Re: golang-go.crypto / CVE-2019-11841

2020-10-04 Thread Brian May 
Attached is my patch for golang-go.crypto which I intend to upload
tomorrow for:

* CVE-2019-11840
* CVE-2019-11841

I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can
cause a panic - however I feel this is not really a security issue.
-- 
Brian May 
diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog
--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog	2017-04-26 17:42:23.0 +1000
+++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/changelog	2020-09-07 08:29:03.0 +1000
@@ -1,3 +1,11 @@
+golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Fix CVE-2019-11841: reject potentially misleading headers and messages.
+  * Fix CVE-2019-11840: fix keystream loop in amd64 assembly when overflowing 32-bit counter.
+
+ -- Brian May   Mon, 07 Sep 2020 08:29:03 +1000
+
 golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; urgency=medium
 
   * Reverts previous upload to permit freeze exception.
diff -Nru golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch
--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch	1970-01-01 10:00:00.0 +1000
+++ golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/debian/patches/CVE-2019-11840.patch	2020-09-07 08:29:03.0 +1000
@@ -0,0 +1,1922 @@
+commit b7391e95e576cacdcdd422573063bc057239113d
+Author: Filippo Valsorda 
+Date:   Tue Mar 19 18:29:04 2019 -0400
+
+salsa20/salsa: fix keystream loop in amd64 assembly when overflowing 32-bit counter
+
+Fixes golang/go#30965
+
+Change-Id: I83a804d555c048e0124c35f95c9e611b2c5bdb01
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/436856
+Reviewed-by: Adam Langley 
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/168406
+Reviewed-by: Filippo Valsorda 
+Run-TryBot: Filippo Valsorda 
+TryBot-Result: Gobot Gobot 
+
+Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go
+===
+--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa20_amd64.go
 golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa20_amd64.go
+@@ -6,10 +6,9 @@
+ 
+ package salsa
+ 
+-// This function is implemented in salsa2020_amd64.s.
+-
+ //go:noescape
+ 
++// salsa2020XORKeyStream is implemented in salsa20_amd64.s.
+ func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte)
+ 
+ // XORKeyStream crypts bytes from in to out using the given key and counters.
+Index: golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782/salsa20/salsa/salsa2020_amd64.s
+===
+--- golang-go.crypto-0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig/salsa20/salsa/salsa2020_amd64.s
 /dev/null
+@@ -1,902 +0,0 @@
+-// Copyright 2012 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-// +build amd64,!appengine,!gccgo
+-
+-// This code was translated into a form compatible with 6a from the public
+-// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
+-
+-// func salsa2020XORKeyStream(out, in *byte, n uint64, nonce, key *byte)
+-TEXT ·salsa2020XORKeyStream(SB),0,$512-40
+-	MOVQ out+0(FP),DI
+-	MOVQ in+8(FP),SI
+-	MOVQ n+16(FP),DX
+-	MOVQ nonce+24(FP),CX
+-	MOVQ key+32(FP),R8
+-
+-	MOVQ SP,R11
+-	MOVQ $31,R9
+-	NOTQ R9
+-	ANDQ R9,SP
+-	ADDQ $32,SP
+-
+-	MOVQ R11,352(SP)
+-	MOVQ R12,360(SP)
+-	MOVQ R13,368(SP)
+-	MOVQ R14,376(SP)
+-	MOVQ R15,384(SP)
+-	MOVQ BX,392(SP)
+-	MOVQ BP,400(SP)
+-	MOVQ DX,R9
+-	MOVQ CX,DX
+-	MOVQ R8,R10
+-	CMPQ R9,$0
+-	JBE DONE
+-	START:
+-	MOVL 20(R10),CX
+-	MOVL 0(R10),R8
+-	MOVL 0(DX),AX
+-	MOVL 16(R10),R11
+-	MOVL CX,0(SP)
+-	MOVL R8, 4 (SP)
+-	MOVL AX, 8 (SP)
+-	MOVL R11, 12 (SP)
+-	MOVL 8(DX),CX
+-	MOVL 24(R10),R8
+-	MOVL 4(R10),AX
+-	MOVL 4(DX),R11
+-	MOVL CX,16(SP)
+-	MOVL R8, 20 (SP)
+-	MOVL AX, 24 (SP)
+-	MOVL R11, 28 (SP)
+-	MOVL 12(DX),CX
+-	MOVL 12(R10),DX
+-	MOVL 28(R10),R8
+-	MOVL 8(R10),AX
+-	MOVL DX,32(SP)
+-	MOVL CX, 36 (SP)
+-	MOVL R8, 40 (SP)
+-	MOVL AX, 44 (SP)
+-	MOVQ $1634760805,DX
+-	MOVQ $857760878,CX
+-	MOVQ $2036477234,R8
+-	MOVQ $1797285236,AX
+-	MOVL DX,48(SP)

Re: golang-go.crypto / CVE-2019-11841

2020-10-04 Thread Utkarsh Gupta 
Hi Brian,

Thanks for your work!

On Mon, Oct 5, 2020 at 3:03 AM Brian May  wrote:
> I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can
> cause a panic - however I feel this is not really a security issue.

But still, in case you can include a fix for this in this upload,
that'd be great!


- u

Re: golang-go.crypto / CVE-2019-11841

2020-10-04 Thread Brian May 
Utkarsh Gupta  writes:

> On Mon, Oct 5, 2020 at 3:03 AM Brian May  wrote:
>> I also had a look at CVE-2020-9283 (no DSA) - an invalid public key can
>> cause a panic - however I feel this is not really a security issue.
>
> But still, in case you can include a fix for this in this upload,
> that'd be great!

I wasn't sure it was going to be worth it?

$ patch --dry-run -p1  < ../CVE-2020-9283.patch
checking file ssh/keys.go
Hunk #1 succeeded at 494 with fuzz 1 (offset -68 lines).
Hunk #2 FAILED at 584.
Hunk #3 FAILED at 840.
Hunk #4 succeeded at 807 with fuzz 2 (offset -57 lines).
Hunk #5 FAILED at 903.
Hunk #6 FAILED at 1056.
Hunk #7 FAILED at 1309.
5 out of 7 hunks FAILED

Looking at this again, it looks like it should be trivial to apply #2,
#5, and #6 manually. Not sure why these didn't apply automatically.
Which just leaves #3 - may not be required - and #7 - which only patches
a comment.
-- 
Brian May

Re: golang-go.crypto / CVE-2019-11841

2020-10-04 Thread Utkarsh Gupta 
Hi Brian,

On Mon, Oct 5, 2020 at 3:35 AM Brian May  wrote:
> I wasn't sure it was going to be worth it?

Maybe not for an independent DLA but we could always piggyback them
along with the ones that do.
(at least that's my opinion!)

> $ patch --dry-run -p1  < ../CVE-2020-9283.patch
> checking file ssh/keys.go
> Hunk #1 succeeded at 494 with fuzz 1 (offset -68 lines).
> Hunk #2 FAILED at 584.
> Hunk #3 FAILED at 840.
> Hunk #4 succeeded at 807 with fuzz 2 (offset -57 lines).
> Hunk #5 FAILED at 903.
> Hunk #6 FAILED at 1056.
> Hunk #7 FAILED at 1309.
> 5 out of 7 hunks FAILED
>
> Looking at this again, it looks like it should be trivial to apply #2,
> #5, and #6 manually. Not sure why these didn't apply automatically.
> Which just leaves #3 - may not be required - and #7 - which only patches
> a comment.

Ah, great. It'd nice to include this then! :)


- u