Bug 23660 - mbedtls new security issues CVE-2018-0497 and CVE-2018-0498
Summary: mbedtls new security issues CVE-2018-0497 and CVE-2018-0498
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Reported: 2018-10-09 23:46 CEST by David Walser
Modified: 2018-11-03 12:56 CET (History)
10 users (show)

See Also:
Source RPM: mbedtls-2.7.3-3.mga7.src.rpm
Status comment:


Description David Walser 2018-10-09 23:46:23 CEST
Upstream has issued an advisory on July 25:

The issues were fixed in 2.7.5:

2.7.6 was also released on September 10, fixing a minor security issue:

Debian has issued an advisory for this on September 16:

Mageia 6 is also affected.
David Walser 2018-10-09 23:46:43 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-10 06:14:05 CEST
Assigning to all packagers collectively, since the registered maintainer for this package is currently unavailable.

Also CC'ing some committers & the registered maintainer.

CC: (none) => geiger.david68210, marja11, oe, rverschelde, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2018-10-12 22:35:29 CEST
Updated package uploaded for cauldron and Mageia 6.


Updated mbedtls package fixes security vulnerabilities:

Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions by exploiting timing side-channels (CVE-2018-0497).

Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions (CVE-2018-0498).

Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing (no CVE assigned).


Updated packages in core/updates_testing:

from mbedtls-2.7.6-1.mga6.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=20561#c3

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => mrambo
Keywords: (none) => has_procedure
Version: Cauldron => 6

Comment 3 Len Lawrence 2018-10-19 17:44:35 CEST
Mageia 6, x86_64

No PoCs found for the CVEs.
Ran self-test:
$ mbedtls-selftest

  MD5 test #1: passed
  Executed 23 test suites
  [ All tests PASS ]

Updated the packages:
$ mbedtls-selftest
  MD5 test #1: passed
  AES-GCM-256 #5 split (enc): passed
  AES-GCM-256 #5 split (dec): passed
  X.509 certificate load: passed
  X.509 signature verify: passed
  TIMING test #1 (set_alarm / get_timer): passed
  TIMING test #2 (set/get_delay        ): passed
  TIMING test #3 (hardclock / get_timer): passed
  Executed 23 test suites
  [ All tests PASS ]

Passing this for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 4 David Walser 2018-10-19 18:34:06 CEST
Always make sure you test a package that uses a library and not just its own tools, to make sure it hasn't broken binary compatibility.
Comment 5 Len Lawrence 2018-10-20 02:37:57 CEST
Thanks for the headsup David.  It looks like hiawatha is a candidate - tomorrow.

Whiteboard: MGA6-64-OK => (none)

Comment 6 Len Lawrence 2018-10-20 12:05:12 CEST
Testing hiawatha.
Removed mbedtls and support library.
Stopped apache.
Installed hiawatha and noted that mbedtls and lib64mbedtls10 were required.
Update mbdedtls and the library again and started hiawatha under strace.  Visited various sites in firefox then closed down hiawatha.  No sign of mbedtls interaction in the trace however.

Have to leave it there.  Know nothing about dolphin-emu or shadowsocks.
Reinstating the 64-bit OK.

Whiteboard: (none) => MGA6-64-OK

Comment 7 Thomas Andrews 2018-11-02 20:02:44 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-11-03 12:04:37 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-11-03 12:56:32 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.