Bug 19305 - libtomcrypt new security issue CVE-2016-6129
Summary: libtomcrypt new security issue CVE-2016-6129
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/699804/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Reported: 2016-09-07 19:50 CEST by David Walser
Modified: 2016-11-06 14:37 CET

See Also:
Source RPM: libtomcrypt-1.17-9.mga6.src.rpm
Status comment:


Description David Walser 2016-09-07 19:50:24 CEST
Debian-LTS has issued an advisory today (September 7):

Mageia 5 is also affected.
David Walser 2016-09-07 19:50:34 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-09-08 11:12:07 CEST
Assigning to maintainer.

CC: (none) => marja11
Assignee: bugsquad => dan

Comment 2 David GEIGER 2016-10-31 08:28:50 CET
Fixed for both mga5 and cauldron!

CC: (none) => geiger.david68210

Comment 3 David Walser 2016-10-31 16:10:27 CET
Thanks David!

libtomcrypt is used by dropbear, which can be used for testing.


Updated libtomcrypt packages fix security vulnerability:

It was discovered that the implementation of RSA signature verification in
libtomcrypt is vulnerable to the Bleichenbacher signature attack. If an RSA key
with exponent 3 is used it may be possible to forge a PKCS#1 v1.5 signature
signed by that key (CVE-2016-6129).


Updated packages in core/updates_testing:

from libtomcrypt-1.17-7.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: dan => qa-bugs
Whiteboard: MGA5TOO => (none)
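
The flaw class the advisory above describes, as an added example that is not libtomcrypt's code or the Mageia package's: a PKCS#1 v1.5 verifier that only parses the padding and checks the DigestInfo that follows accepts encodings that do not fill the whole modulus, which is what the e=3 forgery relies on, while a strict verifier rebuilds the full expected encoding and compares every byte. SHA-256 and a 256-byte (2048-bit) modulus size are assumed, the test vector is constructed in the block, and no RSA operation is performed.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, filling em_len bytes."""
    t = digest_info(message)
    if em_len < len(t) + 11:
        raise ValueError("encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Permissive decoder (illustrative, not libtomcrypt's code): walks past
    00 01 FF..FF 00, compares only the DigestInfo that follows and never
    looks at the bytes after it, so the padding need not fill the modulus."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # need >= 8 bytes of FF
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t


def strict_verify(em: bytes, message: bytes) -> bool:
    """RFC 8017 8.2.2: rebuild the whole expected encoding and compare all
    em_len bytes, so exactly one byte string is accepted for a given message."""
    try:
        expected = pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def short_padding_em(message: bytes, em_len: int) -> bytes:
    """Constructed test vector: minimal FF padding, DigestInfo in the middle,
    arbitrary bytes filling the rest. This is the shape a lenient decoder
    mistakenly accepts; it is not a forged signature (no RSA operation here)."""
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    return head + b"\x5a" * (em_len - len(head))
```

Running `strict_verify(short_padding_em(msg, 256), msg)` returns False while `lenient_verify` on the same input returns True, which is the difference a fixed verifier must enforce.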

Comment 4 Herman Viaene 2016-11-02 11:45:43 CET
MGA55-32 on Acer D620 Xfce
No installation issues
Used at cli:
$ strace -o dropbear.txt dbclient <user>@<host>
to connect to other MGA5 desktop
Got connected and could display the contents of the users home with "ls"
found in trace:
open("/lib/libtomcrypt.so.0", O_RDONLY|O_CLOEXEC) = 3
So OK for me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 5 Lewis Smith 2016-11-03 08:03:12 CET
Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 6 Lewis Smith 2016-11-06 12:34:32 CET
Testing M5 x64 real hardware.

Installed the pre-update 'libtomcrypt0', which pulled in a couple of other pkgs. Played with it on my single box to see what would happen.

As normal user in a terminal:
 $ dbclient normal_user@localhost
First usage said 'localhost' was not in the permitted host list, but continue anyway? Did so, it asked for the user login, and that worked. Not sure whether to exit or logout, both worked.
 $ dbclient root@localhost
Asked for but refused (asked 5 times) the relevant password, then aborted:
 dbclient: Connection to root@localhost:22 exited: Disconnect received

As root in a terminal:
 # dbclient normal_user@localhost
asked again about 'localhost' not in its list, but continued when asked to. Then asked for the user password, and that logged in and functioned OK.

UPDATEd to: lib64tomcrypt0-1.17-7.1.mga5

 $ strace -o dropbear.txt dbclient root@localhost
Refused & aborted as previously. No strace file.

 # strace -o tmp/dropbear.txt dbclient lewis@localhost
 lewis@localhost's password: 
 Last login: Sun Nov  6 11:53:27 2016 from localhost.localdomain
 $ logout
The strace file contained:
 open("/lib64/libtomcrypt.so.0", O_RDONLY|O_CLOEXEC) = 3

Unsure of the significance of all this, but following Herman: OK.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2016-11-06 14:37:52 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
