Bug 26955 - botan2 new security issue rhbz#1849743
Summary: botan2 new security issue rhbz#1849743
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: has_procedure mga7-64-ok
Keywords: advisory, validated_update
Depends on:
Reported: 2020-07-14 23:22 CEST by David Walser
Modified: 2020-08-01 01:28 CEST

See Also:
Source RPM: botan2-2.9.0-2.mga7.src.rpm
Status comment:


David Walser 2020-07-14 23:22:37 CEST

Status comment: (none) => Patch available from Fedora

Comment 1 David GEIGER 2020-07-15 11:04:29 CEST
Done for mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-07-15 17:40:29 CEST

Updated botan2 packages fix security vulnerability:

The CBC padding operations were not constant time and as a result would leak
the length of the plaintext values which were being padded to an attacker
running a side channel attack via shared resources such as cache or branch
predictor. No information about the contents was leaked, but the length alone
might be used to make inferences about the contents. This issue affects TLS CBC
ciphersuites as well as CBC encryption using PKCS7 or other similar padding
mechanisms. In all cases, the unpadding operations were already constant time
and are not affected (rhbz#1849743).


Updated packages in core/updates_testing:

from botan2-2.9.0-2.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Patch available from Fedora => (none)
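
The padding leak described in the advisory in Comment 2, shown as an added C++ illustration; it is not Botan's code and not part of this bug report. The function names are hypothetical, and `used` (the number of plaintext bytes in the final block) is the secret value: the first routine does work proportional to it, the second does the same work for every length.

```cpp
// Added illustration (not Botan's code): PKCS#7 padding of the final CBC block.
// `used` (bytes of plaintext in the last block, 0..bs-1) is the secret value.
#include <cstddef>
#include <cstdint>
#include <vector>

// Variable time: loop trip count and the addresses written depend on `used`.
void pad_pkcs7_leaky(std::vector<uint8_t>& block, size_t used) {
    const uint8_t pad = static_cast<uint8_t>(block.size() - used);
    for (size_t i = used; i < block.size(); ++i)
        block[i] = pad;
}

// All-ones byte when i >= used, zero otherwise, computed without a branch.
// Valid while both values are below 2^63, which holds for block offsets.
static inline uint8_t mask_gte(uint64_t i, uint64_t used) {
    return static_cast<uint8_t>(((i - used) >> 63) - 1);
}

// Fixed work: every byte of the block is read and written once, and the
// pad/data choice is a bitwise select rather than a branch on `used`.
void pad_pkcs7_fixed(std::vector<uint8_t>& block, size_t used) {
    const uint8_t pad = static_cast<uint8_t>(block.size() - used);
    for (size_t i = 0; i < block.size(); ++i) {
        const uint8_t m = mask_gte(i, used);
        block[i] = static_cast<uint8_t>((pad & m) | (block[i] & ~m));
    }
}

// Self-check: both routines must give identical blocks for every `used`.
bool padders_agree(size_t bs) {
    for (size_t used = 0; used < bs; ++used) {
        std::vector<uint8_t> a(bs, 0xAA), b(bs, 0xAA); // constructed sample data
        pad_pkcs7_leaky(a, used);
        pad_pkcs7_fixed(b, used);
        if (a != b) return false;
    }
    return true;
}

int main() {
    return padders_agree(16) ? 0 : 1; // exit status 0 when outputs match
}
```

An optimizing compiler can turn a masked select back into a branch, so a fix of this kind is normally confirmed against the generated code as well as the source.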

Comment 3 Herman Viaene 2020-07-24 15:03:58 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
No previous updates on this. MCC says "Botan is a BSD-licensed crypto library".
# urpmq --whatrequires botan2
Not much of a help
# urpmq --whatrequires-recursive botan2  
Lists then too many to choose from, things like okular, but then does one need an encrypted pdf. I'll keep looking for a while.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2020-07-24 16:01:21 CEST
Found sample pdf in https://uwaterloo.ca/onbase/help/sample-pdf-documents,
but $ strace -o botan.txt okular samplesecured_256bitaes_pdf.pdf
showed nothing botan in the trace.  Crying out of despair.

Comment 5 Len Lawrence 2020-07-24 20:25:03 CEST
Want to borrow my hankie?  Before updating I tried the secure and certified samples and saw exactly nothing in the traces, like you.

CC: (none) => tarazed25

Comment 6 claire robinson 2020-07-25 11:06:47 CEST
Tested OK mga7 64

$ urpmf botan2 | grep /usr/bin/

$ botan --help
Usage: botan <cmd> <cmd-options>
All commands support --verbose --help --output= --error-output= --rng-type= --drbg-seed=

Available commands:

   asn1print          Decode and print file with ASN.1 Basic Encoding Rules (BER)
   base64_dec         Decode Base64 encoded file
   base64_enc         Encode given file to Base64
   hex_dec            Hex decode a given file
   hex_enc            Hex encode a given file

$ echo "Test File" > test.txt
$ botan base64_enc test.txt > test64.txt
$ cat test64.txt

$ botan base64_dec test64.txt
Test File

$ python3
Python 3.7.6 (default, Jan 21 2020, 20:43:18) 
[GCC 8.3.1 20190524] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import botan2
>>> tester = botan2.RandomNumberGenerator()
>>> tested = tester.get(10)
>>> print ("Random number is {}".format(tested))
Random number is b'\x0cE\x0bLF\xc8x\x86\xa2\x9d'
>>> quit()

Checked botan2-doc with..
$ lynx /usr/share/doc/botan-2.9.0/manual/index.html

Whiteboard: (none) => has_procedure mga7-64-ok

Comment 7 Thomas Andrews 2020-07-25 15:08:07 CEST
Claire! Good to see you here!

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2020-07-31 10:54:33 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2020-08-01 01:28:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
