +- cipher = AES.new(key) ++ cipher = AES.new(key, AES.MODE_CTR, ++ counter=Counter.new(128, initial_value=0)) + +- data = data + (" " * (16 - (len(data) % 16))) + return cipher.encrypt(data) + + def aesDecrypt(data, key): +- cipher = AES.new(key) +- +- return cipher.decrypt(data).rstrip() ++ cipher = AES.new(key, AES.MODE_CTR, ++ counter=Counter.new(128, initial_value=0)) ++ return cipher.decrypt(data) + + def getKeyLength(): + return 32 diff -Nru beaker-1.6.3/debian/patches/series beaker-1.6.3/debian/patches/series --- beaker-1.6.3/debian/patches/series 1969-12-31 20:00:00.000000000 -0400 +++ beaker-1.6.3/debian/patches/series 2012-08-24 13:59:45.000000000 -0400 @@ -0,0 +1 @@ +fix_CVE-2012-3458.patch
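Review bot: the debian/changelog entry describes the problem only as "PyCrypto not securing data", which does not tell users or the security team what actually changed; since the patch replaces `AES.new(key)` (PyCrypto's default is ECB mode) with `AES.MODE_CTR`, say so, e.g. "Use AES in CTR mode instead of ECB, whose repeated identical blocks could reveal parts of the encrypted payload." Also "Redhat" should be spelled "Red Hat".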
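Review bot: in fix_CVE-2012-3458.patch the new CTR construction calls `Counter.new(128, initial_value=0)` on every `aesEncrypt`/`aesDecrypt` call with no nonce or IV folded into the counter, so the keystream is a function of the key alone and two payloads encrypted under the same key would leak their XOR. The hunk does not show where `key` comes from, so the patch description or a comment above `aesEncrypt` should state that callers must supply a key that is never reused across messages; CTR also provides no integrity, so ciphertexts must be authenticated elsewhere (for example the HMAC the caller applies), which is worth noting in the same place. Two smaller points: the header `Subject :` has a space before the colon and is not a valid DEP-3 field name, so write `Subject:`; and dropping the space padding also removes the `rstrip()` that stripped trailing whitespace from legitimate plaintext, a behaviour change that deserves a line in the description.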
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team