| Summary: | libtomcrypt new security issue CVE-2019-17362 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, dan, geiger.david68210, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK MGA7-32-OK | ||
| Source RPM: | libtomcrypt-1.18.2-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | C code and executable running against libtomcrypt | ||
Description
David Walser
2019-12-03 20:53:59 CET

David Walser
2019-12-03 20:54:07 CET
Whiteboard: (none) => MGA7TOO

Done for both Cauldron and mga7!
CC: (none) => geiger.david68210

Advisory:
========================

Updated libtomcrypt packages fix security vulnerability:

Improper detection of invalid UTF-8 sequences that could have led to DoS or information disclosure via crafted DER-encoded data (CVE-2019-17362).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17362
https://lists.opensuse.org/opensuse-updates/2019-11/msg00093.html
========================

Updated packages in core/updates_testing:
========================
libtomcrypt1-1.18.2-2.1.mga7
libtomcrypt-devel-1.18.2-2.1.mga7

from libtomcrypt-1.18.2-2.1.mga7.src.rpm
Version: Cauldron => 7

Created attachment 11384
C code and executable running against libtomcrypt

There are three C code modules I found on the internet that do a basic test.
Link to example: https://stackoverflow.com/questions/48506195/how-to-compile-run-c-code-to-invoke-libtomcrypt-aes-2kb-lookup-table-based-imple
Also included the compiled executable.

to compile:
$ gcc -I/usr/include/tomcrypt aes_tom_example.c -o aes -ltomcrypt
to run:
./aes
CC: (none) => brtians1

i586 - KDE
- libtomcrypt-devel-1.18.2-2.1.mga7.i586
- libtomcrypt1-1.18.2-2.1.mga7.i586
- libtommath-devel-1.1.0-1.mga7.i586

Using the same code above on 32-bit KDE the app segfaults.
Can someone in build confirm the above libs are 32-bit?
Whiteboard: (none) => feedback

64-bit works - I messed with the input characters
$ ./aes
original: c a t < h e l l o w o r l d ! > a n e w f i l e
encrypted: 7C EA 3B E6 98 8B 50 86 79 92 C7 D8 D3 C9 5F D0
decrypted: c a t < h e l l o w o r l � � � �
64-bit works

x86_64 works for me, too, in as far as dropbear still allows SSH connections.
CC: (none) => dan

Is anyone going to confirm the 32-bit library was built properly? The failure was done after a fresh compile on the 32-bit machine. It shouldn't have failed.

Well of course a 32-bit build is 32-bit, but I wonder if it is using CPU instructions that are not available on your system. Does it work on a 32-bit VM or install on a 64-bit system? Is the issue a regression?

It was on a 32-bit VM. I had no problems with 64-bit. I can test it on an older version later tomorrow probably.

Prior version does work.
[biran@localhost Downloads]$ gcc -I/usr/include/tomcrypt aes_tom_example.c -o aes -ltomcrypt
[biran@localhost Downloads]$ ls -ltr
total 148
-rw-rw-r-- 1 biran biran 19412 Dec 5 10:43 aes.c
-rw-rw-r-- 1 biran biran 69870 Dec 5 10:48 aes_tab.c
-rw-rw-r-- 1 biran biran  1006 Dec 5 10:52 aes_tom_example.c
-rw-rw-r-- 1 biran biran 28812 Jan 9 08:12 aes_basic_test.zip
-rwxr-xr-x 1 biran biran 18700 Jan 9 08:14 aes*
[biran@localhost Downloads]$ ./aes
original: h e l l o w o r l d !
encrypted: AE 21 D5 A5 5E D5 F1 EF 6D FC E5 30 60 34 3D 12 B7
decrypted: h e l l o w o r l d !
[biran@localhost Downloads]$
I will re-test with the new version.

Okay - installed the updates, tested the binary, it worked. I compiled it anew, it worked. So - I chalk this up to a screw-up on my part, go figure. ;-)

approving both
Whiteboard: feedback => MGA7-64-OK MGA7-32-OK

Thomas Backlund
2020-01-11 23:07:43 CET
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0028.html
Status: NEW => RESOLVED
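The advisory above names the bug class only in one sentence: a DER decoder that does not detect invalid UTF-8 sequences properly. As an added illustration (not libtomcrypt's code and not the patched function, which this report does not show), the validator below does the checks a UTF8String decoder must make before trusting a length field: bounds-check the continuation bytes before reading them, reject bytes that are not 10xxxxxx, and reject over-long, surrogate and out-of-range code points. The sample payloads are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Strict UTF-8 validation of a DER UTF8String payload (added example,
 * not libtomcrypt's implementation). Returns the number of code points,
 * or -1 if the buffer holds a malformed, truncated or over-long sequence. */
long utf8_validate(const uint8_t *in, size_t inlen)
{
    size_t i = 0;
    long count = 0;
    while (i < inlen) {
        uint8_t b = in[i];
        size_t extra;            /* continuation bytes that must follow */
        uint32_t cp, min;        /* decoded code point, smallest legal value */
        if (b < 0x80)                { extra = 0; cp = b;        min = 0;       }
        else if ((b & 0xE0) == 0xC0) { extra = 1; cp = b & 0x1F; min = 0x80;    }
        else if ((b & 0xF0) == 0xE0) { extra = 2; cp = b & 0x0F; min = 0x800;   }
        else if ((b & 0xF8) == 0xF0) { extra = 3; cp = b & 0x07; min = 0x10000; }
        else return -1;          /* lone continuation byte or 0xF8..0xFF */
        /* Length check BEFORE touching continuation bytes: a sequence cut
         * short at the end of the buffer must not turn into an over-read. */
        if (extra > inlen - i - 1) return -1;
        for (size_t k = 1; k <= extra; k++) {
            uint8_t c = in[i + k];
            if ((c & 0xC0) != 0x80) return -1;       /* not 10xxxxxx */
            cp = (cp << 6) | (c & 0x3F);
        }
        if (cp < min) return -1;                     /* over-long encoding */
        if (cp > 0x10FFFF) return -1;                /* beyond Unicode range */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1; /* UTF-16 surrogate */
        i += extra + 1;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample payloads, not taken from the bug report. */
    static const uint8_t ok[]       = { 'c','a','t',' ', 0xC3,0xA9, 0xE2,0x82,0xAC }; /* "cat" + e-acute + euro */
    static const uint8_t trunc[]    = { 'h','i', 0xE2,0x82 };                         /* 3-byte sequence cut short */
    static const uint8_t badcont[]  = { 0xC3, 'x' };                                  /* second byte not 10xxxxxx */
    static const uint8_t overlong[] = { 0xC0, 0x80 };                                 /* over-long encoding of NUL */
    printf("ok=%ld trunc=%ld badcont=%ld overlong=%ld\n",
           utf8_validate(ok, sizeof ok), utf8_validate(trunc, sizeof trunc),
           utf8_validate(badcont, sizeof badcont), utf8_validate(overlong, sizeof overlong));
    return 0;
}
```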