Debian Bug report logs - #692649
trousers: CVE-2012-0698

version graph

Package: trousers; Maintainer for trousers is Pierre Chifflier <pollux@debian.org>; Source for trousers is src:trousers.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 8 Nov 2012 07:09:01 UTC

Severity: grave

Tags: security

Found in version trousers/0.3.5-2

Fixed in versions trousers/0.3.9-1, trousers/0.3.5-2+squeeze1

Done: Pierre Chifflier <pollux@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#692649; Package trousers. (Thu, 08 Nov 2012 07:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Pierre Chifflier <pollux@debian.org>. (Thu, 08 Nov 2012 07:09:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: trousers: CVE-2012-0698
Date: Thu, 08 Nov 2012 08:03:35 +0100
Package: trousers
Severity: grave
Tags: security
Justification: user security hole

Please see here for details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0698

Cheers,
        Moritz



Marked as found in versions trousers/0.3.5-2. Request was from Pierre Chifflier <pollux@debian.org> to control@bugs.debian.org. (Thu, 08 Nov 2012 21:45:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#692649; Package trousers. (Thu, 08 Nov 2012 21:48:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Chifflier <pollux@debian.org>:
Extra info received and forwarded to list. (Thu, 08 Nov 2012 21:48:08 GMT) Full text and rfc822 format available.

Message #12 received at 692649@bugs.debian.org (full text, mbox):

From: Pierre Chifflier <pollux@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 692649@bugs.debian.org
Subject: Re: Bug#692649: trousers: CVE-2012-0698
Date: Thu, 8 Nov 2012 22:40:19 +0100
[Message part 1 (text/plain, inline)]
On Thu, Nov 08, 2012 at 08:03:35AM +0100, Moritz Muehlenhoff wrote:
> Package: trousers
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see here for details:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0698
> 
> Cheers,
>         Moritz
> 

Hi Moritz,

I have tested with the python script referenced in the sourceforge
ticket [1], and testing/unstable version is not affected.

Version in squeeze seems affected, so I have prepared an upload with the
fix from upstream [2]. I am attaching the diff to this email, can you
confirm me if it is fine, and if I can upload it ?

Regards,
Pierre


[1] http://sourceforge.net/tracker/index.php?func=detail&aid=3473554&group_id=126012&atid=704358
[2] http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786
[diff_trousers_0.3.5-2+squeeze1.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#692649; Package trousers. (Sat, 17 Nov 2012 14:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Sat, 17 Nov 2012 14:03:03 GMT) Full text and rfc822 format available.

Message #17 received at 692649@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Pierre Chifflier <pollux@debian.org>
Cc: team@security.debian.org, 692649@bugs.debian.org
Subject: Re: [Fwd: Bug#692649: trousers: CVE-2012-0698]
Date: Sat, 17 Nov 2012 15:00:04 +0100
[Message part 1 (text/plain, inline)]
On sam., 2012-11-17 at 11:30 +0100, Pierre Chifflier wrote:
> Hi Security Team,
> 
> I'm forwarding this email to ask for review on the correction for
> CVE-2012-0698 in stable (other versions are not affected).
> 
Hey,

is the fixed package robust against the python script and did you test
if it didn't break anything?

 This comment (https://bugzilla.redhat.com/show_bug.cgi?id=781648#c12)
from the redhat bug is a bit concerning, although I'm not sure to what
it's referring too.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#692649; Package trousers. (Sun, 18 Nov 2012 14:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Chifflier <pollux@debian.org>:
Extra info received and forwarded to list. (Sun, 18 Nov 2012 14:39:03 GMT) Full text and rfc822 format available.

Message #22 received at 692649@bugs.debian.org (full text, mbox):

From: Pierre Chifflier <pollux@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 692649@bugs.debian.org
Subject: Re: Bug#692649: [Fwd: Bug#692649: trousers: CVE-2012-0698]
Date: Sun, 18 Nov 2012 15:34:42 +0100
[Message part 1 (text/plain, inline)]
On Sat, Nov 17, 2012 at 03:00:04PM +0100, Yves-Alexis Perez wrote:
> On sam., 2012-11-17 at 11:30 +0100, Pierre Chifflier wrote:
> > Hi Security Team,
> > 
> > I'm forwarding this email to ask for review on the correction for
> > CVE-2012-0698 in stable (other versions are not affected).
> > 
> Hey,
> 
> is the fixed package robust against the python script and did you test
> if it didn't break anything?

