[Git][security-tracker-team/security-tracker][master] 2 commits: dla: claim phpseclib/php-phpseclib
Sylvain Beucler (@beuc)
beuc at debian.org
Fri Nov 4 16:28:58 GMT 2022
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
159ff561 by Sylvain Beucler at 2022-11-04T17:28:34+01:00
dla: claim phpseclib/php-phpseclib
- - - - -
02cd83d1 by Sylvain Beucler at 2022-11-04T17:28:36+01:00
CVE-2021-30130/phpseclib,php-phpseclib: attempt to clarify
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -113150,16 +113150,16 @@ CVE-2021-30131
RESERVED
CVE-2021-30130 (phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1. ...)
- phpseclib 1.0.19-3
- [stretch] - phpseclib <not-affected> (Only affects 3.x branch)
- php-phpseclib 2.0.30-2
- [stretch] - php-phpseclib <not-affected> (Only affects 3.x branch)
- php-phpseclib3 3.0.7-1
NOTE: https://github.com/phpseclib/phpseclib/pull/1635#issuecomment-826994890
NOTE: Introduced by: https://github.com/phpseclib/phpseclib/commit/cc32cd2e95b18a0c0118bbf1928327675c9e64a9 (v3.0 / RSA::SIGNATURE_RELAXED_PKCS1)
- NOTE: According to upstream, 1.x and 2.x are not vulnerable, the fix on these branches only backports more exhaustive PKCS#1 v1.5 support (functional change)
- NOTE: According to upstream, 1.x and 2.x have the problem described as "incompatibility issue in phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5
- NOTE: signature verification suffering from rejecting valid signatures whose encoded message uses implicit hash algorithm's NULL parameter." but
- NOTE: this is not considered as a security problem.
+ NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/05550b9c490bf342bce66de75d127d2f75c48bdd (1.0.20, 2.0.31, 3.0.7)
+ NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/42fc46e9a92c2ce5b10d2fbfb00b630417d6dfbe (3.0.7)
+ NOTE: According to upstream in #1635, "v2.0 does not have a vulnerability" (only non-security bugs).
+ NOTE: However, a lot of identical fixes were applied to all 1.x/2.x/3.x branches upstream.
+ NOTE: They were also backported in bullseye/testing in 1.x/2.x (claimed as a CVE-2021-30130 fix).
+ NOTE: Given the broad scope of this CVE description, let's assume that those fixes are needed in 1.x/2.x.
CVE-2021-30129 (A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to ...)
NOT-FOR-US: Apache Mina SSHD
CVE-2021-30128 (Apache OFBiz has unsafe deserialization prior to 17.12.07 version ...)
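Review bot: the final added NOTE ("let's assume that those fixes are needed in 1.x/2.x") contradicts the unchanged `[stretch] - phpseclib <not-affected> (Only affects 3.x branch)` and `[stretch] - php-phpseclib <not-affected> (Only affects 3.x branch)` lines a few lines above it; if buster's 1.x/2.x are to receive the CVE-2021-30130 fixes via DLA, the stretch rationale "Only affects 3.x branch" should be revisited or reworded in the same commit so the entry is internally consistent. Also, the removed NOTEs were the only place recording what the 1.x/2.x issue actually is (strict-mode PKCS#1 v1.5 verification rejecting valid signatures whose DigestInfo omits the hash algorithm's NULL parameter); the replacement "(only non-security bugs)" loses that detail, which is exactly what the DLA preparer needs to judge the backport, so consider keeping a one-line summary of it next to the "#1635" reference.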
=====================================
data/dla-needed.txt
=====================================
@@ -172,7 +172,7 @@ openexr
NOTE: 20220904: Programming language: C++.
NOTE: 20220904: Should be synced with Stretch. (apo)
--
-php-phpseclib
+php-phpseclib (Sylvain Beucler)
NOTE: 20220909: Programming language: PHP.
NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix..
--
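Review bot: the claim line is added, but the 20220909 NOTE still presents the question of whether 2.0 is affected as an open discussion, and it ends with a stray double period; since the accompanying data/CVE/list change settles on treating 2.x as needing the fixes, add a dated 20221104 NOTE stating that conclusion (and the upstream commit it relies on) so the dla-needed entry does not keep pointing at an unresolved thread.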
@@ -180,7 +180,7 @@ php7.3
NOTE: 20221031: Programming language: C.
NOTE: 20221031: CVE-2022-37454 is what is of most concern.
--
-phpseclib
+phpseclib (Sylvain Beucler)
NOTE: 20220909: Programming language: PHP.
NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix..
--
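Review bot: this entry is for the phpseclib source package, which per data/CVE/list is the 1.x branch (1.0.19-3), yet its 20220909 NOTE is a verbatim copy of the php-phpseclib note and talks about "whether 2.0 is in fact affected"; reword it for the 1.x branch (or state explicitly that the same reasoning is being applied to 1.x) and fix the trailing double period, otherwise a reader picking up the DLA will look for a 2.0 question that does not apply to this package.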
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/52f7600f1f4db8114a8d5f39f112447777df1423...02cd83d1d917dc5964440185226aa11e40058546