A security issue in libcryptopp has been announced today (September 15): http://www.openwall.com/lists/oss-security/2016/09/15/12 The issue comes from the fact that we (and Fedora) use a downstream patch to build it with autoconf/automake rather than just calling make on the upstream makefile, which causes it to be built with debugging enabled, which has multiple undesirable consequences. Rebuilt packages with corrected build flags uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated libcryptopp packages fix security vulnerability: The libcryptopp package was built with debugging enabled, which could cause a crash due to assertions being turned on and could also cause core files to be generated containing sensitive information (CVE-2016-7420). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3995 http://www.openwall.com/lists/oss-security/2016/09/15/12 ======================== Updated packages in core/updates_testing: ======================== libcryptopp6-5.6.3-1.2.mga5 libcryptopp-devel-5.6.3-1.2.mga5 libcryptopp-progs-5.6.3-1.2.mga5 from libcryptopp-5.6.3-1.2.mga5.src.rpm
So, I added -DNDEBUG to the compiler flags, but now this post is suggesting some additional steps to fix this issue: http://openwall.com/lists/oss-security/2016/09/19/6 Shlomi, do you think anything additional is necessary here?
CC: (none) => shlomif
(In reply to David Walser from comment #1) > So, I added -DNDEBUG to the compiler flags, but now this post is suggesting > some additional steps to fix this issue: > http://openwall.com/lists/oss-security/2016/09/19/6 > > Shlomi, do you think anything additional is necessary here? We may need to replace the assert()s mentioned in the post with the right UNUSED() stuff. I'm not sure about it, but it should not hurt.
OK. I was under the impression that the NDEBUG would disable the asserts, but you're right that replacing them completely should not hurt.
Re Comments1-3, do we expect a new build? If so, could this be 'feedback'd? Just to avoid premature testing.
CC: (none) => lewyssmith
I don't know if there's a way to tell that debugging is enabled in testing, but basic functionality can be tested. I'll leave it up to Shlomi as to whether to make any additional changes to this package. I think the change I made should be effective.
Testing M5-64 real hardware. BEFORE update: lib64cryptopp6-5.6.3-1.1.mga5 libcryptopp-progs-5.6.3-1.1.mga5 https://bugs.mageia.org/show_bug.cgi?id=18184#c10 gives the clue to testing this:- $ cryptest alone gives lots of usage, of which $ cryptest v [note NO -] produces a massive amount of self-test output. This has to be scanned carefully for numerous 'passed' and no 'Failed'. As noted in the earlier bug, the last line of O/P is "CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading" which suggests perhaps a missing test file. AFTER update: lib64cryptopp6-5.6.3-1.2.mga5 libcryptopp-progs-5.6.3-1.2.mga5 Same successful output to previously, with the same final error line. Am OK'ing this, but confirmation with say Kodi would be nice.
Whiteboard: (none) => MGA5-64-OK
Kodi works with the update
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK => MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0333.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/702553/