Hi,

I've basically tested the package (running tpm_info), so far it seems
ok.
The server does not crash anymore on the python script.

> 
>  This comment (https://bugzilla.redhat.com/show_bug.cgi?id=781648#c12)
> from the redhat bug is a bit concerning, although I'm not sure to what
> it's referring too.
> 

That is the upstream fix I have included. I think the comments is
related to the fact that, while it does fix the crash from the python
script, there may be concerns from other possible functions affected by
the same problem. None seems to have happened since this fix, so I think
it's ok to include it in stable, and testing/sid have newer versions.

Regards,
Pierre
[signature.asc (application/pgp-signature, inline)]

Marked as fixed in versions trousers/0.3.9-1. Request was from Luca Falavigna <dktrkranz@debian.org> to control@bugs.debian.org. (Sun, 18 Nov 2012 16:45:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#692649; Package trousers. (Mon, 19 Nov 2012 20:42:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Mon, 19 Nov 2012 20:42:08 GMT) Full text and rfc822 format available.

Message #29 received at 692649@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: Pierre Chifflier <pollux@debian.org>
Cc: 692649@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#692649: [Fwd: Bug#692649: trousers: CVE-2012-0698]
Date: Mon, 19 Nov 2012 21:40:51 +0100
[Message part 1 (text/plain, inline)]
[please keep the team on CC:]

On lun., 2012-11-19 at 21:35 +0100, Pierre Chifflier wrote:
> On Sat, Nov 17, 2012 at 03:00:04PM +0100, Yves-Alexis Perez wrote:
> > On sam., 2012-11-17 at 11:30 +0100, Pierre Chifflier wrote:
> > > Hi Security Team,
> > > 
> > > I'm forwarding this email to ask for review on the correction for
> > > CVE-2012-0698 in stable (other versions are not affected).
> > > 
> > Hey,
> > 
> > is the fixed package robust against the python script and did you test
> > if it didn't break anything?
> 
> Hi,
> 
> I've basically tested the package (running tpm_info), so far it seems
> ok.
> The server does not crash anymore on the python script.

It'd have been nice to have a bit more assurance on the non-regression
part, but eh :)
> 

Please upload to security-master (don't forget to build with -sa and in
a clean squeeze chroot). I'll write a DSA and release after that.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Reply sent to Pierre Chifflier <pollux@debian.org>:
You have taken responsibility. (Tue, 27 Nov 2012 21:51:25 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 27 Nov 2012 21:51:25 GMT) Full text and rfc822 format available.

Message #34 received at 692649-close@bugs.debian.org (full text, mbox):

