Bugzilla Bug 197067

Mono 1.2.5 (and earlier release) implementation of BigInteger is vulnerable to
a buffer overflow in it's reduction step of the Montgomery-based Pow methods.

While this affects the most recent Mono version this vulnerability is also
present in all previous releases of Mono.

The issue was found by a security audit (on an unnamed product) using
Mono.Security.dll assembly done by IOActive. They also provided the patch to
fix this issue. They want to coordinate the disclosure with us.

Created an attachment (id=134361) [details]
BigInteger_overflow-fix.diff

Jurek, if you want stable testing before the coordinated release date noted
above please attach an updated ebuild to this bug. Do NOT commit anything yet.
Also I'm not too familiar with mono so it might be in one of the other mono
packages.

Does it mean they do not want upstream to be notified about this issue? Or have
they already done it? Anyway, I'm all into pushing this forward. After applying
the patch mono-1.2.5.1 builds fine, but I don't have any testcase to see if the
problem is gone. Moreover, I'd also add latexer to CC list, cause he's the lead
:).

An updated ebuild and a patch that actually applies cleanly will follow

Created an attachment (id=134384) [details]
ebuild with patch applied

Created an attachment (id=134385) [details]
updated patch

Thx Jurek. Upstream have already been informed, I should have mentioned that in
the first place.

Arch security liaisons please test and report back on this bug. Do NOT commit
anything yadayada:)

public now. Jurek, I think you can commit the corrected ebuild.
Arches liaisons, did you get a chance to test it?

Done. We should also stabilize this ASAP.

Seems none of the liaisons tested it till now.

Arches, please test and mark stable dev-lang/mono-1.2.5.1-r1.
Target keywords : "amd64 ppc x86"

glsa filed.

Stable on x86

ppc stable

amd64 done

GLSA filed.

GLSA 200711-10