Bug 31058 - mbedtls new security issue CVE-2022-35409
Summary: mbedtls new security issue CVE-2022-35409
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-10-31 15:44 CET by David Walser
Modified: 2022-11-08 20:45 CET (History)
4 users (show)

See Also:
Source RPM: mbedtls-2.28.0-1.mga9.src.rpm
Status comment:


Description David Walser 2022-10-31 15:44:16 CET
Fedora has issued an advisory on October 30:

Additionally, upstream has issued an advisory on July 11:

The issues are fixed upstream in 2.28.1:

Mageia 8 is also affected.
David Walser 2022-10-31 15:44:40 CET

Status comment: (none) => Fixed upstream in 2.28.1
Whiteboard: (none) => MGA8TOO

Rémi Verschelde 2022-10-31 23:05:44 CET


Comment 1 Rémi Verschelde 2022-10-31 23:25:18 CET
Submitted 2.28.1-1.mga9 to Cauldron.

For Mageia 8, it seems like the vulnerabilities might not be relevant for the previous 2.16.x LTS branch we're using.

For CVE-2021-45450 and CVE-2021-45451, Debian claims that the vulnerable code was introduced later:

Both are indeed vulnerabilities in `library/psa_crypto.c` which doesn't exist in Mageia 8's 2.16.12 (and I don't find corresponding code in other files).

For CVE-2022-35409, Debian says their 2.16.x packages are vulnerable: https://security-tracker.debian.org/tracker/CVE-2022-35409

That seems to be the case indeed (at least the affected code exists). Debian lists a ton of related commits but most are documentation, debug code or test cases. The actual vulnerability fix seems to be https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2

So I've backported this trivial patch to 2.16.12 for Mageia 8.
Advisory in next comment.
Comment 2 Rémi Verschelde 2022-10-31 23:31:57 CET
(As described above, the Mageia 8 update only fixes CVE-2022-35409, the other CVEs are not applicable as there's no PSA support in 2.16.x.)


Updated mbedtls packages fix security vulnerability

  An unauthenticated remote host could send an invalid ClientHello message in
  which the declared length of the cookie extends past the end of the message.
  A DTLS server with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled would read past
  the end of the message up to the declared length of the cookie. This could
  cause a buffer overread of up to 255 bytes on the heap in vulnerable DTLS
  servers, which may lead to a crash or to information disclosure via the
  cookie check function (CVE-2022-35409).

  This issue has been patched, backporting a fix from upstream's 2.28.0 release.


 - https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/mbedtls-security-advisory-2022-07/
 - https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2

SRPM in mga8 core/updates_testing:


RPMs in mga8 core/updates_testing:


Assignee: rverschelde => qa-bugs
Version: Cauldron => 8
Summary: mbedtls new security issues CVE-2021-4545[01] and CVE-2022-35409 => mbedtls new security issue CVE-2022-35409
Whiteboard: MGA8TOO => (none)

David Walser 2022-11-01 00:04:42 CET

Status comment: Fixed upstream in 2.28.1 => (none)

Comment 3 Herman Viaene 2022-11-04 15:56:07 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed test from bug 29866, installed hiawatha and godot.
Made sure httpd is not running, then
# systemctl -l start hiawatha
point browser to localhost and get a nice page "
Installation successful

Congratulations! The Hiawatha webserver has successfully been installed on this system."
Started godot and could download some stuff, but as I have no affinity with games, I left it at that.
Good enough for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-11-04 22:53:18 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-11-08 15:42:00 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-11-08 20:45:59 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.