
Bug 258011

Summary: sci-misc/boinc: "RSA_public_decrypt()" Spoofing Vulnerability
Product: Gentoo Security
Reporter: Matti Bickel (RETIRED) <mabi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor
CC: scarabeus
Priority: High
Keywords: InVCS
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://boinc.berkeley.edu/trac/ticket/823
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Attachments (flags: none on all three):
  RSA_Spoofing_Vulnerability.patch
  New ebuild for boinc-6.4.5 with RSA patch
  /var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out

Description Matti Bickel (RETIRED) gentoo-dev 2009-02-07 12:13:50 UTC
From the redhat bug linked to from URL:

The Berkeley Open Infrastructure for Network Computing (BOINC) client software
incorrectly checked the result after calling the RSA_public_decrypt function,
allowing a malformed signature to be treated as a good signature rather
than as an error.  This issue affected the signature checks on RSA keys used
with SSL/TLS.

We are WAY behind upstream, and they released an updated version. Can you give us a new shiny BOINC?
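The description above says only that the result of RSA_public_decrypt() was checked incorrectly; neither this bug nor the linked ticket reproduces the BOINC code. What follows is an added example, not code from BOINC, OpenSSL, Gentoo or this bug, that models the class of mistake with a toy RSA implementation in Python. rsa_public_decrypt() copies OpenSSL's documented contract (number of recovered bytes, or -1 on error, with the output buffer left untouched on error); check_signature() reports a 1 / 0 / -1 verdict in the style of OpenSSL's verify routines; verify_vulnerable() shows one representative wrong check of that result (every non-zero value taken as success, so the -1 produced by a malformed signature is accepted) next to verify_fixed(). The 512-bit key, the SHA-256 digest, the sample payloads, the all-zero "malformed" signature and every function name are assumptions made for the demo, and the toy key generator is for the demo only.

```python
# Added example (not BOINC/OpenSSL code): the RSA_public_decrypt() result-check
# bug class.  Toy RSA + PKCS#1 v1.5 type-1 padding; demo-only key sizes.
import hashlib
import hmac
import random


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin, adequate for demo primes (assumption: never for real keys)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c, rng):
            return c


def make_keypair(bits=512, seed=823):
    """Deterministic toy key pair: returns ((n, e), (n, d))."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _modulus_bytes(key):
    return (key[0].bit_length() + 7) // 8


def digest_of(data):
    return hashlib.sha256(data).digest()  # assumption: SHA-256 as the signed digest


def rsa_sign(priv, digest):
    """RSA_private_encrypt(RSA_PKCS1_PADDING) equivalent: 00 01 FF..FF 00 || digest."""
    n, d = priv
    k = _modulus_bytes(priv)
    em = b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_public_decrypt(sig, to, pub):
    """OpenSSL contract for RSA_public_decrypt(..., RSA_PKCS1_PADDING): returns the
    recovered length, or -1 on error (input too large, value >= n, bad padding).
    `to` is written only on success."""
    n, e = pub
    k = _modulus_bytes(pub)
    if len(sig) > k:
        return -1
    s = int.from_bytes(sig, "big")
    if s >= n:
        return -1
    em = pow(s, e, n).to_bytes(k, "big")
    if em[0] != 0x00 or em[1] != 0x01:
        return -1
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= k or em[i] != 0x00:  # >= 8 pad bytes, then separator
        return -1
    data = em[i + 1:]
    to[:len(data)] = data
    return len(data)


def check_signature(pub, data, sig):
    """Decrypt-and-compare: 1 = good, 0 = well-formed but wrong digest,
    -1 = error (RSA_public_decrypt failed, i.e. a malformed signature)."""
    clear = bytearray(_modulus_bytes(pub))
    n = rsa_public_decrypt(sig, clear, pub)
    if n < 0:
        return -1
    expected = digest_of(data)
    if n != len(expected):  # recovered length must equal the digest length
        return 0
    return 1 if hmac.compare_digest(bytes(clear[:n]), expected) else 0


def verify_vulnerable(pub, data, sig):
    # BUG: any non-zero result counts as success, so the -1 error for a
    # malformed signature is accepted; only a genuine mismatch (0) is rejected.
    return check_signature(pub, data, sig) != 0


def verify_fixed(pub, data, sig):
    # Only the explicit success value is success; 0 and -1 both reject.
    return check_signature(pub, data, sig) == 1


def run_demo():
    """(fixed, vulnerable) verdicts for a valid, a wrong-message and a malformed signature."""
    pub, priv = make_keypair()
    data = b"constructed sample payload"  # constructed input
    good = rsa_sign(priv, digest_of(data))
    wrong = rsa_sign(priv, digest_of(b"some other payload"))
    malformed = bytes(_modulus_bytes(pub))  # all-zero: padding check fails -> -1
    return {name: (verify_fixed(pub, data, s), verify_vulnerable(pub, data, s))
            for name, s in (("good", good), ("wrong", wrong), ("malformed", malformed))}


if __name__ == "__main__":
    for name, (fixed, vuln) in run_demo().items():
        print(f"{name:9s} fixed={fixed} vulnerable={vuln}")
```

The point to carry back to real code: RSA_public_decrypt() signals failure with -1, not 0, and a verify routine built on it must treat anything other than "recovered exactly the digest length and the bytes match" as a rejection, never as a pass-through.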
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2009-02-07 12:15:52 UTC
Adjusting severity, setting to B4
Comment 2 Tomáš Chvátal (RETIRED) gentoo-dev 2009-02-08 21:57:07 UTC
OK guys, I would love to bump, but they didn't create the new version. I can patch the tree, or actually any of you can do it in the meantime; I am without a tree.
So the changeset is this:
http://boinc.berkeley.edu/trac/changeset/16883
Just create a patch and you will be fine, I guess.
Comment 3 Pierrot Rey 2009-02-14 05:55:11 UTC
Is it possible to make this patch? Thank you in advance.
Comment 4 Pierrot Rey 2009-02-15 07:50:33 UTC
Created attachment 182099
RSA_Spoofing_Vulnerability.patch
Comment 5 Pierrot Rey 2009-02-15 07:51:44 UTC
Created attachment 182100
New ebuild for boinc-6.4.5 with RSA patch
Comment 6 Pierrot Rey 2009-02-15 07:56:30 UTC
I created the patch and a new ebuild to implement it. I tested it and it's working for me. Calculate it!
Comment 7 Tomáš Chvátal (RETIRED) gentoo-dev 2009-02-16 19:47:40 UTC
Revision bumped with applied patch.
Removed affected version.
So it is really just up to you Security guys :P
Comment 8 Matti Bickel (RETIRED) gentoo-dev 2009-02-16 22:08:42 UTC
Thanks. I could have sworn that there was a stable boinc somewhere. But sources.g.o says otherwise.

Rerating ~4, then. As there was no previous version stable, security won't call for stable markings. All users will get your update anyway (seeing that you removed all other versions).

Either way, there's no glsa for this. Thanks for the swift reaction!
Comment 9 Martin Walch 2009-02-17 00:02:17 UTC
 * Applying 6.4.5-RSA_security.patch ...

 * Failed Patch: 6.4.5-RSA_security.patch !
 *  ( /usr/portage/sci-misc/boinc/files/6.4.5-RSA_security.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out
Comment 10 Martin Walch 2009-02-17 00:03:04 UTC
Created attachment 182292
/var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out
Comment 11 Matti Bickel (RETIRED) gentoo-dev 2009-02-17 04:53:07 UTC
Back to ebuild
Comment 12 Tomáš Chvátal (RETIRED) gentoo-dev 2009-02-17 16:40:12 UTC
I don't get why it did this, but now it should work ;]
Comment 13 Greg Trigg 2009-02-17 17:24:29 UTC
(In reply to comment #10)
> Created an attachment (id=182292)
> /var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out
> 
I ran into this as well.
Comment 14 Tomáš Chvátal (RETIRED) gentoo-dev 2009-02-17 17:29:48 UTC
(In reply to comment #13)
> (In reply to comment #10)
> > Created an attachment (id=182292)
> > /var/tmp/portage/sci-misc/boinc-6.4.5-r1/temp/6.4.5-RSA_security.patch-9434.out
> > 
> I ran into this as well.
> 

Wait for your mirror to catch up, and sync.
Comment 15 Matti Bickel (RETIRED) gentoo-dev 2009-02-18 10:45:43 UTC
Still no GLSA needed.
Comment 16 Martin Walch 2009-02-19 10:30:22 UTC
Yes, it's working now after sync about two hours ago.