Fwd: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and down level remediation


Jeffrey Walton

Sep 19, 2016, 12:04:49 PM
to Crypto++ Users List
FYI... We sent this to oss-security, various security teams and our
maintainers.

---------- Forwarded message ----------
From: Jeffrey Walton <nolo...@gmail.com>
Date: Mon, Sep 19, 2016 at 10:32 AM
Subject: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and
down level remediation
To: <redacted>

Hi Everyone,

Crypto++ 5.6.5 will be released within a month or so to remediate the
information disclosure from CVE-2016-7420. Distros will need to patch
Crypto++ 5.6.4 and below. The following provides more information and
procedures we recommend for down level Crypto++.

We re-engineered the "debugging and diagnostic" support area because
documenting the behaviors did *not* reduce the risk; rather it simply
moved the blame around. You can see the staged changes at
https://github.com/weidai11/cryptopp/issues/277#issuecomment-247829210.

We believe the best course of action for a distro is to render the
asserts inert in Crypto++ 5.6.4 and below because they are expected to
be removed by NDEBUG. However a simple sed and 's|<exp>||g' won't
work as expected.

If you have any problems or questions, then please email me or call
me. My cell number is <redacted>. My home number is
<redacted>. Distros get special treatment because they are so
important to the ecosystem.

My apologies for the inconvenience and trouble this has caused.

Jeff

**********

To remediate CVE-2016-7420 in Crypto++ 5.6.4 and below, perform the following.

1. Crypto++ 5.6.2 and below (Crypto++ 5.6.4 and 5.6.3 have it, so skip
this step).

(a) Add CRYPTOPP_UNUSED macro to config.h

#define CRYPTOPP_UNUSED(x) ((void)(x))

2. Change every assert() to CRYPTOPP_UNUSED()

(a) replace en masse
(b) find with sed or grep and 'assert[[:space:]]*('

3. Verify changes

(a) cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
(b) should only see compile-time assert

4. Test changes

(a) 'make clean && make -j 4'
(b) './cryptest.exe v'

5. Update the package

(a) rebuild the library and package it
- all asserts rendered inert
(b) rebuild all dependent packages
- asserts in Crypto++ headers could cross-pollinate

**********

Procedures performed on Crypto++ 5.6.2:

# Prepare
$ git clone https://github.com/weidai11/cryptopp cryptopp-assert
$ cd cryptopp-assert
$ git checkout CRYPTOPP_5_6_2

# Step 1 (Add)
$ echo "#define CRYPTOPP_UNUSED(x) ((void)(x))" >> config.h

# Step 2 (Replace)
$ sed -i "" 's|assert[[:space:]]*(|CRYPTOPP_UNUSED(|g' *.h *.cpp

# Step 3 (Verify)
$ cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
#define CRYPTOPP_COMPILE_ASSERT(assertion)
CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, __LINE__)
#define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance)

# Step 4 (Test)
$ make clean && make -j 4
$ ./cryptest.exe v # Tail should report no failures

# Step 5 (Repackage)
...
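
Steps 1 to 3 above, run against a small throwaway source tree, as an added example that is not part of the original post or the Crypto++ project. The sample files, the function names and the extra count_runtime_asserts check are assumptions made for illustration; the substitution is written through a temporary file so it runs under both GNU and BSD sed.

```shell
#!/bin/sh
# Added example: steps 1-3 applied to constructed sample sources (not Crypto++ code).

# Build a throwaway tree with runtime asserts, a comment and a compile-time assert.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#include <cassert>' \
        '#define CRYPTOPP_COMPILE_ASSERT(assertion)' > "$dir/config.h"
    printf '%s\n' '#include "config.h"' \
        '// assert(documented) in a comment' \
        'void f(int n, const char *p) {' \
        '    assert(p != 0);' \
        '    assert (n > 0);' \
        '}' > "$dir/sample.cpp"
    echo "$dir"
}

# Step 1: add the macro (only needed for 5.6.2 and below).
add_unused_macro() {
    echo '#define CRYPTOPP_UNUSED(x) ((void)(x))' >> "$1/config.h"
}

# Step 2: same substitution as the post, written through a temp file because
# the in-place flag differs between GNU sed (-i) and BSD sed (-i "").
neutralize_asserts() {
    for f in "$1"/*.h "$1"/*.cpp; do
        [ -f "$f" ] || continue
        sed 's|assert[[:space:]]*(|CRYPTOPP_UNUSED(|g' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Step 3: the post's filter; only compile-time assert lines should remain.
remaining_asserts() {
    cat "$1"/*.h "$1"/*.cpp | grep -E -v '(<|>|//)' | grep assert || true
}

# Extra check (an assumption, not in the post): count lines that still call
# assert( without the filter, so lines containing <, > or // are also covered.
count_runtime_asserts() {
    cat "$1"/*.h "$1"/*.cpp | grep -c -E '(^|[^A-Za-z0-9_])assert[[:space:]]*\(' || true
}

d=$(make_sample_tree)
echo "assert( lines before: $(count_runtime_asserts "$d")"
add_unused_macro "$d"
neutralize_asserts "$d"
echo "assert( lines after:  $(count_runtime_asserts "$d")"
remaining_asserts "$d"
rm -rf "$d"
```
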