Bug 32247

Summary: Security issue in libtommath 1.2.0
Product: Mageia Reporter: Dan Fandrich <dan>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 9Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36328
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: libtommath-1.2.1-1.mga9.src.rpm CVE: CVE-2023-36328
Status comment:

Description Dan Fandrich 2023-09-05 19:12:54 CEST 
Description of problem:
This version is affected by CVE-2023-36328. The CVE description:

Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). 

Version-Release number of selected component (if applicable):
1.2.0

How reproducible:
unknown exploitability
Dan Fandrich 2023-09-05 19:16:55 CEST

Component: RPM Packages => Security
Whiteboard: (none) => MGA8TOO
CVE: (none) => CVE-2023-36328
QA Contact: (none) => security

Comment 1 Dan Fandrich 2023-09-05 21:02:37 CEST 
The subsequent release 1.2.1 only contains the fix for this, so I've updated to that version. These RPMs are now available in core/updates_testing (core/release in Cauldron) for testing:

libtommath-1.2.1-1.mga10
libtommath-1.2.1-1.mga9
libtommath-1.2.1-1.mga8

Here is a regression test procedure that uses the dropbear server as a test application using libtommath:

$ sudo urpmi dropbear
$ sudo systemctl stop sshd.service
$ sudo systemctl start dropbear.service
$ ssh 127.0.0.1 echo Working
=> should return "Working"

Proposed security advisory text for mga9:

========================
Updated the dropbear package to fix a security vulnerability:

Dropbear is vulnerable to an Integer Overflow vulnerability that could allow attackers to execute arbitrary code and cause a denial of service (DoS).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36328
https://github.com/libtom/libtommath/pull/546

Updated package in core/updates:
libtommath-1.2.1-1.mga9

Source RPMs:
libtommath-1.2.1-1.mga9.src.rpm

Keywords: (none) => advisory, has_procedure
Status: NEW => ASSIGNED
Assignee: dan => qa-bugs

Comment 2 Herman Viaene 2023-09-08 12:17:34 CEST 
I guessed the update for M8 would be libtommath-1.2.1-1.mga8, but not found in repos.

CC: (none) => herman.viaene

Comment 3 Dan Fandrich 2023-09-08 19:08:50 CEST 
It's currently in core/updates_testing waiting for QA approval.
Comment 4 Herman Viaene 2023-09-16 11:25:04 CEST 
Error: libtommath-1.2.1-1.mga8 not found in the remote repository
Comment 5 Herman Viaene 2023-09-16 11:30:08 CEST 
The name should be lib(64)tommath1-1.2.1-1.mga8
Comment 6 Herman Viaene 2023-09-16 11:44:20 CEST 
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Following Comment 1 after installing dropbear
# systemctl stop sshd
# systemctl -l status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:sshd(8)
             man:sshd_config(5)
# systemctl start dropbear
# systemctl -l status dropbear
● dropbear.service - Dropbear SSH Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; vendor preset: disabled)
     Active: active (running) since Sat 2023-09-16 11:38:01 CEST; 22s ago
    Process: 78966 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS)
etc.....

$ ssh 127.0.0.1 echo Working
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:pf4ffjtP8i3NsEkSmBTOUZDNOhoKpc1y4e5LZkdi40o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
tester8@127.0.0.1's password: 
/usr/bin/xauth:  file /home/tester8/.Xauthority does not exist
Working
[tester8@mach7 Documents]$ ssh 127.0.0.1 echo Working
tester8@127.0.0.1's password: 
Working

So working OK.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 7 Dave Hodgins 2023-09-16 23:00:34 CEST 
libtommath is the name of the 32 bit version as well as being the name
of the source rpm package.

Dan, please include the list of srpms, the 32 bit list of rpms and the
64 bit list of rpms separately in bug reports.

CC: (none) => davidwhodgins

Comment 8 Herman Viaene 2023-09-17 10:36:47 CEST 
The current name in M8 repos is now libtommath1, is that wrong then???
Comment 9 Dave Hodgins 2023-09-17 15:57:22 CEST 
x86_64 rpm list
lib64tommath-devel-1.2.1-1.mga9
lib64tommath1-1.2.1-1.mga9

i586 rpm list
libtommath1-1.2.1-1.mga9
libtommath-devel-1.2.1-1.mga9

srpm list
libtommath-1.2.0-4.mga9.src.rpm
Comment 10 Dave Hodgins 2023-09-17 16:02:45 CEST 
Same list for m8 but with mga8.
Comment 11 Dave Hodgins 2023-09-20 18:38:28 CEST 
Tested using sshd on both m8 and m9. Validating.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Dave Hodgins 2023-09-20 23:03:54 CEST 
Dan, in future please do not add the advisory keyword. It shouldn't be added
until the advisory has been committed to svn. It's now there.
https://svnweb.mageia.org/advisories/32247.adv?view=log

The advisory in svn must be formatted for use by the script that pushes updates
and publishes the advisory to the public.
Comment 13 Mageia Robot 2023-09-25 00:18:35 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0265.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED