Bug 32247 - Security issue in libtommath 1.2.0
Summary: Security issue in libtommath 1.2.0
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Reported: 2023-09-05 19:12 CEST by Dan Fandrich
Modified: 2023-09-25 00:18 CEST (History)
3 users (show)

See Also:
Source RPM: libtommath-1.2.1-1.mga9.src.rpm
CVE: CVE-2023-36328
Status comment:


Description Dan Fandrich 2023-09-05 19:12:54 CEST
Description of problem:
This version is affected by CVE-2023-36328. The CVE description:

Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). 

Version-Release number of selected component (if applicable):

How reproducible:
unknown exploitability
Dan Fandrich 2023-09-05 19:16:55 CEST

Component: RPM Packages => Security
Whiteboard: (none) => MGA8TOO
CVE: (none) => CVE-2023-36328
QA Contact: (none) => security

Comment 1 Dan Fandrich 2023-09-05 21:02:37 CEST
The subsequent release 1.2.1 only contains the fix for this, so I've updated to that version. These RPMs are now available in core/updates_testing (core/release in Cauldron) for testing:


Here is a regression test procedure that uses the dropbear server as a test application using libtommath:

$ sudo urpmi dropbear
$ sudo systemctl stop sshd.service
$ sudo systemctl start dropbear.service
$ ssh echo Working
=> should return "Working"

Proposed security advisory text for mga9:

Updated the dropbear package to fix a security vulnerability:

Dropbear is vulnerable to an Integer Overflow vulnerability that could allow attackers to execute arbitrary code and cause a denial of service (DoS).


Updated package in core/updates:

Source RPMs:

Keywords: (none) => advisory, has_procedure
Assignee: dan => qa-bugs

Comment 2 Herman Viaene 2023-09-08 12:17:34 CEST
I guessed the update for M8 would be libtommath-1.2.1-1.mga8, but not found in repos.

CC: (none) => herman.viaene

Comment 3 Dan Fandrich 2023-09-08 19:08:50 CEST
It's currently in core/updates_testing waiting for QA approval.
Comment 4 Herman Viaene 2023-09-16 11:25:04 CEST
Error: libtommath-1.2.1-1.mga8 not found in the remote repository
Comment 5 Herman Viaene 2023-09-16 11:30:08 CEST
The name should be lib(64)tommath1-1.2.1-1.mga8
Comment 6 Herman Viaene 2023-09-16 11:44:20 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Following Comment 1 after installing dropbear
# systemctl stop sshd
# systemctl -l status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:sshd(8)
# systemctl start dropbear
# systemctl -l status dropbear
● dropbear.service - Dropbear SSH Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; vendor preset: disabled)
     Active: active (running) since Sat 2023-09-16 11:38:01 CEST; 22s ago
    Process: 78966 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS)

$ ssh echo Working
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:pf4ffjtP8i3NsEkSmBTOUZDNOhoKpc1y4e5LZkdi40o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
tester8@'s password: 
/usr/bin/xauth:  file /home/tester8/.Xauthority does not exist
[tester8@mach7 Documents]$ ssh echo Working
tester8@'s password: 

So working OK.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 7 Dave Hodgins 2023-09-16 23:00:34 CEST
libtommath is the name of the 32 bit version as well as being the name
of the source rpm package.

Dan, please include the list of srpms, the 32 bit list of rpms and the
64 bit list of rpms separately in bug reports.

CC: (none) => davidwhodgins

Comment 8 Herman Viaene 2023-09-17 10:36:47 CEST
The current name in M8 repos is now libtommath1, is that wrong then???
Comment 9 Dave Hodgins 2023-09-17 15:57:22 CEST
x86_64 rpm list

i586 rpm list

srpm list
Comment 10 Dave Hodgins 2023-09-17 16:02:45 CEST
Same list for m8 but with mga8.
Comment 11 Dave Hodgins 2023-09-20 18:38:28 CEST
Tested using sshd on both m8 and m9. Validating.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Dave Hodgins 2023-09-20 23:03:54 CEST
Dan, in future please do not add the advisory keyword. It shouldn't be added
until the advisory has been committed to svn. It's now there.

The advisory in svn must be formatted for use by the script that pushes updates
and publishes the advisory to the public.
Comment 13 Mageia Robot 2023-09-25 00:18:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.