Fedora has issued an advisory on December 22: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z2Y3JLMTE3VIV4X5X6SXVZTJBDDLCS3D/ The issue is fixed upstream in 1.10.14. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
URL: (none) => https://lwn.net/Vulnerabilities/710084/
CVE: (none) => CVE-2016-9132Whiteboard: MGA5TOO => (none)Version: Cauldron => 5CC: (none) => mageia
Depends on: (none) => 21528
closing, all is fixed in bug #21528 *** This bug has been marked as a duplicate of bug 21528 ***
Status: NEW => RESOLVEDResolution: (none) => DUPLICATE
Let's use this bug for the Mageia 5 update. botan-1.10.14-1.mga5 botan-devel-1.10.14-1.mga5 botan-doc-1.10.14-1.mga5 python2-botan-1.10.14-1.mga5 from botan-1.10.14-1.mga5.src.rpm
Status: RESOLVED => REOPENEDResolution: DUPLICATE => (none)
Testing ideas in Bug 17737. Advisory: ======================== Updated botan packages fix security vulnerabilities: While decoding BER length fields, an integer overflow could occur. This could occur while parsing untrusted inputs such as X.509 certificates. The overflow does not seem to lead to any obviously exploitable condition, but exploitation cannot be positively ruled out. Only 32-bit platforms are likely affected; to cause an overflow on 64-bit the parsed data would have to be many gigabytes (CVE-2016-9132). Aleksandar Nikolic discovered that an error in the x509 parser of the Botan crypto library could result in an out-of-bounds memory read, resulting in denial of service or an information leak if processing a malformed certificate (CVE-2017-2801). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9132 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2801 https://botan.randombit.net/security.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z2Y3JLMTE3VIV4X5X6SXVZTJBDDLCS3D/ https://www.debian.org/security/2017/dsa-3939 ======================== Updated packages in core/updates_testing: ======================== botan-1.10.14-1.mga5 botan-devel-1.10.14-1.mga5 botan-doc-1.10.14-1.mga5 python2-botan-1.10.14-1.mga5 from botan-1.10.14-1.mga5.src.rpm
Assignee: shlomif => qa-bugs
MGA5-32 on Asus A6000VM Xfce No installation issues. Ref bug 17737 for testing, first installed monotone. The taking from http://www.monotone.ca/docs/Tutorial.html#Tutorial at CLI: $ mtn db init --db=~/tester5.mtn checked file created, in my home directory, then $ strace -o botan.txt mtn genkey tester5@mageia.test.test enter passphrase for key ID [tester5@mageia.test.test] (...): confirm passphrase for key ID [tester5@mageia.test.test] (...): mtn: generating key-pair 'tester5@mageia.test.test' mtn: storing key-pair tester5@mageia.test.test in '/home/tester5/.monotone/keys/' mtn: storing public key tester5@mageia.test.test in '' mtn: key 'tester5@mageia.test.test' has hash 'ca05331471a1c0eaea92c4476ce8470a55802743' checked in trace file call on libbotan: OK According Claire's recommendation in bug 17737 this should be OK for testing.
Whiteboard: (none) => MGA5-32-OKCC: (none) => herman.viaene
Whiteboard: MGA5-32-OK => MGA5-32-OK advisoryCC: (none) => lewyssmith
Installed and tested without issues. Did the same test as in Comment 4. The test used monotone to generate a RSA key. Also tested using softhsm. The PKCS8 PEM key file was generated with openssl. System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver nvidia340. $ uname -a Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux $ mtn db init --db=~/tmp/test.mtn $ ls tmp/test.mtn tmp/test.mtn $ strace -o ~/tmp/botan.strace mtn genkey test-key enter passphrase for key ID [test-key] (...): confirm passphrase for key ID [test-key] (...): mtn: generating key-pair 'test-key' mtn: storing key-pair test-key in '/home/pclx/.monotone/keys/' mtn: storing public key test-key in '' mtn: key 'test-key' has hash 'cb41c7b438bc96a3bd99c20ed4879f36101d2365' $ ls .monotone/keys/ test-key.cb41c7b438bc96a3bd99c20ed4879f36101d2365 $ grep botan tmp/botan.strace open("/lib64/libbotan-1.10.so.1", O_RDONLY|O_CLOEXEC) = 3 $ rpm -qf /lib64/libbotan-1.10.so.1 botan-1.10.14-1.mga5 $ $ ################################# $ # Now for the test using softhsm. $ ################################# $ $ openssl genrsa -out ~/tmp/key.pri Generating RSA private key, 2048 bit long modulus ................+++ ....+++ e is 65537 (0x10001) $ openssl pkcs8 -in ~/tmp/key.pri -nocrypt -topk8 > ~/tmp/key.pem $ strace -o ~/tmp/botan.strace softhsm --init-token --slot 0 --label "slot 0" --pin 1234 --so-pin 1234 The token has been initialized. $ strace -o ~/tmp/botan.strace softhsm --show-slots Available slots: Slot 0 Token present: yes Token initialized: yes User PIN initialized: yes Token label: slot 0 $ strace -o ~/tmp/botan.strace softhsm --import ~/tmp/key.pem --slot 0 --label "test 0" --id 0000 --pin 1234 The key pair has been imported to the token in slot 0. $ grep botan tmp/botan.strace open("/lib64/libbotan-1.10.so.1", O_RDONLY|O_CLOEXEC) = 3
CC: (none) => mageiaWhiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0321.html
Status: REOPENED => RESOLVEDResolution: (none) => FIXED