507552 – <dev-libs/matrixssl-3.6.1: 'length underflow' vulnerability

Bug 507552 - <dev-libs/matrixssl-3.6.1: 'length underflow' vulnerability

Summary: <dev-libs/matrixssl-3.6.1: 'length underflow' vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~2 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-04-13 10:23 UTC by slash
Modified:	2014-04-13 13:46 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description slash 2014-04-13 10:23:09 UTC

Hi,

Available versions of dev-libs/matrixssl in Portage are ~3.2.2 ~3.4.2 but they are known as problematical (see [1] and [2]).
For security reasons, it would be wise to include the latest version (3.6.1) in Portage tree and to remove all versions =<3.6.1.


[1] https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
[2] http://www.matrixssl.org/news.html

Comment 1 Samuli Suominen (RETIRED) gentoo-dev

2014-04-13 11:04:53 UTC

3.6.1 in Portage, older removed, the package is ~arch only, reassigning to security@ for determining what to do next (propably just close the bug)

Comment 2 Agostino Sarubbo gentoo-dev

2014-04-13 13:46:49 UTC

Closing as noglsa