Version in base suite: 2.0.30-2+deb11u1 Base version: php-phpseclib_2.0.30-2+deb11u1 Target version: php-phpseclib_2.0.30-2+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-phpseclib/php-phpseclib_2.0.30-2+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-phpseclib/php-phpseclib_2.0.30-2+deb11u2.dsc /srv/release.debian.org/tmp/0WE_QhL3z2/php-phpseclib-2.0.30/debian/patches/0030-ASN1-limit-OID-length.patch |binary php-phpseclib-2.0.30/debian/changelog | 12 + php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch | 76 ++++++++++ php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch | 48 ++++++ php-phpseclib-2.0.30/debian/patches/0031-Tests-updates-for-phpseclib-2.0.patch | 22 ++ php-phpseclib-2.0.30/debian/patches/0032-BigInteger-phpseclib-2.0-updates.patch | 29 +++ php-phpseclib-2.0.30/debian/patches/0033-BigInteger-fix-getLength.patch | 31 ++++ php-phpseclib-2.0.30/debian/patches/series | 6 php-phpseclib-2.0.30/debian/source/include-binaries | 1 9 files changed, 225 insertions(+)
diff -Nru php-phpseclib-2.0.30/debian/changelog php-phpseclib-2.0.30/debian/changelog
--- php-phpseclib-2.0.30/debian/changelog 2023-12-31 14:36:22.000000000 +0000
+++ php-phpseclib-2.0.30/debian/changelog 2024-02-27 20:15:41.000000000 +0000
@@ -1,3 +1,15 @@
+php-phpseclib (2.0.30-2+deb11u2) bullseye; urgency=medium
+
+ * Backport upstream fixes
+ - BigInteger: put guardrails on isPrime() and randomPrime() [CVE-2024-27354]
+ - BigInteger: rm visibility modifiers from static variables
+ - ASN1: limit OID length [CVE-2024-27355]
+ - Tests: updates for phpseclib 2.0
+ - BigInteger: phpseclib 2.0 updates
+ - BigInteger: fix getLength()
+
+ -- David Prévot Tue, 27 Feb 2024 21:15:41 +0100
+
 php-phpseclib (2.0.30-2+deb11u1) bullseye-security; urgency=medium
 * Backport upstream SSH2 changes
diff -Nru php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
--- php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.30/debian/patches/0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch 2024-02-27 20:15:41.000000000 +0000
@@ -0,0 +1,76 @@
+From: terrafrost
+Date: Fri, 23 Feb 2024 08:57:22 -0600
+Subject: BigInteger: put guardrails on isPrime() and randomPrime()
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27354
+---
+ phpseclib/Math/BigInteger.php | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 9df0bf0..bbe7c86 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -729,6 +729,33 @@ class BigInteger
+ return $result;
+ }
+
++ /**
++ * Return the size of a BigInteger in bits
++ *
++ * @return int
++ */
++ function getLength()
++ {
++ if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++ return strlen($this->toBits());
++ }
++
++ $max = count($this->value) - 1;
++ return $max != -1 ?
++ $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++ 0;
++ }
++
++ /**
++ * Return the size of a BigInteger in bytes
++ *
++ * @return int
++ */
++ function getLengthInBytes()
++ {
++ return ceil($this->getLength() / 8);
++ }
++
+ /**
+ * Copy an object
+ *
+@@ -3237,6 +3264,11 @@ class BigInteger
+ $min = $temp;
+ }
+
++ $length = $max->getLength();
++ if ($length > 8196) {
++ user_error('Generation of random prime numbers larger than 8196 has been disabled');
++ }
++
+ static $one, $two;
+ if (!isset($one)) {
+ $one = new static(1);
+@@ -3344,7 +3376,14 @@ class BigInteger
+ */
+ function isPrime($t = false)
+ {
+- $length = strlen($this->toBytes());
++ $length = $this->getLength();
++ // OpenSSL limits RSA keys to 16384 bits. The length of an RSA key is equal to the length of the modulo, which is
++ // produced by multiplying the primes p and q by one another. 
The largest number two 8196 bit primes can produce is
++ // a 16384 bit number so, basically, 8196 bit primes are the largest OpenSSL will generate and if that's the largest
++ // that it'll generate it also stands to reason that that's the largest you'll be able to test primality on
++ if ($length > 8196) {
++ user_error('Primality testing is not supported for numbers larger than 8196 bits');
++ }
+
+ if (!$t) {
+ // see HAC 4.49 "Note (controlling the error probability)"
diff -Nru php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch
--- php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.30/debian/patches/0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch 2024-02-27 20:15:41.000000000 +0000
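Review bot: Both new guards (`$length > 8196` in randomPrime() and in isPrime()) only call user_error(), and nothing in the hunk stops execution afterwards, so under PHP's default handling of E_USER_NOTICE the oversized number is still generated or tested and the CVE-2024-27354 mitigation reduces to a log line; following the branch's usual pattern that would be `user_error('Primality testing is not supported for numbers larger than 8196 bits'); return false;` (and likewise in randomPrime()). Separately, the replaced line changed `$length` from a byte count (`strlen($this->toBytes())`) to a bit count (getLength() is documented above as bits), while the remainder of isPrime(), which lies outside the hunk, presumably still feeds `$length` into the HAC 4.49 round-count selection that follows the `if (!$t)` context line; if those thresholds were not rescaled, the default number of Miller-Rabin rounds is now picked as if the number were 8x larger, so keep the guard on `$this->getLength()` and leave the table's `$length` in bytes (e.g. via getLengthInBytes()), to be confirmed against the body below the hunk. The comment's arithmetic also does not hold — two 8196-bit primes yield a 16392-bit product, not 16384 — so it should either say 8192 or state that 8196 is a deliberately looser bound.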
@@ -0,0 +1,48 @@
+From: terrafrost
+Date: Fri, 23 Feb 2024 21:55:47 -0600
+Subject: BigInteger: rm visibility modifiers from static variables
+
+the non static variables don't have privacy modifiers so idk that
+the static ones ought to either. phpseclib 3.0 uses privacy
+modifiers but not the 2.0 branch
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/2124f399b430f67c3e51211a6e5db6dee8f2cec4
+---
+ phpseclib/Math/BigInteger.php | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index bbe7c86..9934323 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -163,23 +163,23 @@ class BigInteger
+ *
+ * @see __construct()
+ */
+- protected static $base;
+- protected static $baseFull;
+- protected static $maxDigit;
+- protected static $msb;
++ static $base;
++ static $baseFull;
++ static $maxDigit;
++ static $msb;
+
+ /**
+ * $max10 in greatest $max10Len satisfying
+ * $max10 = 10**$max10Len <= 2**$base.
+ */
+- protected static $max10;
++ static $max10;
+
+ /**
+ * $max10Len in greatest $max10Len satisfying
+ * $max10 = 10**$max10Len <= 2**$base.
+ */
+- protected static $max10Len;
+- protected static $maxDigit2;
++ static $max10Len;
++ static $maxDigit2;
+ /**#@-*/
+
+ /**
Binary files /srv/release.debian.org/tmp/LVM4irVQDZ/php-phpseclib-2.0.30/debian/patches/0030-ASN1-limit-OID-length.patch and /srv/release.debian.org/tmp/0WE_QhL3z2/php-phpseclib-2.0.30/debian/patches/0030-ASN1-limit-OID-length.patch differ
diff -Nru php-phpseclib-2.0.30/debian/patches/0031-Tests-updates-for-phpseclib-2.0.patch php-phpseclib-2.0.30/debian/patches/0031-Tests-updates-for-phpseclib-2.0.patch
--- php-phpseclib-2.0.30/debian/patches/0031-Tests-updates-for-phpseclib-2.0.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.30/debian/patches/0031-Tests-updates-for-phpseclib-2.0.patch 2024-02-27 20:15:41.000000000 +0000
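Review bot: Dropping `protected` makes `$base`, `$baseFull`, `$maxDigit`, `$msb`, `$max10`, `$max10Len` and `$maxDigit2` public, since an unmodified `static` property defaults to public in PHP, so values the constructor derives (per the `@see __construct()` line) become assignable from anywhere. That is consistent with the 2.0 branch convention the commit message cites, but the intent is no longer visible to readers or static analysis; a docblock line on the property group such as `@internal derived in __construct(); not meant to be assigned from outside the class` would preserve it (the group's opening `/**#@+` marker lies outside the hunk). Note that the CVE-2024-27355 fix in 0030-ASN1-limit-OID-length.patch is shipped as a binary file here and so cannot be reviewed from this debdiff.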
@@ -0,0 +1,22 @@
+From: terrafrost
+Date: Sat, 24 Feb 2024 13:26:33 -0600
+Subject: Tests: updates for phpseclib 2.0
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/0777e700b966b68287081cdb83e89834b846f84a
+---
+ tests/Unit/File/ASN1Test.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/Unit/File/ASN1Test.php b/tests/Unit/File/ASN1Test.php
+index 486809a..0d255a1 100644
+--- a/tests/Unit/File/ASN1Test.php
++++ b/tests/Unit/File/ASN1Test.php
+@@ -453,7 +453,7 @@ class Unit_File_ASN1Test extends PhpseclibTestCase
+ {
+ $cert = file_get_contents(dirname(__FILE__) . '/ASN1/mal-cert-02.der');
+
+- $asn1 = new File_ASN1();
++ $asn1 = new ASN1();
+ //$this->setExpectedException('PHPUnit_Framework_Error_Notice');
+ $decoded = $asn1->decodeBER($cert);
+ $this->assertFalse($decoded[0]);
diff -Nru php-phpseclib-2.0.30/debian/patches/0032-BigInteger-phpseclib-2.0-updates.patch php-phpseclib-2.0.30/debian/patches/0032-BigInteger-phpseclib-2.0-updates.patch
--- php-phpseclib-2.0.30/debian/patches/0032-BigInteger-phpseclib-2.0-updates.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.30/debian/patches/0032-BigInteger-phpseclib-2.0-updates.patch 2024-02-27 20:15:41.000000000 +0000
@@ -0,0 +1,29 @@
+From: terrafrost
+Date: Sat, 24 Feb 2024 13:29:02 -0600
+Subject: BigInteger: phpseclib 2.0 updates
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/2870c8fab3f132d2ed40a66c97a36fe5ab625698
+---
+ phpseclib/Math/BigInteger.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 9934323..3e650b6 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -736,13 +736,13 @@ class BigInteger
+ */
+ function getLength()
+ {
+- if (MATH_BIGINTEGER_MODE != MATH_BIGINTEGER_MODE_INTERNAL) {
++ if (MATH_BIGINTEGER_MODE != self::MODE_INTERNAL) {
+ return strlen($this->toBits());
+ }
+
+ $max = count($this->value) - 1;
+ return $max != -1 ?
+- $max * MATH_BIGINTEGER_BASE + ceil(log($a->value[$max] + 1, 2)) :
++ $max * self::$base + ceil(log($a->value[$max] + 1, 2)) :
+ 0;
+ }
+
diff -Nru php-phpseclib-2.0.30/debian/patches/0033-BigInteger-fix-getLength.patch php-phpseclib-2.0.30/debian/patches/0033-BigInteger-fix-getLength.patch
--- php-phpseclib-2.0.30/debian/patches/0033-BigInteger-fix-getLength.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.30/debian/patches/0033-BigInteger-fix-getLength.patch 2024-02-27 20:15:41.000000000 +0000
@@ -0,0 +1,31 @@
+From: terrafrost
+Date: Sat, 24 Feb 2024 14:15:49 -0600
+Subject: BigInteger: fix getLength()
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/c55b75199ec8d12cec6eadf6da99da4a3712fe56
+---
+ phpseclib/Math/BigInteger.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Math/BigInteger.php b/phpseclib/Math/BigInteger.php
+index 3e650b6..82e1029 100644
+--- a/phpseclib/Math/BigInteger.php
++++ b/phpseclib/Math/BigInteger.php
+@@ -742,7 +742,7 @@ class BigInteger
+
+ $max = count($this->value) - 1;
+ return $max != -1 ?
+- $max * self::$base + ceil(log($a->value[$max] + 1, 2)) :
++ $max * self::$base + intval(ceil(log($this->value[$max] + 1, 2))) :
+ 0;
+ }
+
+@@ -753,7 +753,7 @@ class BigInteger
+ */
+ function getLengthInBytes()
+ {
+- return ceil($this->getLength() / 8);
++ return (int) ceil($this->getLength() / 8);
+ }
+
+ /**
diff -Nru php-phpseclib-2.0.30/debian/patches/series php-phpseclib-2.0.30/debian/patches/series
--- php-phpseclib-2.0.30/debian/patches/series 2023-12-31 14:36:22.000000000 +0000
+++ php-phpseclib-2.0.30/debian/patches/series 2024-02-27 20:15:41.000000000 +0000
@@ -25,3 +25,9 @@
 0025-SSH2-add-support-for-RFC8308.patch
 0026-SSH2-implement-terrapin-attack-countermeasures.patch
 0027-phpcbf-run.patch
+0028-BigInteger-put-guardrails-on-isPrime-and-randomPrime.patch
+0029-BigInteger-rm-visibility-modifiers-from-static-varia.patch
+0030-ASN1-limit-OID-length.patch
+0031-Tests-updates-for-phpseclib-2.0.patch
+0032-BigInteger-phpseclib-2.0-updates.patch
+0033-BigInteger-fix-getLength.patch
diff -Nru php-phpseclib-2.0.30/debian/source/include-binaries php-phpseclib-2.0.30/debian/source/include-binaries
--- php-phpseclib-2.0.30/debian/source/include-binaries 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.30/debian/source/include-binaries 2024-02-27 20:15:41.000000000 +0000
@@ -0,0 +1 @@
+debian/patches/0030-ASN1-limit-OID-length.patch