Debian has issued an advisory on August 12: https://www.debian.org/security/2017/dsa-3939

The issue is fixed upstream in 1.10.16: https://botan.randombit.net/security.html

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Blocks: (none) => 20014
pushed in updates_testing:

src.rpm:
botan-1.10.14-5.1.mga6
botan-1.10.12-1.1.mga5
CC: (none) => mageia
Thanks. The Mageia 5 package still needs a patch for CVE-2016-9132 as well (see Bug 20014).

Mageia 6 update:
botan-1.10.14-5.1.mga6
botan-devel-1.10.14-5.1.mga6
botan-doc-1.10.14-5.1.mga6
python2-botan-1.10.14-5.1.mga6
python3-botan-1.10.14-5.1.mga6

from botan-1.10.14-5.1.mga6.src.rpm
We need to update Cauldron to version 2.2.0 (because of OpenSSL 1.1.0 support).
I updated the mga5 version: botan-1.10.14-1.mga5
*** Bug 20014 has been marked as a duplicate of this bug. ***
Once Cauldron is ready we can move this to QA.
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => (none)
(In reply to David Walser from comment #6)
> Once Cauldron is ready we can move this to QA.

Is this bug still valid in Cauldron? I don't see version 2.2.0 of Botan there.
because it does not build :)
(In reply to Nicolas Lécureuil from comment #8)
> because it does not build :)

Why not? What is the error?
Testing ideas in Bug 17737.

Advisory:
========================

Updated botan packages fix security vulnerability:

Aleksandar Nikolic discovered that an error in the x509 parser of the Botan crypto library could result in an out-of-bounds memory read, resulting in denial of service or an information leak if processing a malformed certificate (CVE-2017-2801).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2801
https://botan.randombit.net/security.html
https://www.debian.org/security/2017/dsa-3939
========================

Updated packages in core/updates_testing:
========================

botan-1.10.14-5.1.mga6
botan-devel-1.10.14-5.1.mga6
botan-doc-1.10.14-5.1.mga6
python2-botan-1.10.14-5.1.mga6
python3-botan-1.10.14-5.1.mga6

from botan-1.10.14-5.1.mga6.src.rpm
Assignee: shlomif => qa-bugs
Having encountered this before shall have a go, referring to previous efforts. Testing will take some time.
CC: (none) => tarazed25
CVE-2017-2801

An example of a specially crafted x509 certificate is given at https://talosintelligence.com/vulnerability_reports/TALOS-2017-0294 which can trigger the vulnerability. The article then shows the ASAN output after a crash, but it is not certain that a crash would occur without the ASAN support. The test command is:

$ botan cert_info --ber cert1.der 2>&1 | asan_symbolize -d

This could be tried without the ASAN analysis if I could figure out how to shape this:

String 1: AA\x20\x00AAAAAAAAAA
String 2: AA\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20

into an X.509 certificate. Checking out X.509 on Wikipedia convinces me that this is so far beyond trivial that it is not worth pursuing. There are full examples of End-entity, Intermediate and Root certificates which bear no resemblance to the example above. You would need a degree in cryptography to understand this stuff. So, that is a dead end. We shall continue without the PoC.
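The bug class behind CVE-2017-2801 is a parser trusting a declared length and reading past its buffer. As an added example (not Botan's parser or anything from the Talos report), here is a bounds-checked DER TLV walker that rejects such input instead of over-reading; the DER bytes at the bottom are constructed for this example.

```python
# Added example, not Botan's parser: a DER TLV walker that checks every
# declared length against the bytes actually available (sample DER constructed).
class DERError(ValueError):
    pass

def read_tlv(buf, pos, end):
    """Parse one tag-length-value element in buf[pos:end]; returns (tag, value, next_pos).
    Every read is checked against `end`, so a bad length raises rather than over-reads."""
    if pos >= end:
        raise DERError("truncated input: missing tag byte")
    tag, pos = buf[pos], pos + 1
    if pos >= end:
        raise DERError("truncated input: missing length byte")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                       # short form: single length byte
        length = first
    else:                                  # long form: 0x8N followed by N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise DERError("indefinite or oversized length is not valid DER")
        if pos + nbytes > end:
            raise DERError("truncated input: long-form length overruns buffer")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if length > end - pos:                 # the bounds check an OOB-read bug lacks
        raise DERError(f"declared length {length} exceeds {end - pos} available bytes")
    return tag, buf[pos:pos + length], pos + length

def walk(buf, pos=0, end=None, depth=0):
    """Return [(depth, tag, length), ...], recursing into constructed types (bit 0x20)."""
    end = len(buf) if end is None else end
    found = []
    while pos < end:
        tag, value, nxt = read_tlv(buf, pos, end)
        found.append((depth, tag, len(value)))
        if tag & 0x20:                     # SEQUENCE, SET, ...: parse the children
            found.extend(walk(buf, nxt - len(value), nxt, depth + 1))
        pos = nxt
    return found

def is_well_formed(buf):
    """True if every element fits inside its parent; False on any length violation."""
    try:
        walk(buf)
        return True
    except DERError:
        return False

# Constructed samples: SEQUENCE { INTEGER 1 }, then the same bytes with the outer
# length forged to 16 while only 3 bytes follow, then an inner INTEGER overrunning its parent.
GOOD_DER = bytes.fromhex("3003020101")
OVERLONG_DER = bytes.fromhex("3010020101")
INNER_OVERRUN_DER = bytes.fromhex("3003020501")
```

Run against a real certificate (`walk(open("cert.der", "rb").read())`) it lists every nested element, and a fuzzed or truncated file yields a DERError rather than an out-of-bounds access.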
MGA6-32 on Asus A6000VM MATE

No installation issues.

Ref to testing in bug 20014 Comment 4 and Comment 7.

At CLI:

$ mtn db init --db=~/tester6.mtn
$ strace -o botan.txt mtn genkey tester6@mageia.test.test
enter passphrase for key ID [tester6@mageia.test.test] (...):
confirm passphrase for key ID [tester6@mageia.test.test] (...):
mtn: generating key-pair 'tester6@mageia.test.test'
mtn: storing key-pair tester6@mageia.test.test in '/home/tester6/.monotone/keys/'
mtn: storing public key tester6@mageia.test.test in ''
mtn: key 'tester6@mageia.test.test' has hash '4ffa3a73d570627303a502523dbecb60dc798a59'

The trace shows a call to libbotan, but the test with softhsm as referred to above stops me:

$ openssl genrsa -out key.pri
Generating RSA private key, 2048 bit long modulus
.................+++
....................................+++
e is 65537 (0x10001)
$ openssl pkcs8 -in key.pri -nocrypt -topk8 > key.pem
$ strace -o botan2.txt softhsm --init-token --slot 0 --label "slot 0" --pin 1234 --so-pin 1234
strace: Can't stat 'softhsm': No such file or directory
]$ soft<TAB>
softhsm2-dump-db softhsm2-dump-file softhsm2-keyconv softhsm2-migrate softhsm2-util

So what is needed here???
CC: (none) => herman.viaene
mga6 x86_64

Went about as far as Herman did but added another two users and set up the password shortcut for at least one of them. I would say it is good for 64-bits.

@Herman: you have probably done enough by showing at least one dependent package works. Thanks for trying softhsm. You should OK it.
Whiteboard: (none) => MGA6-32-OK
Advisoried. In the light of Len's Comment 14, am OKing this for x64; and validating.
Whiteboard: MGA6-32-OK => MGA6-32-OK advisory MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0327.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED