Date: Mon, 19 Sep 2016 10:34:47 -0400 From: Jeffrey Walton <noloader@...il.com> To: oss-security@...ts.openwall.com Subject: Fwd: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and down level remediation ---------- Forwarded message ---------- From: Jeffrey Walton <noloader@...il.com> Date: Mon, Sep 19, 2016 at 10:32 AM Subject: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and down level remediation To: <redacted; maintainers and distros> Hi Everyone, Crypto++ 5.6.5 will be released within a month or so to remediate the information disclosure from CVE-2016-742. Distros will need to patch Crypto++ 5.6.4 and below. The following provides more information and procedures we recommend for down level Crypto++. We re-engieered the "debugging and diagnostic" support area because documenting the behaviors did *not* reduce the risk; rather it simply moved the blame around. You can see the staged changes at https://github.com/weidai11/cryptopp/issues/277#issuecomment-247829210 . We believe the best course of action for a distor is to make the asserts inert in Crypto++ 5.6.4 and below because they are expected to be removed by NDEBUG. However and simple sed and 's|<exp>||g' won't work as expected. If you have any problems or questions, then please email me or call me. My cell number is <redacted>. My home number is <redacted>. Distros get special treatment because they are so important to the ecosystem. My apologies for the inconvenience and trouble this has caused. Jeff ********** To remediate CVE-2016-7420 in Crypto++ 5.6.4 and below, perform the following. 1. Crypto++ 5.6.2 and below (Crypto++ 5.6.4 and 5.6.3 has it, so skip this step). (a) Add CRYPTOPP_UNSED macro to config.h #define CRYPTOPP_UNSED(x) ((void)(x)) 2. Change every assert() to CRYPTOPP_UNUSED() (a) replace en masse (b) find with sed or grep and 'assert[[:space:]]*(' 3. Verify changes (a) cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert (b) should only see compile-time assert 4. Test changes (a) 'make clean && make -j 4' (b) './cryptest.exe v' 5. Update the package (a) rebuild the library and package it - all asserts rendered inert (b) rebuild all dependent packages - asserts in Crypto++ headers could cross-pollinate ********** Procedures performed on Crypto++ 5.6.2: # Prepare $ git clone https://github.com/weidai11/cryptopp cryptopp-assert $ cd cryptopp-assert $ git checkout CRYPTOPP_5_6_2 # Step 1 (Add) $ echo "#define CRYPTOPP_UNUSED(x) ((void)(x))" >> config.h # Step 2 (Replace) $ sed -i "" 's|assert[[:space:]]*(|CRYPTOPP_UNUSED(|g' *.h *.cpp # Step 3 (Verify) $ cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert #define CRYPTOPP_COMPILE_ASSERT(assertion) CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, __LINE__) #define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance) # Step 4 (Test) $ make clean && make -j 4 $ ./cryptest.exe v # Tail should report no failures # Step 5 (Repackage) ...
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