From: Pierre Chifflier <pollux@debian.org>
To: 692649-close@bugs.debian.org
Subject: Bug#692649: fixed in trousers 0.3.5-2+squeeze1
Date: Tue, 27 Nov 2012 21:47:05 +0000
Source: trousers
Source-Version: 0.3.5-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
trousers, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692649@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <pollux@debian.org> (supplier of updated trousers package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Nov 2012 22:08:58 +0100
Source: trousers
Binary: trousers trousers-dbg libtspi1 libtspi-dev
Architecture: source amd64
Version: 0.3.5-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Pierre Chifflier <pollux@debian.org>
Description: 
 libtspi-dev - open-source TCG Software Stack (development)
 libtspi1   - open-source TCG Software Stack (library)
 trousers   - open-source TCG Software Stack (daemon)
 trousers-dbg - open-source TCG Software Stack (debug)
Closes: 692649
Changes: 
 trousers (0.3.5-2+squeeze1) stable-security; urgency=high
 .
   * Fix crash when malformed packet is received (CVE-2012-0698)
     Closes: #692649
Checksums-Sha1: 
 fcfedfd2a6a114505836da7deb5e82eb55db4fac 1803 trousers_0.3.5-2+squeeze1.dsc
 8fee28572c4bc88f6e2bcd30a65b0788f93262c2 1335262 trousers_0.3.5.orig.tar.gz
 09197c5194b42421ac393c3fd5894d3b2811d007 21421 trousers_0.3.5-2+squeeze1.debian.tar.gz
 fc80a424e3c20c2c37f2df16ff7e9a38137a94b7 150482 trousers_0.3.5-2+squeeze1_amd64.deb
 8a2579f6ddbd9b4674253e1d41cd1c1becd3efa2 581460 trousers-dbg_0.3.5-2+squeeze1_amd64.deb
 b972bffa945b04842146f818866b7137049cd0c8 202954 libtspi1_0.3.5-2+squeeze1_amd64.deb
 3154881cda28495f680aeff8fbb5c9aa94dea8c3 660636 libtspi-dev_0.3.5-2+squeeze1_amd64.deb
Checksums-Sha256: 
 0c611f353db1b01ba6ea5726fae1b49d92dff5f86c4d9e3c6d46dd967d77bfc9 1803 trousers_0.3.5-2+squeeze1.dsc
 9145db73d7080e86f1a990db4735715ea5f1eae4d47a1d43f775747a7ca580ad 1335262 trousers_0.3.5.orig.tar.gz
 ec4829987a4986ca7cb7da21e39255c90554ca439ab297d3fe257575809c0337 21421 trousers_0.3.5-2+squeeze1.debian.tar.gz
 da30f05dee460f7d4653a7f14fb56f0f8ff2102d0ff143fb32e4c98cf8a007ce 150482 trousers_0.3.5-2+squeeze1_amd64.deb
 e2d964f9634838f5555458a692cde31a68d29a40528fc8eb46612ac790935930 581460 trousers-dbg_0.3.5-2+squeeze1_amd64.deb
 49b57a588a5501b2a4381fd69efb3387f218a4323f515e1663b1c62ce3ca8f94 202954 libtspi1_0.3.5-2+squeeze1_amd64.deb
 ca0b527a4272be8c9220634049e3f9a1cc17c810c88f7bccb7dbbd645406ecb7 660636 libtspi-dev_0.3.5-2+squeeze1_amd64.deb
Files: 
 079c130d72c78e77ad91c0724b6677a6 1803 admin optional trousers_0.3.5-2+squeeze1.dsc
 8655de35a98d2f2bde210d605fa60918 1335262 admin optional trousers_0.3.5.orig.tar.gz
 26fa3c6f5154b6462e4518d33f04f75e 21421 admin optional trousers_0.3.5-2+squeeze1.debian.tar.gz
 577efbb75d27707f54f932ef7a4c82c9 150482 admin optional trousers_0.3.5-2+squeeze1_amd64.deb
 abf01ff3659acbe4e0e8c362da95640e 581460 debug extra trousers-dbg_0.3.5-2+squeeze1_amd64.deb
 ba5aa0983d70bcf2af9f43dab62d02e4 202954 libs optional libtspi1_0.3.5-2+squeeze1_amd64.deb
 dc756b907e2b1547cf64977a9cd96557 660636 libdevel optional libtspi-dev_0.3.5-2+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQrp5SAAoJEMYaZNzxOTmY5ykP/0lrqNfsAg0bh4hto5MKGEHm
iIkgvErNUPs4fTm9IDHMny0fTPWGOwxIbr64LrvSdYk3t48peMaf6lKbrzjsxY9T
ofq2k+HCFp6Y455vN9cbUujis9gJwJrZ5+k3TlQFttVliV2laPQ5gnWam6cWTmoH
wSK95CKCZbgtCSbJda4/ehN1KaU4nPLw6mXgjvjOkl2bFgELYeFuWUeo358+zPQP
zRhGH0iYpHJT46DKyscNtJqE2xJUDNm5chxslhe/aFO3VkwaGDi74LbG9dCoGt9p
tn/uE3II2zoqmTjPvPh7pOV0KHQMsGI1+59eAYQoLFuOXkv25F+KtgnOl8kheNUn
CMnBbnh4P+tKHcazAD30rliXuY8mKZ/G25sS2tbRl8b+X9geJbOdmA0ig8zJBRtn
5OkzFZgkocsov7Pq6FEXrtOfuQ2IPJzveZhKc4uP9yXU9hwMpk1cbb3jEAOu/8FZ
a26qTTssIoSDti/YME/FkyIAMclpX3jcnpf0KttyV8cB+IFLG0uxen9NTbTT4GZQ
JYun3LmRVJ8gmyM2FAOh15D8E6HgpUdglPfhb4dq8n6FiAqwatN4CkD/ogFJ9XGQ
jDYUf7GbbjrMyQzKes+g9UwJI2Y67lcoFGKVuwV3uCUVObDRALrcz2WZ2Vneu2L9
MIV8FgbXKr5VzcrpG1u1
=JXyO
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#692649; Package trousers. (Thu, 27 Dec 2012 20:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Thu, 27 Dec 2012 20:12:05 GMT) Full text and rfc822 format available.

