Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 19 Sep 2016 10:34:47 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and down
 level remediation

---------- Forwarded message ----------
From: Jeffrey Walton <noloader@...il.com>
Date: Mon, Sep 19, 2016 at 10:32 AM
Subject: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and
down level remediation
To: <redacted; maintainers and distros>

Hi Everyone,

Crypto++ 5.6.5 will be released within a month or so to remediate the
information disclosure from CVE-2016-742. Distros will need to patch
Crypto++ 5.6.4 and below. The following provides more information and
procedures we recommend for down level Crypto++.

We re-engieered the "debugging and diagnostic" support area because
documenting the behaviors did *not* reduce the risk; rather it simply
moved the blame around. You can see the staged changes at
https://github.com/weidai11/cryptopp/issues/277#issuecomment-247829210
.

We believe the best course of action for a distor is to make the
asserts inert in Crypto++ 5.6.4 and below because they are expected to
be removed by NDEBUG. However and simple sed and 's|<exp>||g' won't
work as expected.

If you have any problems or questions, then please email me or call
me. My cell number is <redacted>. My home number is
<redacted>. Distros get special treatment because they are so
important to the ecosystem.

My apologies for the inconvenience and trouble this has caused.

Jeff

**********

To remediate CVE-2016-7420 in Crypto++ 5.6.4 and below, perform the following.

1. Crypto++ 5.6.2 and below (Crypto++ 5.6.4 and 5.6.3 has it, so skip
this step).

    (a) Add CRYPTOPP_UNSED macro to config.h

     #define CRYPTOPP_UNSED(x) ((void)(x))

2. Change every assert() to CRYPTOPP_UNUSED()

    (a) replace en masse
    (b) find with sed or grep and 'assert[[:space:]]*('

3. Verify changes

    (a) cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
    (b) should only see compile-time assert

4. Test changes

    (a) 'make clean && make -j 4'
    (b) './cryptest.exe v'

5. Update the package

    (a) rebuild the library and package it
          - all asserts rendered inert
    (b) rebuild all dependent packages
          - asserts in Crypto++ headers could cross-pollinate

**********

Procedures performed on Crypto++ 5.6.2:

# Prepare
$ git clone https://github.com/weidai11/cryptopp cryptopp-assert
$ cd cryptopp-assert
$ git checkout CRYPTOPP_5_6_2

# Step 1 (Add)
$ echo "#define CRYPTOPP_UNUSED(x) ((void)(x))" >> config.h

# Step 2 (Replace)
$ sed -i "" 's|assert[[:space:]]*(|CRYPTOPP_UNUSED(|g' *.h *.cpp

# Step 3 (Verify)
$ cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
#define CRYPTOPP_COMPILE_ASSERT(assertion)
CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, __LINE__)
#define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance)

# Step 4 (Test)
$ make clean && make -j 4
$ ./cryptest.exe v   # Tail should report no failures

# Step 5 (Repackage)
...

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.