Bug 197067 - dev-lang/mono < 1.2.5-r1 Buffer overflow in BigInteger (CVE-2007-5197)
Bug#: 197067 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
Summary: dev-lang/mono < 1.2.5-r1 Buffer overflow in BigInteger (CVE-2007-5197)
Status Whiteboard: B1 [glsa]
Opened: 2007-10-25 19:03 0000
Description:
The Mono 1.2.5 (and earlier releases) implementation of BigInteger is vulnerable to
a buffer overflow in its reduction step of the Montgomery-based Pow methods.

While this affects the most recent Mono version, this vulnerability is also
present in all previous releases of Mono.

The issue was found by a security audit (on an unnamed product) using the
Mono.Security.dll assembly, done by IOActive. They also provided the patch to
fix this issue. They want to coordinate the disclosure with us.

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-10-25 19:05:58 0000 -------
Created an attachment (id=134361)
BigInteger_overflow-fix.diff

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-10-25 19:10:45 0000 -------
Jurek, if you want stable testing before the coordinated release date noted
above, please attach an updated ebuild to this bug. Do NOT commit anything yet.
Also, I'm not too familiar with mono, so it might be in one of the other mono
packages.

------- Comment #3 From Jurek Bartuszek 2007-10-25 22:08:37 0000 -------
Does it mean they do not want upstream to be notified about this issue? Or have
they already done it? Anyway, I'm all into pushing this forward. After applying
the patch, mono-1.2.5.1 builds fine, but I don't have any test case to see if the
problem is gone. Moreover, I'd also add latexer to the CC list, because he's the lead
:).

An updated ebuild and a patch that actually applies cleanly will follow.

------- Comment #4 From Jurek Bartuszek 2007-10-25 22:09:44 0000 -------
Created an attachment (id=134384)
ebuild with patch applied

------- Comment #5 From Jurek Bartuszek 2007-10-25 22:10:12 0000 -------
Created an attachment (id=134385)
updated patch

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-10-26 07:21:42 0000 -------
Thanks Jurek. Upstream has already been informed; I should have mentioned that in
the first place.

Arch security liaisons please test and report back on this bug. Do NOT commit
anything yadayada:)

------- Comment #7 From Pierre-Yves Rofes 2007-11-02 22:47:04 0000 -------
Public now. Jurek, I think you can commit the corrected ebuild.
Arches liaisons, did you get a chance to test it?

------- Comment #8 From Jurek Bartuszek 2007-11-03 00:39:05 0000 -------
Done. We should also stabilize this ASAP.

------- Comment #9 From Robert Buchholz 2007-11-03 11:45:55 0000 -------
It seems none of the liaisons has tested it yet.

Arches, please test and mark stable dev-lang/mono-1.2.5.1-r1.
Target keywords : "amd64 ppc x86"

------- Comment #10 From Robert Buchholz 2007-11-03 23:55:06 0000 -------
GLSA filed.

------- Comment #11 From Dawid Węgliński 2007-11-04 09:34:41 0000 -------
Stable on x86

------- Comment #12 From Tobias Scherbaum 2007-11-06 17:28:07 0000 -------
ppc stable

------- Comment #13 From Chris Gianelloni (RETIRED) 2007-11-06 22:49:35 0000 -------
amd64 done

------- Comment #14 From Robert Buchholz 2007-11-07 01:23:06 0000 -------
GLSA filed.

------- Comment #15 From Pierre-Yves Rofes 2007-11-07 23:13:25 0000 -------
GLSA 200711-10