A CVE has been assigned for a security issue in libcryptopp: http://www.openwall.com/lists/oss-security/2016/12/12/7 I don't believe a fix is available yet. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Found patches at https://github.com/weidai11/cryptopp/pull/347/files. Working on fixes for both cauldron and mga5.
CC: (none) => mrambo
Patched package has been uploaded for both Cauldron and MGA5.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=19381#c6

Advisory:
========================

Updated libcryptopp package fixes security vulnerability:

When Crypto++ library parses an ASN.1 data value, the library allocates for the content octets based on the length octets. Later, if there's too few or too little content octets, the library throws a BERDecodeErr exception. The memory for the content octets will be zeroized (even if unused), which could take a long time on a large allocation (CVE-2016-9939).

References:
http://www.openwall.com/lists/oss-security/2016/12/12/7
https://github.com/weidai11/cryptopp/issues/346
========================

Updated packages in core/updates_testing:
========================
lib64cryptopp6-5.6.3-1.3.mga5
lib64cryptopp-devel-5.6.3-1.3.mga5
libcryptopp-debuginfo-5.6.3-1.3.mga5
libcryptopp-progs-5.6.3-1.3.mga5

from libcryptopp-5.6.3-1.3.mga5.src.rpm
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => has_procedure
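As an added illustration of the failure mode the advisory above describes, here is a minimal BER OCTET STRING decoder written for this page (it is not Crypto++'s BERDecode code). The vulnerable variant sizes and later wipes a buffer from the attacker-supplied length octets before it checks that that many content octets exist; the hardened variant bounds the declared length against the remaining input first. The 0x04 tag handling, the 4-octet length limit, the WipingBuffer type, the g_bytes_wiped counter and both input byte strings are assumptions constructed for the demonstration.

```cpp
// Example code added for this page; not Crypto++ source. Illustrates the
// CVE-2016-9939 pattern: allocate-then-wipe from an unchecked BER length.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

struct BerDecodeErr : std::runtime_error {
    BerDecodeErr() : std::runtime_error("BER decode error") {}
};

// Running total of bytes zeroized by WipingBuffer destructors. Assumption for
// the demo: lets us measure how much wiping a rejected input caused.
static size_t g_bytes_wiped = 0;

// Buffer that zeroizes itself on destruction, as a secure allocator would.
struct WipingBuffer {
    std::vector<uint8_t> data;
    explicit WipingBuffer(size_t n) : data(n) {}
    ~WipingBuffer() {
        volatile uint8_t* p = data.data();   // volatile so the wipe is not elided
        for (size_t i = 0; i < data.size(); ++i) p[i] = 0;
        g_bytes_wiped += data.size();
    }
};

// Decode a definite-form BER length at in[pos], advancing pos.
// Short form (< 0x80) or long form with at most 4 length octets (simplification).
static size_t ber_length(const std::vector<uint8_t>& in, size_t& pos) {
    if (pos >= in.size()) throw BerDecodeErr();
    uint8_t b = in[pos++];
    if (b < 0x80) return b;
    size_t n = b & 0x7f;                       // number of length octets
    if (n == 0 || n > 4 || pos + n > in.size()) throw BerDecodeErr();
    size_t len = 0;
    for (size_t i = 0; i < n; ++i) len = (len << 8) | in[pos++];
    return len;
}

// Vulnerable pattern: the buffer is allocated from the declared length before
// the decoder knows whether that many content octets are present. On the
// truncation check failing, unwinding destroys buf and wipes every byte of it.
static std::vector<uint8_t> decode_octet_string_vulnerable(const std::vector<uint8_t>& in) {
    size_t pos = 0;
    if (pos >= in.size() || in[pos++] != 0x04) throw BerDecodeErr();  // OCTET STRING tag
    size_t len = ber_length(in, pos);
    WipingBuffer buf(len);                              // sized by attacker-controlled length
    if (in.size() - pos < len) throw BerDecodeErr();    // too late: buf is wiped on unwind
    std::memcpy(buf.data.data(), in.data() + pos, len);
    return buf.data;
}

// Hardened pattern: reject a declared length that exceeds the remaining input
// before anything is allocated, so a truncated input costs nothing to wipe.
static std::vector<uint8_t> decode_octet_string_hardened(const std::vector<uint8_t>& in) {
    size_t pos = 0;
    if (pos >= in.size() || in[pos++] != 0x04) throw BerDecodeErr();
    size_t len = ber_length(in, pos);
    if (len > in.size() - pos) throw BerDecodeErr();    // bound against what is actually there
    WipingBuffer buf(len);
    std::memcpy(buf.data.data(), in.data() + pos, len);
    return buf.data;
}

struct Outcome {
    bool ok;
    size_t bytes_wiped;   // bytes zeroized while handling this one input
};

using Decoder = std::vector<uint8_t> (*)(const std::vector<uint8_t>&);

// Run a decoder on one input and report whether it succeeded and how much wiping it did.
static Outcome attempt(Decoder decode, const std::vector<uint8_t>& in) {
    size_t before = g_bytes_wiped;
    Outcome o{false, 0};
    try { decode(in); o.ok = true; } catch (const BerDecodeErr&) { o.ok = false; }
    o.bytes_wiped = g_bytes_wiped - before;
    return o;
}

// Constructed inputs. kTruncatedInput declares 0x01000000 (16 MiB) content
// octets but supplies only two.
static const std::vector<uint8_t> kGoodInput      = {0x04, 0x03, 'a', 'b', 'c'};
static const std::vector<uint8_t> kTruncatedInput = {0x04, 0x84, 0x01, 0x00, 0x00, 0x00, 'x', 'y'};

int main() {
    Outcome v = attempt(decode_octet_string_vulnerable, kTruncatedInput);
    Outcome h = attempt(decode_octet_string_hardened, kTruncatedInput);
    std::printf("vulnerable: ok=%d wiped=%zu bytes\n", v.ok, v.bytes_wiped);
    std::printf("hardened:   ok=%d wiped=%zu bytes\n", h.ok, h.bytes_wiped);
    return 0;
}
```

Both decoders reject the truncated input, but only the vulnerable one pays for it: it wipes 16 MiB of never-used memory per rejected message, which is exactly the delay the advisory describes and what an attacker feeding many such values can amplify.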
MGA5-32 on Acer D620 Xfce

Installation: the debuginfo package seems to be missing here.
All tests as per bug 19381 passed.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Debian has issued an advisory for this today (December 26): https://lists.debian.org/debian-security-announce/2016/msg00332.html The DSA will be posted here: https://www.debian.org/security/2016/dsa-3748
URL: (none) => https://lwn.net/Vulnerabilities/710210/
Added advisory as per Comment 3, but unsure whether I should have included the 2 'references' URLs in comment 5.
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Testing M5 64-bit real h/w

Updated existing pkgs to:
libcryptopp-progs-5.6.3-1.3.mga5
lib64cryptopp6-5.6.3-1.3.mga5

$ cryptest v > tmp/cryptest_v    [the essential self-test, lots of output]
$ less tmp/cryptest_v            [to easily scan/search the output]

Lots of "passed"; many "Failed tests = 0"; no other fail|FAIL|Fail.
O/P ended traditionally with: "CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading"

Update deemed OK. Validating; advisory already in place - without the 2 refs from Comment 5. Can add them if advised to do so (asked already).
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0010.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED