197067 2007-10-25 19:03 0000 dev-lang/mono < 1.2.5-r1 Buffer overflow in BigInteger (CVE-2007-5197) 2007-11-08 01:31:40 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B1 [glsa] P2 major --- 1 jaervosz@gentoo.org security@gentoo.org jaervosz@gentoo.org 2007-10-25 19:03:36 0000 Mono 1.2.5 (and earlier release) implementation of BigInteger is vulnerable to a buffer overflow in it's reduction step of the Montgomery-based Pow methods. While this affects the most recent Mono version this vulnerability is also present in all previous releases of Mono. The issue was found by a security audit (on an unnamed product) using Mono.Security.dll assembly done by IOActive. They also provided the patch to fix this issue. They want to coordinate the disclosure with us. jaervosz@gentoo.org 2007-10-25 19:05:58 0000 Created an attachment (id=134361) BigInteger_overflow-fix.diff jaervosz@gentoo.org 2007-10-25 19:10:45 0000 Jurek, if you want stable testing before the coordinated release date noted above please attach an updated ebuild to this bug. Do NOT commit anything yet. Also I'm not too familiar with mono so it might be in one of the other mono packages. jurek@gentoo.org 2007-10-25 22:08:37 0000 Does it mean they do not want upstream to be notified about this issue? Or have they already done it? Anyway, I'm all into pushing this forward. After applying the patch mono-1.2.5.1 builds fine, but I don't have any testcase to see if the problem is gone. Moreover, I'd also add latexer to CC list, cause he's the lead :). An updated ebuild and a patch that actually applies cleanly will follow jurek@gentoo.org 2007-10-25 22:09:44 0000 Created an attachment (id=134384) ebuild with patch applied jurek@gentoo.org 2007-10-25 22:10:12 0000 Created an attachment (id=134385) updated patch jaervosz@gentoo.org 2007-10-26 07:21:42 0000 Thx Jurek. Upstream have already been informed, I should have mentioned that in the first place. Arch security liaisons please test and report back on this bug. Do NOT commit anything yadayada:) py@gentoo.org 2007-11-02 22:47:04 0000 public now. Jurek, I think you can commit the corrected ebuild. Arches liaisons, did you get a chance to test it? jurek@gentoo.org 2007-11-03 00:39:05 0000 Done. We should also stabilize this ASAP. rbu@gentoo.org 2007-11-03 11:45:55 0000 Seems none of the liaisons tested it till now. Arches, please test and mark stable dev-lang/mono-1.2.5.1-r1. Target keywords : "amd64 ppc x86" rbu@gentoo.org 2007-11-03 23:55:06 0000 glsa filed. cla@gentoo.org 2007-11-04 09:34:41 0000 Stable on x86 dertobi123@gentoo.org 2007-11-06 17:28:07 0000 ppc stable wolf31o2@gentoo.org 2007-11-06 22:49:35 0000 amd64 done rbu@gentoo.org 2007-11-07 01:23:06 0000 GLSA filed. py@gentoo.org 2007-11-07 23:13:25 0000 GLSA 200711-10 134361 2007-10-25 19:05 0000 BigInteger_overflow-fix.diff BigInteger_overflow-fix.diff text/plain KioqIEJpZ0ludGVnZXIuY3Mub2xkCUZyaSBBdWcgMjQgMTM6MjM6MTUgMjAwNwotLS0gQmlnSW50 ZWdlci5jcwlGcmkgQXVnIDI0IDEzOjQzOjIyIDIwMDcKKioqKioqKioqKioqKioqCioqKiAxNjA3 LDE2MTMgKioqKgogIAkJCQkJCXVpbnQgaiA9IDE7CiAgCiAgCQkJCQkJLy8gTXVsdGlwbHkgYW5k IGFkZAohIAkJCQkJCWZvciAoOyBqIDwgbS5sZW5ndGg7IGorKykgewogIAkJCQkJCQljICs9ICh1 bG9uZyl1X2kgKiAodWxvbmcpKihtUCsrKSArICooYVNQKyspOwogIAkJCQkJCQkqKGFEUCsrKSA9 ICh1aW50KWM7CiAgCQkJCQkJCWMgPj49IDMyOwotLS0gMTYwNywxNjEzIC0tLS0KICAJCQkJCQl1 aW50IGogPSAxOwogIAogIAkJCQkJCS8vIE11bHRpcGx5IGFuZCBhZGQKISAJCQkJCQlmb3IgKDsg aiA8IG0ubGVuZ3RoICYmIGogPCBBLmxlbmd0aDsgaisrKSB7CiAgCQkJCQkJCWMgKz0gKHVsb25n KXVfaSAqICh1bG9uZykqKG1QKyspICsgKihhU1ArKyk7CiAgCQkJCQkJCSooYURQKyspID0gKHVp bnQpYzsKICAJCQkJCQkJYyA+Pj0gMzI7Cg== 134384 2007-10-25 22:09 0000 ebuild with patch applied mono-1.2.5.1-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA3IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2Rldi1sYW5nL21vbm8vbW9uby0xLjIuNS4xLmVi dWlsZCx2IDEuMSAyMDA3LzA5LzIwIDIzOjE4OjMxIGp1cmVrIEV4cCAkCgppbmhlcml0IGV1dGls cyBmbGFnLW8tbWF0aWMgbXVsdGlsaWIgYXV0b3Rvb2xzCgpERVNDUklQVElPTj0iTW9ubyBydW50 aW1lIGFuZCBjbGFzcyBsaWJyYXJpZXMsIGEgQyMgY29tcGlsZXIvaW50ZXJwcmV0ZXIiCkhPTUVQ QUdFPSJodHRwOi8vd3d3LmdvLW1vbm8uY29tIgpTUkNfVVJJPSJodHRwOi8vd3d3LmdvLW1vbm8u Y29tL3NvdXJjZXMvbW9uby8ke1B9LnRhci5iejIiCgpMSUNFTlNFPSJ8fCAoIEdQTC0yIExHUEwt MiBYMTEgKSIKU0xPVD0iMCIKS0VZV09SRFM9In5hbWQ2NCB+cHBjIH5zcGFyYyB+eDg2IH54ODYt ZmJzZCIKSVVTRT0iWCBucHRsIgoKUkRFUEVORD0iITxkZXYtZG90bmV0L3BuZXQtMC42LjEyCgkJ ID49ZGV2LWxpYnMvZ2xpYi0yLjYKCQkgbnB0bD8gKCA+PXN5cy1kZXZlbC9nY2MtMy4zLjUtcjEg KQoJCSBwcGM/CSgKCQkJCQk+PXN5cy1kZXZlbC9nY2MtMy4yLjMtcjQKCQkJCQk+PXN5cy1saWJz L2dsaWJjLTIuMy4zX3ByZTIwMDQwNDIwCgkJCQkpCgkJIFg/ICggPj1kZXYtZG90bmV0L2xpYmdk aXBsdXMtMS4yLjQgKSIKREVQRU5EPSIke1JERVBFTkR9CgkJICBzeXMtZGV2ZWwvYmMKCQk+PWRl di11dGlsL3BrZ2NvbmZpZy0wLjE5IgpQREVQRU5EPSJkZXYtZG90bmV0L3BlLWZvcm1hdCIKCiMg UGFyYWxsZWwgYnVpbGQgdW5mcmllbmRseQpNQUtFT1BUUz0iJHtNQUtFT1BUU30gLWoxIgoKUkVT VFJJQ1Q9InRlc3QiCgpmdW5jdGlvbiBnZXQtbWVtb3J5LXRvdGFsKCkgewoJY2F0IC9wcm9jL21l bWluZm8gfCBncmVwIE1lbVRvdGFsIHwgc2VkIC1yICJzL1teMC05XSooW1swLTldKykuKi9cMS8i Cn0KCnNyY191bnBhY2soKSB7Cgl1bnBhY2sgJHtBfQoJY2QgJHtTfQoKCSMgRml4IHRoZSBpbnN0 YWxsIHBhdGgsIGluc3RhbGwgaW50byAkKGxpYmRpcikKCXNlZCAtaSAtZSAnczokKHByZWZpeCkv bGliOiQobGliZGlyKTonICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXAoJCS1p IC1lICdzOiQoZXhlY19wcmVmaXgpL2xpYjokKGxpYmRpcik6JyAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICBcCgkJLWkgLWUgInM6J21vbm9fbGliZGlyPVwke2V4ZWNfcHJlZml4fS9saWIn OlwibW9ub19saWJkaXI9XCRsaWJkaXJcIjoiIFwKCQkke1N9L3tzY3JpcHRzLG1vbm8vbWV0YWRh dGF9L01ha2VmaWxlLmFtICR7U30vY29uZmlndXJlLmluICAgICAgICAgICAgXAoJfHwgZGllICJz ZWQgZmFpbGVkIgoKCXNlZCAtaSAtZSAnczpebGliZGlyLio6bGliZGlyPUBsaWJkaXJAOicgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXAoJCS1pIC1lICdzOiR7cHJlZml4fS9saWIv OiR7bGliZGlyfS86ZycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcCgkJJHtTfS97 c2NyaXB0cyx9LyoucGMuaW4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIFwKCXx8IGRpZSAic2VkIGZhaWxlZCIKCgllcGF0Y2ggJHtGSUxFU0RJUn0vJHtQTn0t MS4yLjQtcGljLnBhdGNoIHx8IGRpZSAicGF0Y2ggZmFpbGVkIgoKCSMgUmVtb3ZlIGR1bW15IGx0 Y29uZmlnIGFuZCBsZXQgbGlidG9vbCBoYW5kbGUgaXQKCXJtIC1mICR7U30vbGliZ2MvbHRjb25m aWcKCgllcGF0Y2ggJHtGSUxFU0RJUn0vbW9uby1iaWdpbnRlZ2VyX292ZXJmbG93LmRpZmYKCgll aW5mbyAiUmVnZW5lcmF0aW5nIHRoZSBidWlsZCBmaWxlcywgdGhpcyB3aWxsIHRha2Ugc29tZSB0 aW1lLi4uIgoJZWF1dG9yZWNvbmYKfQoKc3JjX2NvbXBpbGUoKSB7CgkjIG1vbm8ncyBidWlsZCBz eXN0ZW0gaXMgZmluaWt5LCBzdHJpcCB0aGUgZmxhZ3MKCXN0cmlwLWZsYWdzCgoJIyBFbmFibGUg dGhlIDIuMCBGWCwgdXNlIHRoZSBzeXN0ZW0gZ2xpYiBhbmQgdGhlIGdjCglsb2NhbCBteWNvbmY9 Ii0td2l0aC1wcmV2aWV3PXllcyAtLXdpdGgtZ2xpYj1zeXN0ZW0gLS13aXRoLWdjPWluY2x1ZGVk IgoKCSMgVGhyZWFkaW5nIHN1cHBvcnQKCWlmIHVzZSBhbWQ2NCB8fCB1c2UgbnB0bCA7IHRoZW4K CQkjIGZvcmNlIF9fdGhyZWFkIG9uIGFtZDY0IChidWcgIzgzNzcwKQoJCW15Y29uZj0iJHtteWNv bmZ9IC0td2l0aC10bHM9X190aHJlYWQiCgllbHNlCgkJbXljb25mPSIke215Y29uZn0gLS13aXRo LXRscz1wdGhyZWFkIgoJZmkKCgkjIEVuYWJsZSBsYXJnZSBoZWFwcyBpZiBtZW1vcnkgaXMgbW9y ZSB0aGFuID49M0dCCglpZiBbWyAkKGdldC1tZW1vcnktdG90YWwpIC1nZSAzMTQ1NzI4IF1dIDsg dGhlbgoJCW15Y29uZj0iJHtteWNvbmZ9IC0td2l0aC1sYXJnZS1oZWFwPXllcyIKCWZpCgoJIyBG b3JjZSB0aGUgdXNlIG9mIG1vbm9saXRlIG1jcyB0byBwcmV2ZW50IGlzc3VlcyB3aXRoIGNsYXNz bGlicyAoYnVnICMxMTgwNjIpCgl0b3VjaCAke1N9L21jcy9idWlsZC9kZXBzL3VzZS1tb25vbGl0 ZQoKCWVjb25mICR7bXljb25mfSB8fCBkaWUgImNvbmZpZ3VyZSBmYWlsZWQiCgllbWFrZSBFWFRF Uk5BTF9NQ1M9ZmFsc2UgRVhURVJOQUxfTU9OTz1mYWxzZQoKCWlmIFtbICIkPyIgLW5lICIwIiBd