Bug 29057

Summary: botan2 new security issue CVE-2021-24115
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: botan2-2.9.0-2.1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2021-05-30 23:49:57 CEST 
openSUSE has issued an advisory on May 22:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/66VDUR6MFH345POI2NK4EL4N3NCJVT5O/

The issue is fixed upstream in 2.17.3.
David Walser 2021-05-30 23:50:11 CEST

CC: (none) => geiger.david68210
Status comment: (none) => Patch available from openSUSE

Comment 1 Lewis Smith 2021-06-02 21:41:25 CEST 
Cauldron has not just 2.17.3, but 2.18.0 & 1. All done by Stig, so assigning this bug to you.

Assignee: bugsquad => smelror

Comment 2 David Walser 2021-06-27 23:18:47 CEST 
Advisory:
========================

Updated botan2 packages fix security vulnerability:

In Botan before 2.17.3, constant-time computations are not used for certain
decoding and encoding operations (base32, base58, base64, and hex)
(CVE-2021-24115).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24115
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/66VDUR6MFH345POI2NK4EL4N3NCJVT5O/
========================

Updated packages in core/updates_testing:
========================
botan2-2.9.0-2.2.mga7
libbotan2-devel-2.9.0-2.2.mga7
libbotan2_9-2.9.0-2.2.mga7
botan2-doc-2.9.0-2.2.mga7
python3-botan2-2.9.0-2.2.mga7

from botan2-2.9.0-2.2.mga7.src.rpm

Assignee: smelror => qa-bugs
Status comment: Patch available from openSUSE => (none)

Comment 3 Herman Viaene 2021-07-09 10:32:19 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Test along bug 26955 Comment 6 (irreplaceable Claire)
$ botan --help
Usage: botan <cmd> <cmd-options>
All commands support --verbose --help --output= --error-output= --rng-type= --drbg-seed=

Available commands:

Encoders/Decoders:
   asn1print          Decode and print file with ASN.1 Basic Encoding Rules (BER)
and a lot more ....

$ echo "Test File" > testbotan.txt
$ botan base64_enc testbotan.txt > testbotancrypt.txt
]$ cat testbotancrypt.txt
VGVzdCBGaWxlCg==
$  botan base64_dec testbotancrypt.txt
Test File
$ python3
Python 3.7.10 (default, Apr  8 2021, 17:12:00) 
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import botan2
>>> tester = botan2.RandomNumberGenerator()
>>> tested = tester.get(10)
>>> print ("Random number is {}".format(tested))
Random number is b'\xab\x8d\xb7+a\xee\xad\x9cN\x1f'
>>> quit()
Checked botan2-doc with..
$ lynx /usr/share/doc/botan-2.9.0/manual/index.html
Looks OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-07-09 16:06:03 CEST 
Thank you again, Herman. And thank YOU, Claire. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-07-10 13:15:05 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-07-10 14:58:35 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0329.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED