[mcrypt/el6] CVE-2012-4409
Tom Callaway
spot at fedoraproject.org
Fri Sep 7 16:51:35 UTC 2012
commit 98ee7dbce8caea95b9384c546298c80f29af425e
Author: Tom Callaway <spot at fedoraproject.org>
Date: Fri Sep 7 12:52:08 2012 -0400
CVE-2012-4409
mcrypt-2.6.8-manpage-typofixes.patch | 48 ++++++++++++++++++++++++++++++++++
mcrypt-2.6.8-no-gaa.patch | 14 ++++++++++
mcrypt-CVE-2012-4409.patch | 12 ++++++++
mcrypt.spec | 31 +++++++++++++++++++++-
4 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/mcrypt-2.6.8-manpage-typofixes.patch b/mcrypt-2.6.8-manpage-typofixes.patch
new file mode 100644
index 0000000..77cc024
--- /dev/null
+++ b/mcrypt-2.6.8-manpage-typofixes.patch
@@ -0,0 +1,48 @@
+diff -up ./doc/mcrypt.1.typos ./doc/mcrypt.1
+--- ./doc/mcrypt.1.typos 2012-08-17 14:38:40.368769281 -0400
++++ ./doc/mcrypt.1 2012-08-17 14:39:17.862769844 -0400
+@@ -81,7 +81,7 @@ two blocks in CBC and CFB modes, but onl
+ Mcrypt uses a 32 bit CRC to check for errors in the encrypted files.
+ .PP
+ .B Extra security:
+-For the very paranoid, if mcrypt is executed with superuser priviledges it
++For the very paranoid, if mcrypt is executed with superuser privileges it
+ ensures that no important data (keys etc.) are written to disk, as swap etc.
+ Keep in mind that mcrypt was not designed to be a setuid program, so you
+ shouldn't make it one.
+@@ -165,11 +165,11 @@ license and quit.
+ .TP
+ .B \-o --keymode MODE
+ MODE may be one of the keymodes listed by the --list-keymodes parameter.
+-It actually is the convertion to the key before it is fed to the algorithm.
++It actually is the conversion to the key before it is fed to the algorithm.
+ It is recommended to leave it as is, if you do not know what it is.
+ However if you still want to use this option, you might want to
+ use the 'hex' mode which allows you to specify the key in hex
+-(and no convertion will by applied).
++(and no conversion will be applied).
+ .TP
+ .B \-h --hash HASH_ALGORITHM
+ HASH_ALGORITHM may be one of the algorithms listed by the --list-hash parameter.
+@@ -194,10 +194,10 @@ The security lies on the algorithm not o
+ default. This flag must also be specified when decrypting a bare encrypted
+ file.
+ When the bare flag is specified decryption and encryption are faster. This
+-may be usefull when using mcrypt to encrypt a link or something like that.
++may be useful when using mcrypt to encrypt a link or something like that.
+ .TP
+ .B --flush
+-Flushes the output (ciphertext or plaintext) immediately. Usefull if mcrypt
++Flushes the output (ciphertext or plaintext) immediately. Useful if mcrypt
+ is used with pipes.
+ .TP
+ .B --time
+@@ -205,7 +205,7 @@ Prints some timing information (encrypti
+ .TP
+ .B --nodelete
+ When this option is specified mcrypt does not delete the output file, even
+-if decryption failed. This is usefull if you want to decrypt a corrupted
++if decryption failed. This is useful if you want to decrypt a corrupted
+ file.
+ .TP
+ .B \-q --quiet
diff --git a/mcrypt-2.6.8-no-gaa.patch b/mcrypt-2.6.8-no-gaa.patch
new file mode 100644
index 0000000..85dd91c
--- /dev/null
+++ b/mcrypt-2.6.8-no-gaa.patch
@@ -0,0 +1,14 @@
+diff -up mcrypt-2.6.8/src/Makefile.in.no-gaa mcrypt-2.6.8/src/Makefile.in
+--- mcrypt-2.6.8/src/Makefile.in.no-gaa 2012-09-07 12:49:01.351522013 -0400
++++ mcrypt-2.6.8/src/Makefile.in 2012-09-07 12:49:06.163523470 -0400
+@@ -518,8 +518,8 @@ uninstall-am: uninstall-binPROGRAMS
+
+ gaaout.o: gaaout.c
+ $(CC) -o gaaout.o -c gaaout.c $(INCLUDES) $(CFLAGS) $(CPPFLAGS) -I. -I..
+-gaaout.c: mcrypt.gaa
+- gaa -o gaaout.c -i gaa.h mcrypt.gaa
++# gaaout.c: mcrypt.gaa
++# gaa -o gaaout.c -i gaa.h mcrypt.gaa
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+ # Otherwise a system limit (for SysV at least) may be exceeded.
+ .NOEXPORT:
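Review bot: With the `gaaout.c: mcrypt.gaa` rule commented out, `gaaout.c` is never regenerated, so the build compiles whatever copy is already in the source tree (presumably the pre-generated one from the tarball) and later changes to `mcrypt.gaa` no longer reach the binary. The spec still applies `mcrypt-2.6.7-gaafix.patch`. Its contents are not visible here, but if it edits `mcrypt.gaa` it has to carry the same change in `gaaout.c`, which should be confirmed. A short comment above the disabled rule, such as `# gaa is not available at build time; use the existing gaaout.c`, would record why it is off.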
diff --git a/mcrypt-CVE-2012-4409.patch b/mcrypt-CVE-2012-4409.patch
new file mode 100644
index 0000000..747f428
--- /dev/null
+++ b/mcrypt-CVE-2012-4409.patch
@@ -0,0 +1,12 @@
+diff -up mcrypt-2.6.8/src/extra.c.CVE-2012-4409 mcrypt-2.6.8/src/extra.c
+--- mcrypt-2.6.8/src/extra.c.CVE-2012-4409 2012-09-07 11:00:55.906870746 -0400
++++ mcrypt-2.6.8/src/extra.c 2012-09-07 11:00:27.967858365 -0400
+@@ -242,6 +242,8 @@ int check_file_head(FILE * fstream, char
+ if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
+ *salt_size = m_setbit(0, sflag, 0);
+ if (*salt_size > 0) {
++ if (*salt_size > sizeof(tmp_buf))
++ err_quit(_("Salt is too long\n"));
+ fread(tmp_buf, 1, *salt_size,
+ fstream);
+ memmove(salt, tmp_buf, *salt_size);
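Review bot: The `fread` directly after the new bound check in `check_file_head` still has its return value ignored, so a truncated header leaves part of `tmp_buf` unfilled and `memmove` then copies `*salt_size` bytes of whatever the buffer held before into `salt`. Comparing the count closes that gap, for example `if (fread(tmp_buf, 1, *salt_size, fstream) != (size_t) *salt_size) err_quit(_("Unexpected end of file\n"));`. The new check also bounds the length only against `tmp_buf`, while `salt` is a caller-supplied buffer whose size is not visible in this hunk. The check is sufficient only if every caller passes at least `sizeof(tmp_buf)` bytes, which should be confirmed at the call sites. The function body starts and ends outside the hunk.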
diff --git a/mcrypt.spec b/mcrypt.spec
index d660913..21fb237 100644
--- a/mcrypt.spec
+++ b/mcrypt.spec
@@ -1,6 +1,6 @@
Name: mcrypt
Version: 2.6.8
-Release: 3%{?dist}
+Release: 9%{?dist}
License: GPLv3+
Group: Applications/System
Summary: Replacement for crypt()
@@ -19,6 +19,14 @@ Patch2: mcrypt-2.6.7-gaafix.patch
# Upstream:
# http://sourceforge.net/tracker/index.php?func=detail&aid=2075758&group_id=87941&atid=584895
Patch3: mcrypt-2.6.7-native-by-default.patch
+# Upstream:
+# https://sourceforge.net/tracker/index.php?func=detail&aid=3559099&group_id=87941&atid=584893
+Patch4: mcrypt-2.6.8-manpage-typofixes.patch
+# Fix for CVE-2012-4409
+# https://bugzilla.redhat.com/show_bug.cgi?id=855029
+Patch5: mcrypt-CVE-2012-4409.patch
+# No gaa in Fedora
+Patch6: mcrypt-2.6.8-no-gaa.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: libmcrypt-devel, mhash-devel, gettext, zlib-devel
@@ -34,6 +42,9 @@ to encrypt files or data streams without having to be cryptographers.
%patch1 -p1 -b .format_strings
%patch2 -p1 -b .gaafix
%patch3 -p1 -b .native_by_default
+%patch4 -p1 -b .typos
+%patch5 -p1 -b .CVE-2012-4409
+%patch6 -p1 -b .no-gaa
%build
%configure
@@ -55,6 +66,24 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/*
%changelog
+* Fri Sep 7 2012 Tom Callaway <spot at fedoraproject.org> - 2.6.8-9
+- don't try to use gaa
+
+* Fri Sep 7 2012 Tom Callaway <spot at fedoraproject.org> - 2.6.8-8
+- apply fix for CVE-2012-4409 (thanks to Raphael Geissert)
+
+* Fri Aug 17 2012 Tom Callaway <spot at fedoraproject.org> - 2.6.8-7
+- fix typos in manpage
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild