Bug 20014 - botan new security issue CVE-2016-9132
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/710084/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on: 21528
Blocks:
Reported: 2016-12-23 17:40 CET by David Walser
Modified: 2017-09-01 23:11 CEST

See Also:
Source RPM: botan-1.10.12-3.mga6.src.rpm
CVE: CVE-2016-9132
Status comment:


Description David Walser 2016-12-23 17:40:05 CET
Fedora has issued an advisory on December 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z2Y3JLMTE3VIV4X5X6SXVZTJBDDLCS3D/

The issue is fixed upstream in 1.10.14.

Mageia 5 is also affected.
David Walser 2016-12-23 17:40:22 CET

Whiteboard: (none) => MGA5TOO

David Walser 2016-12-23 21:04:16 CET

URL: (none) => https://lwn.net/Vulnerabilities/710084/

Nicolas Lécureuil 2017-04-25 08:34:08 CEST

CVE: (none) => CVE-2016-9132
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CC: (none) => mageia

David Walser 2017-08-14 01:10:45 CEST

Depends on: (none) => 21528

Comment 1 Nicolas Lécureuil 2017-08-14 01:58:37 CEST
closing, all is fixed in bug #21528

*** This bug has been marked as a duplicate of bug 21528 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE

Comment 2 David Walser 2017-08-14 02:34:25 CEST
Let's use this bug for the Mageia 5 update.

botan-1.10.14-1.mga5
botan-devel-1.10.14-1.mga5
botan-doc-1.10.14-1.mga5
python2-botan-1.10.14-1.mga5

from botan-1.10.14-1.mga5.src.rpm

Status: RESOLVED => REOPENED
Resolution: DUPLICATE => (none)

Comment 3 David Walser 2017-08-27 15:03:26 CEST
Testing ideas in Bug 17737.

Advisory:
========================

Updated botan packages fix security vulnerabilities:

While decoding BER length fields, an integer overflow could occur. This could
occur while parsing untrusted inputs such as X.509 certificates. The overflow
does not seem to lead to any obviously exploitable condition, but exploitation
cannot be positively ruled out. Only 32-bit platforms are likely affected; to
cause an overflow on 64-bit the parsed data would have to be many gigabytes
(CVE-2016-9132).

Aleksandar Nikolic discovered that an error in the x509 parser of the Botan
crypto library could result in an out-of-bounds memory read, resulting in
denial of service or an information leak if processing a malformed certificate
(CVE-2017-2801).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2801
https://botan.randombit.net/security.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z2Y3JLMTE3VIV4X5X6SXVZTJBDDLCS3D/
https://www.debian.org/security/2017/dsa-3939
========================

Updated packages in core/updates_testing:
========================
botan-1.10.14-1.mga5
botan-devel-1.10.14-1.mga5
botan-doc-1.10.14-1.mga5
python2-botan-1.10.14-1.mga5

from botan-1.10.14-1.mga5.src.rpm

Assignee: shlomif => qa-bugs
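
The bug class named in the advisory in Comment 3 (integer overflow while decoding a BER length field), shown as an added example; this is not Botan's code and does not claim to reproduce where the actual flaw sat. Assumptions: `len32_t` stands in for a 32-bit `size_t`, the function names are hypothetical, and both byte strings are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t len32_t;   /* models a 32-bit size_t, even on a 64-bit host */

/* Constructed sample: long-form header declaring 0x0100000004 content octets. */
static const uint8_t WRAP[]  = {0x85, 0x01, 0x00, 0x00, 0x00, 0x04, 'A', 'B', 'C', 'D'};
/* Constructed sample: well-formed long-form header declaring 3 content octets. */
static const uint8_t VALID[] = {0x81, 0x03, 0x01, 0x02, 0x03};

/* Naive: accumulates length octets unchecked. Returns header size, 0 on error. */
size_t ber_len_naive(const uint8_t *p, size_t n, len32_t *out)
{
    if (n == 0) return 0;
    if ((p[0] & 0x80) == 0) { *out = p[0]; return 1; }   /* short form */
    size_t k = p[0] & 0x7F;                              /* long form: k octets */
    if (k == 0 || n - 1 < k) return 0;                   /* indefinite/truncated */
    len32_t v = 0;
    for (size_t i = 0; i < k; i++)
        v = (len32_t)((v << 8) | p[1 + i]);              /* top octet shifted out */
    *out = v;
    return 1 + k;
}

/* Checked: rejects lengths that overflow len32_t or exceed the bytes left. */
size_t ber_len_checked(const uint8_t *p, size_t n, len32_t *out)
{
    if (n == 0) return 0;
    size_t k = (p[0] & 0x80) ? (size_t)(p[0] & 0x7F) : 0;
    if ((p[0] & 0x80) && (k == 0 || n - 1 < k)) return 0;
    len32_t v = (p[0] & 0x80) ? 0 : p[0];
    for (size_t i = 0; i < k; i++) {
        if (v > (UINT32_MAX >> 8)) return 0;             /* shift would lose bits */
        v = (len32_t)((v << 8) | p[1 + i]);
    }
    if (v > n - 1 - k) return 0;                         /* content must fit input */
    *out = v;
    return 1 + k;
}

int main(void)
{
    len32_t a = 0, b = 0;
    size_t ha = ber_len_naive(WRAP, sizeof WRAP, &a);
    size_t hb = ber_len_checked(WRAP, sizeof WRAP, &b);
    printf("naive:   header=%zu length=%u\n", ha, (unsigned)a);
    printf("checked: header=%zu (0 means rejected)\n", hb);
    return 0;
}
```

The naive decoder accepts the wrapped header as a 4-octet value, which is why the advisory singles out 32-bit platforms; with a 64-bit length type the same wrap needs a declared length far beyond any realistic input.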

Comment 4 Herman Viaene 2017-08-28 14:25:51 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Ref bug 17737 for testing, first installed monotone.
Then, taking from http://www.monotone.ca/docs/Tutorial.html#Tutorial
at CLI:
$ mtn db init --db=~/tester5.mtn
checked file created, in my home directory, then
$ strace -o botan.txt mtn  genkey tester5@mageia.test.test
enter passphrase for key ID [tester5@mageia.test.test] (...): 
confirm passphrase for key ID [tester5@mageia.test.test] (...): 
mtn: generating key-pair 'tester5@mageia.test.test'
mtn: storing key-pair tester5@mageia.test.test in '/home/tester5/.monotone/keys/'
mtn: storing public key tester5@mageia.test.test in ''
mtn: key 'tester5@mageia.test.test' has hash 'ca05331471a1c0eaea92c4476ce8470a55802743'
checked in trace file call on libbotan: OK
According to Claire's recommendation in bug 17737 this should be OK for testing.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-08-28 21:57:40 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith

Comment 5 PC LX 2017-08-30 01:15:31 CEST
Installed and tested without issues.

Did the same test as in Comment 4. The test used monotone to generate an RSA key.
Also tested using softhsm. The PKCS8 PEM key file was generated with openssl.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ mtn db init --db=~/tmp/test.mtn
$ ls tmp/test.mtn 
tmp/test.mtn
$ strace -o ~/tmp/botan.strace mtn genkey test-key
enter passphrase for key ID [test-key] (...): 
confirm passphrase for key ID [test-key] (...): 
mtn: generating key-pair 'test-key'
mtn: storing key-pair test-key in '/home/pclx/.monotone/keys/'
mtn: storing public key test-key in ''
mtn: key 'test-key' has hash 'cb41c7b438bc96a3bd99c20ed4879f36101d2365'
$ ls .monotone/keys/
test-key.cb41c7b438bc96a3bd99c20ed4879f36101d2365
$ grep botan tmp/botan.strace 
open("/lib64/libbotan-1.10.so.1", O_RDONLY|O_CLOEXEC) = 3
$ rpm -qf /lib64/libbotan-1.10.so.1
botan-1.10.14-1.mga5
$
$ #################################
$ # Now for the test using softhsm.
$ #################################
$
$ openssl genrsa -out ~/tmp/key.pri
Generating RSA private key, 2048 bit long modulus
................+++
....+++
e is 65537 (0x10001)
$ openssl pkcs8 -in ~/tmp/key.pri -nocrypt -topk8 > ~/tmp/key.pem
$ strace -o ~/tmp/botan.strace softhsm --init-token --slot 0 --label "slot 0" --pin 1234 --so-pin 1234
The token has been initialized.
$ strace -o ~/tmp/botan.strace softhsm --show-slots
Available slots:
Slot 0 
           Token present: yes
           Token initialized: yes
           User PIN initialized: yes
           Token label: slot 0                          
$ strace -o ~/tmp/botan.strace softhsm --import ~/tmp/key.pem --slot 0 --label "test 0" --id 0000 --pin 1234
The key pair has been imported to the token in slot 0.
$ grep botan tmp/botan.strace 
open("/lib64/libbotan-1.10.so.1", O_RDONLY|O_CLOEXEC) = 3

CC: (none) => mageia
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK

Lewis Smith 2017-08-30 08:28:26 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-09-01 23:11:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0321.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

