913880 – (CVE-2023-36328) <dev-libs/libtommath-1.2.1: Integer overflow

Bug 913880 (CVE-2023-36328) - <dev-libs/libtommath-1.2.1: Integer overflow

Summary: <dev-libs/libtommath-1.2.1: Integer overflow

Status:	IN_PROGRESS

Alias:	CVE-2023-36328

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [cleanup glsa?]
Keywords:

Depends on:	915352
Blocks:
	Show dependency tree

Reported:	2023-09-09 04:59 UTC by Sam James
Modified:	2023-10-09 06:02 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/libtom/libtommath/pull/546
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-09-09 04:59:07 UTC

Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).

Comment 1 Larry the Git Cow gentoo-dev

2023-09-09 05:03:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e4b7c3ada9725aa4cf21c16d6fac8fa985e4b2f

commit 9e4b7c3ada9725aa4cf21c16d6fac8fa985e4b2f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-09-09 04:57:54 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-09 04:59:22 +0000

    dev-libs/libtommath: add 1.2.1
    
    Bug: https://bugs.gentoo.org/913880
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libtommath/Manifest                |  1 +
 dev-libs/libtommath/libtommath-1.2.1.ebuild | 96 +++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)