XTsgdGhlbgoJCWV3YXJuICJJZiB5b3UgYXJlIHVzaW5nIGFueSBoYXJkZW5pbmcgZmVhdHVyZXMg c3VjaCBhcyIKCQlld2FybiAiUElFK1NTUC9TRUxpbnV4L2dyc2VjL1BBWCB0aGVuIG1vc3QgcHJv YmFibHkgdGhpcyBpcyB0aGUgcmVhc29uIgoJCWV3YXJuICJ3aHkgYnVpbGQgaGFzIGZhaWxlZC4g SW4gdGhpcyBjYXNlIHR1cm4gYW55IGFjdGl2ZSBzZWN1cml0eSIKCQlld2FybiAiZW5oYW5jZW1l bnRzIG9mZiBhbmQgdHJ5IGVtZXJnaW5nIHRoZSBwYWNrYWdlIGFnYWluIgoJCWRpZQoJZmkKfQoK c3JjX3Rlc3QoKSB7Cgl2ZWNobyAiPj4+IFRlc3QgcGhhc2UgW2NoZWNrXTogJHtDQVRFR09SWX0v JHtQRn0iCgoJbWtkaXIgLXAgIiR7VH0vaG9tZS9tb25vIiB8fCBkaWUgIm1rZGlyIGhvbWUgZmFp bGVkIgoKCWV4cG9ydCBIT01FPSIke1R9L2hvbWUvbW9ubyIKCWV4cG9ydCBYREdfQ09ORklHX0hP TUU9IiR7VH0vaG9tZS9tb25vIgoJZXhwb3J0IFhER19EQVRBX0hPTUU9IiR7VH0vaG9tZS9tb25v IgoKCWlmICEgTENfQUxMPUMgZW1ha2UgLWoxIGNoZWNrOyB0aGVuCgkJaGFzcSB0ZXN0ICRGRUFU VVJFUyAmJiBkaWUgIk1ha2UgY2hlY2sgZmFpbGVkLiBTZWUgYWJvdmUgZm9yIGRldGFpbHMuIgoJ CWhhc3EgdGVzdCAkRkVBVFVSRVMgfHwgZWVycm9yICJNYWtlIGNoZWNrIGZhaWxlZC4gU2VlIGFi b3ZlIGZvciBkZXRhaWxzLiIKCWZpCn0KCnNyY19pbnN0YWxsKCkgewoJZW1ha2UgREVTVERJUj0i JHtEfSIgaW5zdGFsbCB8fCBkaWUgImluc3RhbGwgZmFpbGVkIgoKCWRvZG9jIEFVVEhPUlMgQ2hh bmdlTG9nIE5FV1MgUkVBRE1FCgoJZG9jaW50byBkb2NzCglkb2RvYyBkb2NzLyoKCglkb2NpbnRv IGxpYmdjCglkb2RvYyBsaWJnYy9DaGFuZ2VMb2cKfQo= 134385 2007-10-25 22:10 0000 updated patch mono-biginteger_overflow.diff text/plain LS0tIG1jcy9jbGFzcy9jb3JsaWIvTW9uby5NYXRoL0JpZ0ludGVnZXIuY3MJMjAwNy0wOS0xOSAx OTowNjowNi4wMDAwMDAwMDAgKzAyMDAKKysrIG1jcy9jbGFzcy9jb3JsaWIvTW9uby5NYXRoL0Jp Z0ludGVnZXIuY3MJMjAwNy0xMC0yNSAyMzo0Njo1NS4wMDAwMDAwMDAgKzAyMDAKQEAgLTE2MDcs NyArMTYwNyw3IEBACiAJCQkJCQl1aW50IGogPSAxOwogCiAJCQkJCQkvLyBNdWx0aXBseSBhbmQg YWRkCi0JCQkJCQlmb3IgKDsgaiA8IG0ubGVuZ3RoOyBqKyspIHsKKwkJCQkJCWZvciAoOyBqIDwg bS5sZW5ndGggJiYgaiA8IEEubGVuZ3RoOyBqKyspIHsKIAkJCQkJCQljICs9ICh1bG9uZyl1X2kg KiAodWxvbmcpKihtUCsrKSArICooYVNQKyspOwogCQkJCQkJCSooYURQKyspID0gKHVpbnQpYzsK IAkJCQkJCQljID4+PSAzMjsKLS0tIG1jcy9jbGFzcy9Nb25vLlNlY3VyaXR5L01vbm8uTWF0aC9C aWdJbnRlZ2VyLmNzCTIwMDctMDctMjQgMjM6NDg6NTAuMDAwMDAwMDAwICswMjAwCisrKyBtY3Mv Y2xhc3MvTW9uby5TZWN1cml0eS9Nb25vLk1hdGgvQmlnSW50ZWdlci5jcwkyMDA3LTEwLTI1IDIz OjQ1OjAxLjAwMDAwMDAwMCArMDIwMApAQCAtMTYwMSw3ICsxNjAxLDcgQEAKIAkJCQkJCXVpbnQg aiA9IDE7CiAKIAkJCQkJCS8vIE11bHRpcGx5IGFuZCBhZGQKLQkJCQkJCWZvciAoOyBqIDwgbS5s ZW5ndGg7IGorKykgeworCQkJCQkJZm9yICg7IGogPCBtLmxlbmd0aCAmJiBqIDwgQS5sZW5ndGg7 IGorKykgewogCQkJCQkJCWMgKz0gKHVsb25nKXVfaSAqICh1bG9uZykqKG1QKyspICsgKihhU1Ar Kyk7CiAJCQkJCQkJKihhRFArKykgPSAodWludCljOwogCQkJCQkJCWMgPj49IDMyOwo=