openSUSE has issued an advisory on November 15: https://lists.opensuse.org/opensuse-updates/2019-11/msg00093.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated libtomcrypt packages fix security vulnerability:

Improper detection of invalid UTF-8 sequences that could have led to DoS or information disclosure via crafted DER-encoded data (CVE-2019-17362).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17362
https://lists.opensuse.org/opensuse-updates/2019-11/msg00093.html
========================

Updated packages in core/updates_testing:
========================

libtomcrypt1-1.18.2-2.1.mga7
libtomcrypt-devel-1.18.2-2.1.mga7

from libtomcrypt-1.18.2-2.1.mga7.src.rpm
Version: Cauldron => 7
Assignee: dan => qa-bugs
Whiteboard: MGA7TOO => (none)
Created attachment 11384 [details]
C code and executable running against libtomcrypt

There are three C code modules I found on the internet that do a basic test.

Link to example: https://stackoverflow.com/questions/48506195/how-to-compile-run-c-code-to-invoke-libtomcrypt-aes-2kb-lookup-table-based-imple

Also included the compiled executable.

to compile:
$ gcc -I/usr/include/tomcrypt aes_tom_example.c -o aes -ltomcrypt

to run:
./aes
CC: (none) => brtians1
i586 - KDE
- libtomcrypt-devel-1.18.2-2.1.mga7.i586
- libtomcrypt1-1.18.2-2.1.mga7.i586
- libtommath-devel-1.1.0-1.mga7.i586

Using the same code above on 32bit KDE the app segfaults.

Can someone in build confirm the above libs are 32bit?
Whiteboard: (none) => feedback
64 bit works - I messed with the input characters

$ ./aes
original: c a t < h e l l o w o r l d ! > a n e w f i l e
encrypted: 7C EA 3B E6 98 8B 50 86 79 92 C7 D8 D3 C9 5F D0
decrypted: c a t < h e l l o w o r l � � � �

64bit works
x86_64 works for me, too, in as far as dropbear still allows SSH connections.
CC: (none) => dan
Is anyone going to confirm the 32bit library was built properly? The failure was done after a fresh compile on the 32bit machine. It shouldn't have failed.
Well of course a 32-bit build is 32-bit, but I wonder if it is using CPU instructions that are not available on your system. Does it work on a 32-bit VM or install on a 64-bit system? Is the issue a regression?
It was on a 32bit VM. I had no problems with 64-bit. I can test it on an older version later, tomorrow probably.
Prior version does work.

[biran@localhost Downloads]$ gcc -I/usr/include/tomcrypt aes_tom_example.c -o aes -ltomcrypt
[biran@localhost Downloads]$ ls -ltr
total 148
-rw-rw-r-- 1 biran biran 19412 Dec  5 10:43 aes.c
-rw-rw-r-- 1 biran biran 69870 Dec  5 10:48 aes_tab.c
-rw-rw-r-- 1 biran biran  1006 Dec  5 10:52 aes_tom_example.c
-rw-rw-r-- 1 biran biran 28812 Jan  9 08:12 aes_basic_test.zip
-rwxr-xr-x 1 biran biran 18700 Jan  9 08:14 aes*
[biran@localhost Downloads]$ ./aes
original: h e l l o w o r l d !
encrypted: AE 21 D5 A5 5E D5 F1 EF 6D FC E5 30 60 34 3D 12 B7
decrypted: h e l l o w o r l d !
[biran@localhost Downloads]$

I will re-test with the new version.
Okay - installed the updates, tested the binary, it worked. I compiled it anew, it worked. So - I chalk this up to a screw-up on my part, go figure. ;-)

Approving both.
Whiteboard: feedback => MGA7-64-OK MGA7-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0028.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED