Fwd: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and down level remediation

[Jeffrey Walton <noloader () gmail com>]

---------- Forwarded message ----------
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, Sep 19, 2016 at 10:32 AM
Subject: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and
down level remediation
To: <redacted; maintainers and distros>

Hi Everyone,

Crypto++ 5.6.5 will be released within a month or so to remediate the
information disclosure from CVE-2016-742. Distros will need to patch
Crypto++ 5.6.4 and below. The following provides more information and
procedures we recommend for down level Crypto++.

We re-engieered the "debugging and diagnostic" support area because
documenting the behaviors did *not* reduce the risk; rather it simply
moved the blame around. You can see the staged changes at
https://github.com/weidai11/cryptopp/issues/277#issuecomment-247829210
.

We believe the best course of action for a distor is to make the
asserts inert in Crypto++ 5.6.4 and below because they are expected to
be removed by NDEBUG. However and simple sed and 's|<exp>||g' won't
work as expected.

If you have any problems or questions, then please email me or call
me. My cell number is <redacted>. My home number is
<redacted>. Distros get special treatment because they are so
important to the ecosystem.

My apologies for the inconvenience and trouble this has caused.

Jeff

**********

To remediate CVE-2016-7420 in Crypto++ 5.6.4 and below, perform the following.

1. Crypto++ 5.6.2 and below (Crypto++ 5.6.4 and 5.6.3 has it, so skip
this step).

    (a) Add CRYPTOPP_UNSED macro to config.h

     #define CRYPTOPP_UNSED(x) ((void)(x))

2. Change every assert() to CRYPTOPP_UNUSED()

    (a) replace en masse
    (b) find with sed or grep and 'assert[[:space:]]*('

3. Verify changes

    (a) cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
    (b) should only see compile-time assert

4. Test changes

    (a) 'make clean && make -j 4'
    (b) './cryptest.exe v'

5. Update the package

    (a) rebuild the library and package it
          - all asserts rendered inert
    (b) rebuild all dependent packages
          - asserts in Crypto++ headers could cross-pollinate

**********

Procedures performed on Crypto++ 5.6.2:

# Prepare
$ git clone https://github.com/weidai11/cryptopp cryptopp-assert
$ cd cryptopp-assert
$ git checkout CRYPTOPP_5_6_2

# Step 1 (Add)
$ echo "#define CRYPTOPP_UNUSED(x) ((void)(x))" >> config.h

# Step 2 (Replace)
$ sed -i "" 's|assert[[:space:]]*(|CRYPTOPP_UNUSED(|g' *.h *.cpp

# Step 3 (Verify)
$ cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
#define CRYPTOPP_COMPILE_ASSERT(assertion)
CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, __LINE__)
#define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance)

# Step 4 (Test)
$ make clean && make -j 4
$ ./cryptest.exe v   # Tail should report no failures

# Step 5 (Repackage)
...