Date: Mon, 19 Sep 2016 10:34:47 -0400 From: Jeffrey Walton <noloader@...il.com> To: oss-security@...ts.openwall.com Subject: Fwd: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and down level remediation ---------- Forwarded message ---------- From: Jeffrey Walton <noloader@...il.com> Date: Mon, Sep 19, 2016 at 10:32 AM Subject: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and down level remediation To: <redacted; maintainers and distros> Hi Everyone, Crypto++ 5.6.5 will be released within a month or so to remediate the information disclosure from CVE-2016-742. Distros will need to patch Crypto++ 5.6.4 and below. The following provides more information and procedures we recommend for down level Crypto++. We re-engieered the "debugging and diagnostic" support area because documenting the behaviors did *not* reduce the risk; rather it simply moved the blame around. You can see the staged changes at https://github.com/weidai11/cryptopp/issues/277#issuecomment-247829210 . We believe the best course of action for a distor is to make the asserts inert in Crypto++ 5.6.4 and below because they are expected to be removed by NDEBUG. However and simple sed and 's|<exp>||g' won't work as expected. If you have any problems or questions, then please email me or call me. My cell number is <redacted>. My home number is <redacted>. Distros get special treatment because they are so important to the ecosystem. My apologies for the inconvenience and trouble this has caused. Jeff ********** To remediate CVE-2016-7420 in Crypto++ 5.6.4 and below, perform the following. 1. Crypto++ 5.6.2 and below (Crypto++ 5.6.4 and 5.6.3 has it, so skip this step). (a) Add CRYPTOPP_UNSED macro to config.h #define CRYPTOPP_UNSED(x) ((void)(x)) 2. Change every assert() to CRYPTOPP_UNUSED() (a) replace en masse (b) find with sed or grep and 'assert[[:space:]]*(' 3. Verify changes (a) cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert (b) should only see compile-time assert 4. Test changes (a) 'make clean && make -j 4' (b) './cryptest.exe v' 5. Update the package (a) rebuild the library and package it - all asserts rendered inert (b) rebuild all dependent packages - asserts in Crypto++ headers could cross-pollinate ********** Procedures performed on Crypto++ 5.6.2: # Prepare $ git clone https://github.com/weidai11/cryptopp cryptopp-assert $ cd cryptopp-assert $ git checkout CRYPTOPP_5_6_2 # Step 1 (Add) $ echo "#define CRYPTOPP_UNUSED(x) ((void)(x))" >> config.h # Step 2 (Replace) $ sed -i "" 's|assert[[:space:]]*(|CRYPTOPP_UNUSED(|g' *.h *.cpp # Step 3 (Verify) $ cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert #define CRYPTOPP_COMPILE_ASSERT(assertion) CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, __LINE__) #define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance) # Step 4 (Test) $ make clean && make -j 4 $ ./cryptest.exe v # Tail should report no failures # Step 5 (Repackage) ...
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.