Description of problem:
This version is affected by CVE-2023-36328. The CVE description:
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).
Version-Release number of selected component (if applicable):
RPM Packages =>
The subsequent release 1.2.1 only contains the fix for this, so I've updated to that version. These RPMs are now available in core/updates_testing (core/release in Cauldron) for testing:
Here is a regression test procedure that uses the dropbear server as a test application using libtommath:
$ sudo urpmi dropbear
$ sudo systemctl stop sshd.service
$ sudo systemctl start dropbear.service
$ ssh 127.0.0.1 echo Working
=> should return "Working"
Proposed security advisory text for mga9:
Updated the dropbear package to fix a security vulnerability:
Dropbear is vulnerable to an Integer Overflow vulnerability that could allow attackers to execute arbitrary code and cause a denial of service (DoS).
Updated package in core/updates:
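The four-step procedure from comment 1 (stop sshd, start dropbear, ssh to 127.0.0.1, expect "Working") as a single script that also puts sshd back afterwards. This is an added example, not part of the bug report or of the Mageia packages: the unit names sshd.service and dropbear.service come from the report, while the SSH_BIN override, the run_regression/check_ssh_echo names and the assumption that key-based login to 127.0.0.1 already works are this example's own.

```shell
#!/bin/sh
# Regression check for the libtommath update, using dropbear as the consumer
# application, following the procedure from comment 1. Added example, not
# from the bug report. Assumes the systemd units are named sshd.service and
# dropbear.service (as in the report) and that the invoking user can already
# log in to 127.0.0.1 with a key (no password prompt). Run as root:
#   sh libtommath-regress.sh run
set -u

SSH_BIN="${SSH_BIN:-ssh}"   # overridable so the check itself can be exercised offline
EXPECTED="Working"

# Run the probe command over ssh and compare its stdout with the expected string.
# -x disables X11 forwarding (avoids the xauth noise seen in the QA transcript),
# BatchMode stops ssh from hanging on a password prompt, and accept-new stores
# dropbear's host key on first contact while still refusing a changed key.
check_ssh_echo() {
    out="$("$SSH_BIN" -x \
            -o BatchMode=yes \
            -o StrictHostKeyChecking=accept-new \
            -o ConnectTimeout=10 \
            127.0.0.1 echo "$EXPECTED")" || return 1
    [ "$out" = "$EXPECTED" ]
}

# Put the machine back the way it was, whatever the outcome of the check.
restore_sshd() {
    systemctl stop dropbear.service
    systemctl start sshd.service
}

run_regression() {
    trap restore_sshd EXIT
    systemctl stop sshd.service || return 1
    systemctl start dropbear.service || return 1
    # give dropbear a moment to bind the port (and to generate host keys on first start)
    sleep 2
    if check_ssh_echo; then
        echo "PASS: dropbear (linked against libtommath) answered '$EXPECTED'"
        return 0
    fi
    echo "FAIL: unexpected or no output from dropbear; see 'journalctl -u dropbear'" >&2
    return 1
}

case "${1:-}" in
    run) run_regression ;;
esac
```

If 127.0.0.1 already has a known_hosts entry recorded from OpenSSH, ssh will refuse dropbear's different host key; that is a known_hosts mismatch, not a libtommath regression, and `ssh-keygen -R 127.0.0.1` clears the stale entry before re-running. The EXIT trap restarts sshd even when the check fails, so a failed test does not leave the box without its usual SSH server.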
I guessed the update for M8 would be libtommath-1.2.1-1.mga8, but it was not found in the repos.
It's currently in core/updates_testing waiting for QA approval.
Error: libtommath-1.2.1-1.mga8 not found in the remote repository
The name should be lib(64)tommath1-1.2.1-1.mga8
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Following Comment 1 after installing dropbear
# systemctl stop sshd
# systemctl -l status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: inactive (dead)
# systemctl start dropbear
# systemctl -l status dropbear
● dropbear.service - Dropbear SSH Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2023-09-16 11:38:01 CEST; 22s ago
Process: 78966 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS)
$ ssh 127.0.0.1 echo Working
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:pf4ffjtP8i3NsEkSmBTOUZDNOhoKpc1y4e5LZkdi40o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
/usr/bin/xauth: file /home/tester8/.Xauthority does not exist
[tester8@mach7 Documents]$ ssh 127.0.0.1 echo Working
So working OK.
libtommath is the name of the 32 bit version as well as being the name
of the source rpm package.
Dan, please include the list of srpms, the 32 bit list of rpms and the
64 bit list of rpms separately in bug reports.
The current name in M8 repos is now libtommath1, is that wrong then???
x86_64 rpm list
i586 rpm list
Same list for m8 but with mga8.
Tested using sshd on both m8 and m9. Validating.
MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Dan, in future please do not add the advisory keyword. It shouldn't be added
until the advisory has been committed to svn. It's now there.
The advisory in svn must be formatted for use by the script that pushes updates
and publishes the advisory to the public.
An update for this issue has been pushed to the Mageia Updates repository.