[mcrypt/el5] CVE-2012-4409

Tom Callaway spot at fedoraproject.org
Fri Sep 7 16:52:32 UTC 2012


commit 9bbd3f1f2765617afe73f90dbf249cf0c75a24d9
Author: Tom Callaway <spot at fedoraproject.org>
Date:   Fri Sep 7 12:53:10 2012 -0400

    CVE-2012-4409

 mcrypt-2.6.8-manpage-typofixes.patch |   48 ++++++++++++++++++++++++++++++++++
 mcrypt-2.6.8-no-gaa.patch            |   14 ++++++++++
 mcrypt-CVE-2012-4409.patch           |   12 ++++++++
 mcrypt.spec                          |   37 +++++++++++++++++++++++++-
 4 files changed, 110 insertions(+), 1 deletions(-)
---
diff --git a/mcrypt-2.6.8-manpage-typofixes.patch b/mcrypt-2.6.8-manpage-typofixes.patch
new file mode 100644
index 0000000..77cc024
--- /dev/null
+++ b/mcrypt-2.6.8-manpage-typofixes.patch
@@ -0,0 +1,48 @@
+diff -up ./doc/mcrypt.1.typos ./doc/mcrypt.1
+--- ./doc/mcrypt.1.typos	2012-08-17 14:38:40.368769281 -0400
++++ ./doc/mcrypt.1	2012-08-17 14:39:17.862769844 -0400
+@@ -81,7 +81,7 @@ two blocks in CBC and CFB modes, but onl
+ Mcrypt uses a 32 bit CRC to check for errors in the encrypted files.
+ .PP
+ .B Extra security:
+-For the very paranoid, if mcrypt is executed with superuser priviledges it
++For the very paranoid, if mcrypt is executed with superuser privileges it
+ ensures that no important data (keys etc.) are written to disk, as swap etc.
+ Keep in mind that mcrypt was not designed to be a setuid program, so you
+ shouldn't make it one.
+@@ -165,11 +165,11 @@ license and quit.
+ .TP
+ .B \-o --keymode MODE
+ MODE may be one of the keymodes listed by the --list-keymodes parameter.
+-It actually is the convertion to the key before it is fed to the algorithm.
++It actually is the conversion to the key before it is fed to the algorithm.
+ It is recommended to leave it as is, if you do not know what it is.
+ However if you still want to use this option, you might want to
+ use the 'hex' mode which allows you to specify the key in hex
+-(and no convertion will by applied).
++(and no conversion will be applied).
+ .TP
+ .B \-h --hash HASH_ALGORITHM
+ HASH_ALGORITHM may be one of the algorithms listed by the --list-hash parameter.
+@@ -194,10 +194,10 @@ The security lies on the algorithm not o
+ default. This flag must also be specified when decrypting a bare encrypted 
+ file. 
+ When the bare flag is specified decryption and encryption are faster. This
+-may be usefull when using mcrypt to encrypt a link or something like that.
++may be useful when using mcrypt to encrypt a link or something like that.
+ .TP
+ .B --flush
+-Flushes the output (ciphertext or plaintext) immediately. Usefull if mcrypt
++Flushes the output (ciphertext or plaintext) immediately. Useful if mcrypt
+ is used with pipes.
+ .TP
+ .B --time
+@@ -205,7 +205,7 @@ Prints some timing information (encrypti
+ .TP
+ .B --nodelete
+ When this option is specified mcrypt does not delete the output file, even
+-if decryption failed. This is usefull if you want to decrypt a corrupted
++if decryption failed. This is useful if you want to decrypt a corrupted
+ file.
+ .TP
+ .B \-q --quiet
diff --git a/mcrypt-2.6.8-no-gaa.patch b/mcrypt-2.6.8-no-gaa.patch
new file mode 100644
index 0000000..85dd91c
--- /dev/null
+++ b/mcrypt-2.6.8-no-gaa.patch
@@ -0,0 +1,14 @@
+diff -up mcrypt-2.6.8/src/Makefile.in.no-gaa mcrypt-2.6.8/src/Makefile.in
+--- mcrypt-2.6.8/src/Makefile.in.no-gaa	2012-09-07 12:49:01.351522013 -0400
++++ mcrypt-2.6.8/src/Makefile.in	2012-09-07 12:49:06.163523470 -0400
+@@ -518,8 +518,8 @@ uninstall-am: uninstall-binPROGRAMS
+ 
+ gaaout.o: gaaout.c
+ 	$(CC) -o gaaout.o -c gaaout.c $(INCLUDES) $(CFLAGS) $(CPPFLAGS) -I. -I..
+-gaaout.c: mcrypt.gaa
+-	gaa -o gaaout.c -i gaa.h mcrypt.gaa
++# gaaout.c: mcrypt.gaa
++#	gaa -o gaaout.c -i gaa.h mcrypt.gaa
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+ # Otherwise a system limit (for SysV at least) may be exceeded.
+ .NOEXPORT:
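Review bot: The rule that regenerates gaaout.c from mcrypt.gaa is disabled without any explanation in Makefile.in itself, so the build now depends silently on the pre-generated gaaout.c shipped in the tarball. Any patch that edits mcrypt.gaa would no longer reach the compiled option parser; whether Patch2 (gaafix) in the spec does so is not visible here and is worth checking. I would put a line above the commented-out rule such as `# gaa is not available at build time; gaaout.c is used as shipped, so mcrypt.gaa changes must be mirrored there by hand`.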
diff --git a/mcrypt-CVE-2012-4409.patch b/mcrypt-CVE-2012-4409.patch
new file mode 100644
index 0000000..747f428
--- /dev/null
+++ b/mcrypt-CVE-2012-4409.patch
@@ -0,0 +1,12 @@
+diff -up mcrypt-2.6.8/src/extra.c.CVE-2012-4409 mcrypt-2.6.8/src/extra.c
+--- mcrypt-2.6.8/src/extra.c.CVE-2012-4409	2012-09-07 11:00:55.906870746 -0400
++++ mcrypt-2.6.8/src/extra.c	2012-09-07 11:00:27.967858365 -0400
+@@ -242,6 +242,8 @@ int check_file_head(FILE * fstream, char
+ 			if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
+ 				*salt_size = m_setbit(0, sflag, 0);
+ 				if (*salt_size > 0) {
++					if (*salt_size > sizeof(tmp_buf))
++						err_quit(_("Salt is too long\n"));
+ 					fread(tmp_buf, 1, *salt_size,
+ 					      fstream);
+ 					memmove(salt, tmp_buf, *salt_size);
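Review bot: The fread() result right after the new length check in check_file_head is still discarded, so a truncated input leaves part of tmp_buf unwritten and the memmove() then copies stale stack bytes into salt. Checking the count closes that: `if (fread(tmp_buf, 1, *salt_size, fstream) != (size_t)*salt_size)` followed by `err_quit(_("Unexpected end of file\n"));`. The added bound also only protects tmp_buf; salt is a caller-supplied buffer whose capacity is not visible in this hunk, so it should be confirmed to hold at least sizeof(tmp_buf) bytes. The function body starts and ends outside the hunk.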
diff --git a/mcrypt.spec b/mcrypt.spec
index 91eb2e8..21fb237 100644
--- a/mcrypt.spec
+++ b/mcrypt.spec
@@ -1,6 +1,6 @@
 Name:		mcrypt
 Version:	2.6.8
-Release:	1%{?dist}
+Release:	9%{?dist}
 License:	GPLv3+
 Group:		Applications/System
 Summary:	Replacement for crypt()
@@ -19,6 +19,14 @@ Patch2:		mcrypt-2.6.7-gaafix.patch
 # Upstream:
 # http://sourceforge.net/tracker/index.php?func=detail&aid=2075758&group_id=87941&atid=584895
 Patch3:		mcrypt-2.6.7-native-by-default.patch
+# Upstream: 
+# https://sourceforge.net/tracker/index.php?func=detail&aid=3559099&group_id=87941&atid=584893
+Patch4:		mcrypt-2.6.8-manpage-typofixes.patch
+# Fix for CVE-2012-4409
+# https://bugzilla.redhat.com/show_bug.cgi?id=855029
+Patch5:		mcrypt-CVE-2012-4409.patch
+# No gaa in Fedora
+Patch6:		mcrypt-2.6.8-no-gaa.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:	libmcrypt-devel, mhash-devel, gettext, zlib-devel
 
@@ -34,6 +42,9 @@ to encrypt files or data streams without having to be cryptographers.
 %patch1 -p1 -b .format_strings
 %patch2 -p1 -b .gaafix
 %patch3 -p1 -b .native_by_default
+%patch4 -p1 -b .typos
+%patch5 -p1 -b .CVE-2012-4409
+%patch6 -p1 -b .no-gaa
 
 %build
 %configure
@@ -55,6 +66,30 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/*
 
 %changelog
+* Fri Sep  7 2012 Tom Callaway <spot at fedoraproject.org> - 2.6.8-9
+- don't try to use gaa
+
+* Fri Sep  7 2012 Tom Callaway <spot at fedoraproject.org> - 2.6.8-8
+- apply fix for CVE-2012-4409 (thanks to Raphael Geissert)
+
+* Fri Aug 17 2012 Tom Callaway <spot at fedoraproject.org> - 2.6.8-7
+- fix typos in manpage
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
 * Mon Nov 24 2008 Tom "spot" Callaway <tcallawa at redhat.com> - 2.6.8-1
 - update to 2.6.8
 

