Your message dated Mon, 22 Feb 2021 05:03:29 +0000
with message-id <e1le3nz-0007a0...@fasolo.debian.org>
and subject line Bug#983013: fixed in m2crypto 0.37.1-2
has caused the Debian Bug report #983013,
regarding m2crypto: autopkgtest needs update for new version of openssl: M2Crypto.RSA.RSAError: sslv3 rollback attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
983013: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983013
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: m2crypto
Version: 0.37.1-1
Severity: serious
X-Debbugs-CC: debian...@lists.debian.org, open...@packages.debian.org
Tags: sid bullseye
User: debian...@lists.debian.org
Usertags: needs-update
Control: affects -1 src:openssl

Dear maintainer(s),

With a recent upload of openssl the autopkgtest of m2crypto fails in
testing when that autopkgtest is run with the binary packages of openssl
from unstable. It passes when run with only packages from testing. In
tabular form:

                       pass            fail
openssl                from testing    1.1.1j-1
m2crypto               from testing    0.37.1-1
all others             from testing    from testing

I copied some of the output at the bottom of this report.  I *think*
this may be related to CVE-2020-25657 "bleichenbacher timing attacks in
the RSA decryption API" against m2crypto, hence I file this bug against
m2crypto.

Currently this regression is blocking the migration of openssl to
testing [1]. Of course, openssl shouldn't just break your autopkgtest
(or even worse, your package), but it seems to me that the change in
openssl was intended and your package needs to update to the new situation.

If this is a real problem in your package (and not only in your
autopkgtest), the right binary package(s) from openssl should really add
a versioned Breaks on the unfixed version of (one of your) package(s).
Note: the Breaks is nice even if the issue is only in the autopkgtest as
it helps the migration software to figure out the right versions to
combine in the tests.

More information about this bug and the reason for filing it can be found on
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation

Paul

[1] https://qa.debian.org/excuses.php?package=openssl

https://ci.debian.net/data/autopkgtest/testing/amd64/m/m2crypto/10541025/log.gz

=================================== FAILURES ===================================
_______________________ RSATestCase.test_public_encrypt ________________________

self = <tests.test_rsa.RSATestCase testMethod=test_public_encrypt>

    @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f,
                     'Relies on fix which happened only in OpenSSL 1.1.1c')
    def test_public_encrypt(self):
        priv = RSA.load_key(self.privkey)
        # pkcs1_padding, pkcs1_oaep_padding
        for padding in self.e_padding_ok:
            p = getattr(RSA, padding)
            ctxt = priv.public_encrypt(self.data, p)
            ptxt = priv.private_decrypt(ctxt, p)
            self.assertEqual(ptxt, self.data)

        # sslv23_padding
        ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
>       res = priv.private_decrypt(ctxt, RSA.sslv23_padding)

tests/test_rsa.py:129:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <M2Crypto.RSA.RSA object at 0x7f954bddabb0>
data = b'wf\xdc\xa5\xdf\xca\x95\xc7;\xa4\xdfEWUm/\xa1m\xd8\xa1\x14s&\x1bid\xf4c\\\xbcI\x90[<\x8dE\x89\x1f\xbf\xe9y=\xef\xa9z\...2\xb7\xaaO\x89\x88\xf7P\xee\x9f\xaf\x19B?\x1f\n\xe5\x18Q9\x186\x97gj\x0e)0mg@\xed\xe4~\xf3\xc4\xbe\x1dK#\x9f/\r"N%\x8d'
padding = 2

    def private_decrypt(self, data, padding):
        # type: (bytes, int) -> bytes
        assert self.check_key(), 'key is not initialised'
>       return m2.rsa_private_decrypt(self.rsa, data, padding)
E       M2Crypto.RSA.RSAError: sslv3 rollback attack

/usr/lib/python3/dist-packages/M2Crypto/RSA.py:82: RSAError



--- End Message ---
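The traceback above is an encrypt/decrypt round trip with `RSA.sslv23_padding` on both sides. As an added illustration (not code from m2crypto or OpenSSL), here is a pure-Python model of the padding layer alone: the SSLv23 encoder is PKCS#1 v1.5 type 2 padding whose last eight padding bytes are set to 0x03 to signal that the sender supports SSLv3 or later, and a decoder that works as the scheme intends treats that marker as evidence of a version rollback and rejects the block. Modelled that way, the same-side round trip can only fail with a rollback error, while a plain type 2 block still decodes; block size `k` and the message are constructed values.

```python
"""Model of OpenSSL's RSA_SSLV23_PADDING add/check rules (illustration only,
not m2crypto or OpenSSL code). Only the padding layer is modelled, on a
block of k bytes, i.e. the size of the RSA modulus; no RSA arithmetic."""
import secrets

ROLLBACK_MARKER = b"\x03" * 8   # "I speak SSLv3 or later" marker


class RollbackAttack(Exception):
    """Mirrors OpenSSL's RSA_R_SSLV3_ROLLBACK_ATTACK error."""


def _random_nonzero(n):
    # PKCS#1 v1.5 type 2 padding bytes must all be non-zero.
    return bytes(secrets.choice(range(1, 256)) for _ in range(n))


def pad_pkcs1_type2(msg, k):
    """Plain type 2 block: 00 02 <PS: no zeros, at least 8 bytes> 00 <msg>."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for block size")
    return b"\x00\x02" + _random_nonzero(ps_len) + b"\x00" + msg


def pad_sslv23(msg, k):
    """What RSA_padding_add_SSLv23 produces: a type 2 block whose last
    eight padding bytes are 0x03, i.e. the rollback marker is always set."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for block size")
    ps = _random_nonzero(ps_len - 8) + ROLLBACK_MARKER
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_sslv23(block):
    """What RSA_padding_check_SSLv23 is meant to do: type 2 unpadding plus
    rejection when the marker is present. A server decrypting with SSLv23
    rules only sees the marker if the client was rolled back to SSLv2."""
    if len(block) < 11 or block[0:2] != b"\x00\x02":
        raise ValueError("block type is not 02")
    sep = block.find(b"\x00", 2)          # zero byte ending the padding
    if sep == -1 or sep - 2 < 8:
        raise ValueError("bad padding")
    if block[sep - 8:sep] == ROLLBACK_MARKER:
        raise RollbackAttack("sslv3 rollback attack")
    return block[sep + 1:]
```

The failing test expected `unpad_sslv23(pad_sslv23(...))` to round-trip; under the intended semantics that pairing is the rollback case, which is why a check that enforces it breaks the test rather than the package.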
--- Begin Message ---
Source: m2crypto
Source-Version: 0.37.1-2
Done: Sandro Tosi <mo...@debian.org>

We believe that the bug you reported is fixed in the latest version of
m2crypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi <mo...@debian.org> (supplier of updated m2crypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sun, 21 Feb 2021 23:49:07 -0500
Source: m2crypto
Architecture: source
Version: 0.37.1-2
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi <mo...@debian.org>
Changed-By: Sandro Tosi <mo...@debian.org>
Closes: 979865 983013
Changes:
 m2crypto (0.37.1-2) unstable; urgency=medium
 .
   * debian/patches/MR262.patch
     - fix test failure with recent openssl; Closes: #983013
   * debian/rules
     - skip test_ssl.py during tests, more than 50% of its tests fail on an
       IPv6-only machine; Closes: #979865


--- End Message ---
