[release-22.05] botan2: Fix CVE-2022-43705

[mweinelt]

Backports security patches and regression tests. A complete fix would require an API change that is scheduled for the 3.0 release, which is out of scope.

GHSA-4v9w-qvcq-6q7w

Fixes: CVE-2022-43705

List of patches via https://security-tracker.debian.org/tracker/CVE-2022-43705

cc #204194

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[mweinelt]

Applying patches for the tests was kinda pointless, when we don't run them in the first place. And there seem to be unrelated failing ones as well.

[LeSuisse]

nixpkgs-review happy on x86_64.

Patches looks OK/appropriate.

Result of nixpkgs-review pr 204288 run on x86_64-linux 1

8 packages built:

• biboumi
• botan2
• corectrl
• kea
• keepassxc
• monotone
• rnp
• softhsm

Result of nixpkgs-review pr 204288 run on x86_64-linux 1

8 packages built:

• biboumi
• botan2
• corectrl
• kea
• keepassxc
• monotone
• rnp
• softhsm

[risicle]

If it's anything like unstable, enabling the tests was a simple matter of doCheck = true which we can easily run just for testing.

[mweinelt]

If it's anything like unstable, enabling the tests was a simple matter of doCheck = true which we can easily run just for testing.

I tried that and unrelated things failed. Let me prepare the diff between the two test runs though. All tests print their durations 😞

[mweinelt]

release-22.05

[...]
botan-aarch64-linux> OCSP request check w/o next_update w/o max_age ran 9 tests all ok
botan-aarch64-linux> OCSP request check w/o next_update with max_age ran 9 tests all ok
botan-aarch64-linux> OCSP request check with next_update w/o max_age ran 12 tests all ok
botan-aarch64-linux> OCSP request check with next_update with max_age ran 12 tests all ok
botan-aarch64-linux> OCSP request encoding ran 3 tests all ok
botan-aarch64-linux> OCSP request softfail check ran 3 tests all ok
botan-aarch64-linux> OCSP response certificate access ran 3 tests all ok
botan-aarch64-linux> OCSP response parsing ran 7 tests all ok
[...]
botan-aarch64-linux> Tests complete ran 2706551 tests in 15.93 sec 10 tests failed

this branch

[...]
botan-aarch64-linux> OCSP request check w/o next_update w/o max_age ran 9 tests all ok
botan-aarch64-linux> OCSP request check w/o next_update with max_age ran 9 tests all ok
botan-aarch64-linux> OCSP request check with next_update w/o max_age ran 12 tests all ok
botan-aarch64-linux> OCSP request check with next_update with max_age ran 12 tests all ok
botan-aarch64-linux> OCSP request encoding ran 3 tests all ok
botan-aarch64-linux> OCSP request softfail check ran 3 tests all ok
botan-aarch64-linux> OCSP response certificate access ran 3 tests all ok
botan-aarch64-linux> OCSP response parsing ran 7 tests all ok
[...]
botan-aarch64-linux> x509_path_with_ocsp:
botan-aarch64-linux> x509_path_with_ocsp ran 1 tests 1 FAILED
botan-aarch64-linux> Failure 1: Test error Error reading from src/tests/data/x509/ocsp/bdr-ocsp-resp.der
[...]
botan-aarch64-linux> Tests complete ran 2706542 tests in 17.21 sec 11 tests failed

Looks like we're missing an artifact.

[risicle]

Ok so the existing failures all seem to be Test error Fixed output RNG ran out of bytes, test bug?, which I'm not worried about.

A new test fails with Failure 1: Test error Error reading from src/tests/data/x509/ocsp/bdr-ocsp-resp.der ... so have we missed a file somewhere?

[mweinelt]

We patch it in via randombit/botan@c2faa88 but it's missing right now, still searching.

Oh no. It is a binary horror story! 🤡 I suddenly lost all interest in getting this test running.

cc #204320

[risicle]

I can do it...

[risicle]

(even if we don't commit it)

[mweinelt]

Feel free if you're bored. Looking at filterdiff right now to understand why we are in this pickle.

[risicle]

Yeah last I looked basically none of the patch tools work with binary sections except git, and we don't want fetchpatch to depend on git.

[risicle]

Ok, I've got the (new) tests passing, see my commit @ risicle@8752459 if anyone wants to try it.

Don't suggest you include the doCheck = true; because there are still 10 failing tests from before.

[risicle]

nixpkgs-review happy, macos 10.15, nixos x86_64 & aarch64-linux