Bug 19381

Summary: libcryptopp new security issue CVE-2016-7420
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, lewyssmith, shlomif, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/702553/
Whiteboard: MGA5-64-OK advisory
Source RPM: libcryptopp-5.6.3-1.1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-09-16 02:55:12 CEST
A security issue in libcryptopp has been announced today (September 15):
http://www.openwall.com/lists/oss-security/2016/09/15/12

The issue comes from the fact that we (and Fedora) use a downstream patch to build it with autoconf/automake rather than just calling make on the upstream makefile, which causes it to be built with debugging enabled, which has multiple undesirable consequences.

Rebuilt packages with corrected build flags uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libcryptopp packages fix security vulnerability:

The libcryptopp package was built with debugging enabled, which could cause a
crash due to assertions being turned on and could also cause core files to be
generated containing sensitive information (CVE-2016-7420).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3995
http://www.openwall.com/lists/oss-security/2016/09/15/12
========================

Updated packages in core/updates_testing:
========================
libcryptopp6-5.6.3-1.2.mga5
libcryptopp-devel-5.6.3-1.2.mga5
libcryptopp-progs-5.6.3-1.2.mga5

from libcryptopp-5.6.3-1.2.mga5.src.rpm

Comment 1 David Walser 2016-09-19 18:45:34 CEST
So, I added -DNDEBUG to the compiler flags, but now this post is suggesting some additional steps to fix this issue:
http://openwall.com/lists/oss-security/2016/09/19/6

Shlomi, do you think anything additional is necessary here?

CC: (none) => shlomif

Comment 2 Shlomi Fish 2016-09-19 19:09:50 CEST
(In reply to David Walser from comment #1)
> So, I added -DNDEBUG to the compiler flags, but now this post is suggesting
> some additional steps to fix this issue:
> http://openwall.com/lists/oss-security/2016/09/19/6
> 
> Shlomi, do you think anything additional is necessary here?

We may need to replace the assert()s mentioned in the post with the right UNUSED() stuff. I'm not sure about it, but it should not hurt.

Comment 3 David Walser 2016-09-19 19:12:47 CEST
OK. I was under the impression that the NDEBUG would disable the asserts, but you're right that replacing them completely should not hurt.

Comment 4 Lewis Smith 2016-09-25 11:26:55 CEST
Re Comments 1-3, do we expect a new build? If so, could this be 'feedback'd? Just to avoid premature testing.

CC: (none) => lewyssmith

Comment 5 David Walser 2016-09-25 17:24:27 CEST
I don't know if there's a way to tell that debugging is enabled in testing, but basic functionality can be tested.  I'll leave it up to Shlomi as to whether to make any additional changes to this package.  I think the change I made should be effective.
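
Added example, not part of the bug thread or the Mageia packaging: one way to check from an installed shared library whether assertions were compiled in, which is the question raised in comment 5. It assumes a glibc system with binutils `nm`; the function names and the sample symbol lists are constructed for illustration.

```shell
#!/bin/sh
# Heuristic check for "was this shared library built with assertions on?"
# glibc's assert() macro expands to a call to __assert_fail (or
# __assert_perror_fail for assert_perror) and to nothing under -DNDEBUG,
# so a build without -DNDEBUG normally imports that symbol.
# Caveat: absence of the import is evidence, not proof.

# Classify `nm -D --undefined-only` output read from stdin.
classify_nm_output() {
    if grep -Eq '(^|[[:space:]])U[[:space:]]+__assert(_perror)?_fail(@|$)'; then
        echo "asserts-enabled"
    else
        echo "asserts-disabled"
    fi
}

# Run nm on one library; return 2 if its symbols cannot be read, so that a
# failed nm is never mistaken for a clean result.
check_library() {
    if ! syms=$(nm -D --undefined-only "$1" 2>/dev/null); then
        echo "error: cannot read dynamic symbols of $1" >&2
        return 2
    fi
    printf '%s\n' "$syms" | classify_nm_output
}

# Constructed sample nm output (not captured from the Mageia packages).
sample_debug_build() {
    cat <<'EOF'
                 U __assert_fail@GLIBC_2.2.5
                 U __cxa_atexit@GLIBC_2.2.5
                 U memcpy@GLIBC_2.14
EOF
}
sample_release_build() {
    cat <<'EOF'
                 U __cxa_atexit@GLIBC_2.2.5
                 U memcpy@GLIBC_2.14
EOF
}

if [ "$#" -gt 0 ]; then
    for lib in "$@"; do
        printf '%s: ' "$lib"; check_library "$lib"
    done
else
    echo "debug sample:   $(sample_debug_build | classify_nm_output)"
    echo "release sample: $(sample_release_build | classify_nm_output)"
fi
```

Run with the path of the installed library as the argument, once before and once after the update, and compare the two results.
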
Comment 6 Lewis Smith 2016-09-28 10:42:36 CEST
Testing M5-64 real hardware.

BEFORE update:
 lib64cryptopp6-5.6.3-1.1.mga5
 libcryptopp-progs-5.6.3-1.1.mga5
https://bugs.mageia.org/show_bug.cgi?id=18184#c10 gives the clue to testing this:-
 $ cryptest
alone gives lots of usage, of which
 $ cryptest v            [note NO -]
produces a massive amount of self-test output. This has to be scanned carefully for numerous 'passed' and no 'Failed'.
As noted in the earlier bug, the last line of O/P is
"CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading"
which suggests perhaps a missing test file.

AFTER update:
 lib64cryptopp6-5.6.3-1.2.mga5
 libcryptopp-progs-5.6.3-1.2.mga5
Same successful output as previously, with the same final error line.

Am OK'ing this, but confirmation with say Kodi would be nice.

Whiteboard: (none) => MGA5-64-OK

Comment 7 Dave Hodgins 2016-10-04 13:37:32 CEST
Kodi works with the update

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2016-10-04 14:21:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0333.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-10-04 18:43:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/702553/