| Summary: | libcryptopp new security issue CVE-2016-9939 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, marja11, mhrambo3501, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/710210/ | | |
| Whiteboard: | has_procedure MGA5-32-OK advisory MGA5-64-OK | | |
| Source RPM: | libcryptopp-5.6.3-4.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2016-12-13 12:40:35 CET

David Walser
2016-12-13 12:40:54 CET
Whiteboard: (none) => MGA5TOO

Comment 1
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11

Comment 2
Found patches at https://github.com/weidai11/cryptopp/pull/347/files. Working on fixes for both cauldron and mga5.
CC: (none) => mrambo

Comment 3
Patched package has been uploaded for both Cauldron and MGA5.

Testing procedure https://bugs.mageia.org/show_bug.cgi?id=19381#c6

Advisory:
========================

Updated libcryptopp package fixes security vulnerability:

When Crypto++ library parses an ASN.1 data value, the library allocates for the content octets based on the length octets. Later, if there's too few or too little content octets, the library throws a BERDecodeErr exception. The memory for the content octets will be zeroized (even if unused), which could take a long time on a large allocation (CVE-2016-9939).

References:
http://www.openwall.com/lists/oss-security/2016/12/12/7
https://github.com/weidai11/cryptopp/issues/346
========================

Updated packages in core/updates_testing:
========================
lib64cryptopp6-5.6.3-1.3.mga5
lib64cryptopp-devel-5.6.3-1.3.mga5
libcryptopp-debuginfo-5.6.3-1.3.mga5
libcryptopp-progs-5.6.3-1.3.mga5

from libcryptopp-5.6.3-1.3.mga5.src.rpm
Version: Cauldron => 5

Comment 4
MGA5-32 on Acer D620 Xfce
Installation: the debuginfo package seems to be missing here.
All tests as per bug 19381 passed.
CC: (none) => herman.viaene

Comment 5
Debian has issued an advisory for this today (December 26):
https://lists.debian.org/debian-security-announce/2016/msg00332.html

The DSA will be posted here:
https://www.debian.org/security/2016/dsa-3748
URL: (none) => https://lwn.net/Vulnerabilities/710210/

Comment 6
Added advisory as per Comment 3, but unsure whether I should have included the 2 'references' URLs in comment 5.
CC: (none) => lewyssmith

Comment 7
Testing M5 64-bit real h/w
Updated existing pkgs to:
libcryptopp-progs-5.6.3-1.3.mga5
lib64cryptopp6-5.6.3-1.3.mga5

$ cryptest v > tmp/cryptest_v [the essential self-test, lots of output]
$ less tmp/cryptest_v [to easily scan/search the output]
Lots of "passed"; many "Failed tests = 0"; no other fail|FAIL|Fail.
O/P ended traditionally with: "CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading"

Update deemed OK. Validating; advisory already in place - without the 2 refs from Comment 5. Can add them if advised to do so (asked already).
Keywords: (none) => validated_update

Comment 8
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0010.html
Status: NEW => RESOLVED
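The advisory above describes a decoder that sizes its content buffer from the BER length octets before checking that the content is actually present. The following is an added example, not Crypto++ or Mageia code: a minimal OCTET STRING decoder that validates the declared length against the remaining input before allocating, so a header claiming gigabytes of content is rejected up front. The tag constant, function names and sample inputs are assumptions constructed for illustration.

```cpp
// Added example (not Crypto++ code): hardened BER OCTET STRING decoding that
// checks the declared length against the bytes present before any allocation.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

struct BERDecodeErr : std::runtime_error {
    BERDecodeErr() : std::runtime_error("BER decode error") {}
};

// Decodes the length octets at in[pos..] (short or long definite form),
// advancing pos. Indefinite length (0x80) and over-long length fields are
// rejected, as is a length field that is itself truncated.
static size_t DecodeLength(const std::vector<uint8_t>& in, size_t& pos) {
    if (pos >= in.size()) throw BERDecodeErr();
    uint8_t b = in[pos++];
    if (b < 0x80) return b;                                  // short form
    size_t n = b & 0x7f;                                     // number of length octets
    if (n == 0 || n > sizeof(size_t)) throw BERDecodeErr();  // indefinite / absurd
    if (in.size() - pos < n) throw BERDecodeErr();           // length octets cut off
    size_t len = 0;
    for (size_t i = 0; i < n; ++i) len = (len << 8) | in[pos++];
    return len;
}

// The declared length is compared with the remaining input *before* the
// content buffer is created, so a bogus length never drives a huge
// allocation (and the later zeroization the advisory describes).
std::vector<uint8_t> BERDecodeOctetString(const std::vector<uint8_t>& in) {
    size_t pos = 0;
    if (in.empty() || in[pos++] != 0x04) throw BERDecodeErr(); // 0x04 = OCTET STRING tag (assumed universal tag)
    size_t len = DecodeLength(in, pos);
    if (len > in.size() - pos) throw BERDecodeErr();          // too few content octets
    return std::vector<uint8_t>(in.begin() + pos, in.begin() + pos + len);
}

// Helper for checking behaviour: true when the input is rejected.
bool RejectsInput(const std::vector<uint8_t>& in) {
    try { BERDecodeOctetString(in); return false; }
    catch (const BERDecodeErr&) { return true; }
}
```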