On Tue, Oct 30, 2012 at 06:21:07PM +0100, Moritz Muehlenhoff wrote:
> On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
> > On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
> > > Please see the thread starting at
> > > http://www.openwall.com/lists/oss-security/2012/09/07/2
> > > for details.
> >
> > I've had a quick look at this bug to see if it can be fixed in Debian.
> > There are four patches referenced in the thread (I haven't verified if
> > there are more patches required):
> >
> > -
> > http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
> > 32 files changed, 182 insertions(+), 1166 deletions(-)
> > This change is huge and mainly seems to be equivalent to setting
> > SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
> > other changes in there which may be due to the removal of the
> > compatibility code.
> > This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
> > to manually fix it (attached is a version if anyone is interested).
> > -
> > http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
> > 31 files changed, 2975 insertions(+), 280 deletions(-)
> > Lots of changes in the tests but it also seems to contain some
> > cleanups related to the previous change, a change from lock_shm() to
> > XProcLock(), some moving of locks to /var/lock and a few other
> > changes.
> > -
> > http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
> > 23 files changed, 449 insertions(+), 99 deletions(-)
> > Includes a FAQ typo fix and the introduction of a lot of new code.
> > -
> > http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
> > 1 files changed, 3 insertions(+), 3 deletions(-)
> > Very small change in the Makefile which creates the lock directory.
> > Should not be relevant for Debian because subdirectories of /var/lock
> > should be created on the fly.
> >
> > The changes are huge and can probably not be easily backported to
> > Debian's 2.3.1. A few other options come to mind:
> > - see if upstream can provide patches for 2.3.1
> > - see if the necessary fixes can be made some other way
> > - upgrade to upstream 2.4.2
> > - remove from wheezy
> > (the only reverse dependency for opencryptoki seems to be tpm-tools)
> >
> > Anyway, I don't think I can do much more for this bug because I'm afraid
> > it will take a little more time than I have available at the moment. I
> > was having a look and I thought I would just add my notes to the bug log.
> >
> > Good luck with this bug! ;)
>
> Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
> outdated crypto toolkits without an active maintainer in the archive.
>
> CCing Pierre, the tpm-tools maintainer to see, whether tpm-tools
> is usable without opencryptoki or whether he's interested in adopting
> it himself.
>

Hi,

IMHO the best solution would be to upgrade opencryptoki, including
Wheezy. Trying to backport many patches will be complex to maintain and
will create a version that could be very different from upstream,
leading to bugs (on functionalities, and security).

tpm-tools can be compiled without opencryptoki, but this would disable
the pkcs#11 support and so lose some functionalities. Except for the
dependency in debian/control, there should not be any other changes to
be done.

Cheers,
Pierre