Message #39 received at 692649@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Pierre Chifflier <pollux@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 692649@bugs.debian.org, jmw@debian.org
Subject: Re: Bug#692649: trousers: CVE-2012-0698
Date: Thu, 27 Dec 2012 21:11:20 +0100
On Thu, Nov 08, 2012 at 10:40:19PM +0100, Pierre Chifflier wrote:
> On Thu, Nov 08, 2012 at 08:03:35AM +0100, Moritz Muehlenhoff wrote:
> > Package: trousers
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Please see here for details:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0698
> > 
> > Cheers,
> >         Moritz
> > 
> 
> Hi Moritz,
> 
> I have tested with the python script referenced in the sourceforge
> ticket [1], and testing/unstable version is not affected.
> 
> Version in squeeze seems affected, so I have prepared an upload with the
> fix from upstream [2]. I am attaching the diff to this email, can you
> confirm me if it is fine, and if I can upload it ?

Sorry for the late reply. This seems to have fallen through the cracks
and I'm currently catching up with old mail.

I think this doesn't warrant a DSA, but could you fix this through
a stable point update?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

(Adding Jonathan, the stable point update security coordinator to CC)

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#692649; Package trousers. (Fri, 28 Dec 2012 16:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Chifflier <pollux@debian.org>:
Extra info received and forwarded to list. (Fri, 28 Dec 2012 16:15:03 GMT) Full text and rfc822 format available.

Message #44 received at 692649@bugs.debian.org (full text, mbox):

From: Pierre Chifflier <pollux@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 692649@bugs.debian.org
Subject: Re: Bug#692649: trousers: CVE-2012-0698
Date: Fri, 28 Dec 2012 17:03:25 +0100
> 
> Sorry for the late reply. This seems to have fallen through the cracks
> and I'm currently catching up with old mail.
> 
> I think this doesn't warrant a DSA, but could you fix this through
> a stable point update?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> 
> (Adding Jonathan, the stable point update security coordinator to CC)
> 

Hi Moritz,

This CVE (CVE-2012-0698) has already been closed by an upload on
November 27th, acked by Yves-Alexis Perez (see [1] for history), so
trousers is now fixed for all versions in Debian.

Cheers,
Pierre

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692649



Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#692649; Package trousers. (Fri, 28 Dec 2012 18:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Fri, 28 Dec 2012 18:39:03 GMT) Full text and rfc822 format available.

Message #49 received at 692649@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Pierre Chifflier <pollux@debian.org>
Cc: 692649@bugs.debian.org
Subject: Re: Bug#692649: trousers: CVE-2012-0698
Date: Fri, 28 Dec 2012 19:36:39 +0100
On Fri, Dec 28, 2012 at 05:03:25PM +0100, Pierre Chifflier wrote:
> > 
> > Sorry for the late reply. This seems to have fallen through the cracks
> > and I'm currently catching up with old mail.
> > 
> > I think this doesn't warrant a DSA, but could you fix this through
> > a stable point update?
> > http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> > 
> > (Adding Jonathan, the stable point update security coordinator to CC)
> > 
> 
> Hi Moritz,
> 
> This CVE (CVE-2012-0698) has already been closed by an upload on
> November 27th, acked by Yves-Alexis Perez (see [1] for history), so
> trousers is now fixed for all versions in Debian.

Indeed, it's fixed, but the tracker data was wrong. Now corrected.
 
Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:28:11 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:14:15 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.