Bug 886001 (CVE-2022-46392, CVE-2022-46393, CVE-2023-43615, CVE-2023-45199) - <net-libs/mbedtls-{2.28.5,3.5.0}: multiple vulnerabilities
Summary: <net-libs/mbedtls-{2.28.5,3.5.0}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-46392, CVE-2022-46393, CVE-2023-43615, CVE-2023-45199
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/Mbed-TLS/mbedtls/r...
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 916397
Blocks:
Reported: 2022-12-14 23:29 UTC by John Helmert III
Modified: 2024-01-14 08:24 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-14 23:29:22 UTC
"Security
   * Fix potential heap buffer overread and overwrite in DTLS if
     MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
     MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
   * An adversary with access to precise enough information about memory
     accesses (typically, an untrusted operating system attacking a secure
     enclave) could recover an RSA private key after observing the victim
     performing a single private-key operation if the window size used for the
     exponentiation was 3 or smaller. Found and reported by Zili KOU,
     Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
     and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
     and Test in Europe 2023."

Please bump to 2.28.2.
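The second item in the quoted changelog (CVE-2022-46392) describes a memory-access side channel on sliding-window exponentiation. The following added example is a toy model of that leak class, not Mbed TLS's bignum code: a textbook left-to-right sliding-window `modexp` over 64-bit integers logs every table lookup and squaring the way a co-located cache attacker would observe them, and an attacker routine rebuilds the full exponent from that log. It does not model why the real Mbed TLS leak depended on the window size being 3 or smaller; it only shows that once table indices and the square/multiply sequence are visible, every exponent bit is determined. The modulus, base and exponent are constructed values, and `leak_demo`, `modexp_sw`, `recover_exponent` and `trace_t` are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustrative model (not Mbed TLS code): a textbook left-to-right
 * sliding-window exponentiation whose table lookups and squarings are logged,
 * and an "attacker" that rebuilds the exponent from that log alone. */

#define MAX_TRACE 512

/* One observed operation: 'S' = squaring, 'M' = multiply by table entry idx. */
typedef struct { char op; unsigned idx; } event_t;
typedef struct { event_t ev[MAX_TRACE]; size_t n; } trace_t;

static void record(trace_t *t, char op, unsigned idx) {
    if (t->n < MAX_TRACE) { t->ev[t->n].op = op; t->ev[t->n].idx = idx; t->n++; }
}

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

static unsigned bitlen(uint64_t x) { unsigned n = 0; while (x) { n++; x >>= 1; } return n; }

/* Victim: base^e mod m with window size w (1 <= w <= 6 here). W[] holds the
 * odd powers base^1, base^3, ..., base^(2^w - 1). Each W[idx] access is
 * recorded as the attacker would observe it through the cache. */
uint64_t modexp_sw(uint64_t base, uint64_t e, uint64_t m, unsigned w, trace_t *t) {
    uint64_t W[64];
    uint64_t b2 = mulmod(base, base, m);
    W[1] = base % m;
    for (unsigned i = 3; i < (1u << w); i += 2) W[i] = mulmod(W[i - 2], b2, m);

    uint64_t r = 1 % m;
    int i = (int)bitlen(e) - 1;              /* leading zero bits are skipped */
    while (i >= 0) {
        if (((e >> i) & 1) == 0) {           /* zero bit outside a window */
            r = mulmod(r, r, m); record(t, 'S', 0); i--; continue;
        }
        int l = i - (int)w + 1; if (l < 0) l = 0;
        while (((e >> l) & 1) == 0) l++;     /* window must end on a 1 bit */
        unsigned k = (unsigned)(i - l + 1);  /* window length in bits */
        unsigned idx = (unsigned)((e >> l) & ((1u << k) - 1));
        for (unsigned s = 0; s < k; s++) { r = mulmod(r, r, m); record(t, 'S', 0); }
        r = mulmod(r, W[idx], m); record(t, 'M', idx);
        i = l - 1;
    }
    return r;
}

/* Attacker: bitlen(idx) of the squarings preceding a multiply belong to that
 * window and idx is the window's bit pattern; every other squaring is a zero
 * bit. That fixes every bit of e, whatever the window size. */
uint64_t recover_exponent(const trace_t *t) {
    uint64_t e = 0; unsigned pending = 0;
    for (size_t i = 0; i < t->n; i++) {
        if (t->ev[i].op == 'S') { pending++; continue; }
        unsigned k = bitlen(t->ev[i].idx);
        e <<= (pending - k);                 /* zero bits before the window */
        e = (e << k) | t->ev[i].idx;         /* the window itself */
        pending = 0;
    }
    return e << pending;                     /* trailing zero bits */
}

/* Reference square-and-multiply, to confirm the windowed result is right. */
uint64_t modexp_ref(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1 % m; b %= m;
    while (e) { if (e & 1) r = mulmod(r, b, m); b = mulmod(b, b, m); e >>= 1; }
    return r;
}

/* Returns 1 if the trace of computing 3^e mod p leaks e completely. */
int leak_demo(uint64_t e, unsigned w) {
    const uint64_t p = 1000000007ULL;        /* constructed toy modulus */
    trace_t t; t.n = 0;
    uint64_t r = modexp_sw(3, e, p, w, &t);
    return r == modexp_ref(3, e, p) && recover_exponent(&t) == e;
}

int main(void) {
    uint64_t e = 0xD3C6B1E5ULL;              /* constructed "private" exponent */
    printf("w=3 exponent recovered from trace: %s\n", leak_demo(e, 3) ? "yes" : "no");
    printf("w=5 exponent recovered from trace: %s\n", leak_demo(e, 5) ? "yes" : "no");
    return 0;
}
```

The defence is not a bigger window but making the table lookup and the square/multiply schedule independent of the exponent bits (constant-time selection across the whole table, fixed-window scheduling), which is what a TEE deployment needs since the untrusted OS controls paging and can observe memory access at fine granularity.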
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-17 21:43:25 UTC
Thanks for getting CVEs, whoever did it \o/
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-08 05:15:54 UTC
I see some others looking at https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-2.28/ChangeLog while bumping to 2.28.5..

2.28.3 (shouldn't affect us):
"""
Security
   * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
     builds that couldn't compile the GCC-style assembly implementation
     (most notably builds with Visual Studio), leaving them vulnerable to
     timing side-channel attacks. There is now an intrinsics-based AES-NI
     implementation as a fallback for when the assembly one cannot be used.
"""

2.28.5:
"""
Security
   * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
     review the size of the output buffer passed to this function, and note
     that the output after decryption may include CBC padding. Consider moving
     to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
     which checks for overflow of the output buffer and reports the actual
     length of the output.
   * Improve padding calculations in CBC decryption, NIST key unwrapping and
     RSA OAEP decryption. With the previous implementation, some compilers
     (notably recent versions of Clang and IAR) could produce non-constant
     time code, which could allow a padding oracle attack if the attacker
     has access to precise timing measurements.
   * Fix a buffer overread when parsing short TLS application data records in
     ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz.
"""
Comment 3 Larry the Git Cow gentoo-dev 2023-10-08 05:33:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f00b9e572f549402d60bed6ff200891ce9ffc1ba

commit f00b9e572f549402d60bed6ff200891ce9ffc1ba
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-10-08 05:16:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-08 05:16:13 +0000

    net-libs/mbedtls: add 2.28.5
    
    Bug: https://bugs.gentoo.org/886001
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/mbedtls/Manifest              |   1 +
 net-libs/mbedtls/mbedtls-2.28.5.ebuild | 109 +++++++++++++++++++++++++++++++++
 2 files changed, 110 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-26 22:37:31 UTC
CVE-2023-45199 (https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-2/):

Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow that can lead to remote Code execution.

CVE-2023-43615 (https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/):

Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow.
Comment 5 Larry the Git Cow gentoo-dev 2024-01-14 04:05:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2e3b903e7752dc31c1ace3843a505c1f331d831

commit e2e3b903e7752dc31c1ace3843a505c1f331d831
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2024-01-07 11:02:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-14 04:01:11 +0000

    net-libs/mbedtls: drop 2.28.1, 3.2.1
    
    Remove vulnerable versions.
    
    Bug: https://bugs.gentoo.org/886001
    
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/mbedtls/Manifest              |   2 -
 net-libs/mbedtls/mbedtls-2.28.1.ebuild | 102 ---------------------------------
 net-libs/mbedtls/mbedtls-3.2.1.ebuild  |  96 -------------------------------
 3 files changed, 200 deletions(-)