Bug 16996 - bouncycastle new security issue fixed upstream in 1.51 (CVE-2015-7940)
Summary: bouncycastle new security issue fixed upstream in 1.51 (CVE-2015-7940)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/663068/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Reported: 2015-10-22 18:55 CEST by David Walser
Modified: 2015-12-28 20:24 CET (History)
4 users (show)

See Also:
Source RPM: bouncycastle-1.50-3.mga5.src.rpm
Status comment:


Description David Walser 2015-10-22 18:55:59 CEST
A CVE has been requested for a security issue fixed in bouncycastle 1.51:

The upstream commits to fix the issue are also linked in the message above.


Steps to Reproduce:
David Walser 2015-10-22 18:56:12 CEST

CC: (none) => geiger.david68210, yann.cantin

Comment 1 David Walser 2015-10-22 20:45:31 CEST
CVE-2015-7940 has been assigned:

Summary: bouncycastle new security issue fixed upstream in 1.51 => bouncycastle new security issue fixed upstream in 1.51 (CVE-2015-7940)

Nicolas Lécureuil 2015-10-22 21:30:50 CEST


Comment 2 Yann Cantin 2015-10-22 23:36:13 CEST
Tested upstream commits as patchs, they don't apply cleanly on mga5 1.50 sources.
Comment 3 David Walser 2015-10-22 23:38:01 CEST
OK.  If it isn't easy enough to fix the patches to apply, then I guess we'll just have to update it to 1.51 or 1.52.
Comment 4 Nicolas Lécureuil 2015-10-22 23:41:50 CEST
tested too, the patches does not apply cleanly. Before updating we have to make there is no BIC
Comment 5 David Walser 2015-11-04 19:12:13 CET
OpenSuSE has issued an advisory for this today (November 4):

URL: (none) => http://lwn.net/Vulnerabilities/663068/

Comment 6 David Walser 2015-11-04 19:26:38 CET
(In reply to David Walser from comment #5)
> OpenSuSE has issued an advisory for this today (November 4):
> http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html

Also available at this URL:
Comment 7 David Walser 2015-12-15 18:12:39 CET
Debian has issued an advisory for this on December 14:

They added some patches backported to 1.49:
Comment 8 David GEIGER 2015-12-22 14:25:02 CET
CVE-2015-7940 should be fixed now for mga5 too, adding patch from Fedora 22 (Backport EC implementation from BC 1.51)

Also I added another patch from Fedora to fix buffer underflow (rhbz#1218258).
Comment 9 David Walser 2015-12-22 17:04:57 CET
Thanks David!


Updated bouncycastle packages fix security vulnerability:

The Bouncy Castle Java library before 1.51 does not validate a point is withing
the elliptic curve, which makes it easier for remote attackers to obtain
private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key
exchanges, aka an "invalid curve attack" (CVE-2015-7940).


Updated packages in core/updates_testing:

from bouncycastle-1.50-3.1.mga5.src.rpm

Assignee: mageia => qa-bugs

Comment 10 Len Lawrence 2015-12-26 13:23:59 CET
This one looks like a six month project.  As far as I can tell there are some test programs but it is not clear how you get hold of them or how they are run.  Definitely for someone expert in java and well-versed in the language used for instance in the documentation file at https://www.bouncycastle.org/documentation.html.  There seem to be various requirements like "you must use the signed jar for the provider" and "you must download the unrestricted policy files for the Sun JCE".  First you have to know what "provider" means.  Too obscure for me so over to the experts.

CC: (none) => tarazed25

Comment 11 David Walser 2015-12-26 13:34:43 CET
(In reply to Len Lawrence from comment #10)
> Too obscure for me so over to the experts.

Nope.  It's a Java package.  Just ensure that it upgrades cleanly.
Comment 12 Len Lawrence 2015-12-28 02:26:50 CET
mga5  x86_64  Mate

OK David.  That's done.

$ sudo urpmi bouncycastle
A requested package cannot be installed:
bouncycastle-1.50-3.mga5.noarch (in order to keep bouncycastle-1.50-3.1.mga5.noarch)
Continue installation anyway? (Y/n) n

# updatedb
# locate bouncycastle
Len Lawrence 2015-12-28 02:27:08 CET

Whiteboard: (none) => MGA5-64-OK

Comment 13 Len Lawrence 2015-12-28 02:38:12 CET
mga5  i586 vbox  Mate

The same package installs fine for 32-bit architecture.  Thought it worth checking.
bouncycastle search returned:

Validating this.  Please push to 5 updates.
Len Lawrence 2015-12-28 02:38:38 CET

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Len Lawrence 2015-12-28 02:38:51 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Rémi Verschelde 2015-12-28 13:24:30 CET

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Comment 14 Mageia Robot 2015-12-28 20:24:32 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.