
Bug 197067

Summary: dev-lang/mono < 1.2.5-r1 Buffer overflow in BigInteger (CVE-2007-5197)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Attachments (description, flags):
BigInteger_overflow-fix.diff (flags: none)
ebuild with patch applied (flags: none)
updated patch (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-25 19:03:36 UTC
Mono 1.2.5 (and earlier releases) implementation of BigInteger is vulnerable to
a buffer overflow in its reduction step of the Montgomery-based Pow methods.

While this affects the most recent Mono version this vulnerability is also
present in all previous releases of Mono.

The issue was found by a security audit (on an unnamed product) using the
Mono.Security.dll assembly, done by IOActive. They also provided the patch to
fix this issue. They want to coordinate the disclosure with us.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-25 19:05:58 UTC
Created attachment 134361 [details, diff]
BigInteger_overflow-fix.diff
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-25 19:10:45 UTC
Jurek, if you want stable testing before the coordinated release date noted above please attach an updated ebuild to this bug. Do NOT commit anything yet. Also I'm not too familiar with mono so it might be in one of the other mono packages.
Comment 3 Jurek Bartuszek (RETIRED) gentoo-dev 2007-10-25 22:08:37 UTC
Does it mean they do not want upstream to be notified about this issue? Or have they already done it? Anyway, I'm all into pushing this forward. After applying the patch mono-1.2.5.1 builds fine, but I don't have any testcase to see if the problem is gone. Moreover, I'd also add latexer to CC list, cause he's the lead :).

An updated ebuild and a patch that actually applies cleanly will follow.
Comment 4 Jurek Bartuszek (RETIRED) gentoo-dev 2007-10-25 22:09:44 UTC
Created attachment 134384 [details]
ebuild with patch applied
Comment 5 Jurek Bartuszek (RETIRED) gentoo-dev 2007-10-25 22:10:12 UTC
Created attachment 134385 [details, diff]
updated patch
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-26 07:21:42 UTC
Thx Jurek. Upstream have already been informed, I should have mentioned that in the first place.

Arch security liaisons please test and report back on this bug. Do NOT commit anything yadayada:)
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-02 22:47:04 UTC
Public now. Jurek, I think you can commit the corrected ebuild.
Arches liaisons, did you get a chance to test it?
Comment 8 Jurek Bartuszek (RETIRED) gentoo-dev 2007-11-03 00:39:05 UTC
Done. We should also stabilize this ASAP.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 11:45:55 UTC
Seems none of the liaisons tested it till now.

Arches, please test and mark stable dev-lang/mono-1.2.5.1-r1.
Target keywords : "amd64 ppc x86"
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 23:55:06 UTC
glsa filed.
Comment 11 Dawid Węgliński (RETIRED) gentoo-dev 2007-11-04 09:34:41 UTC
Stable on x86
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-06 17:28:07 UTC
ppc stable
Comment 13 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-06 22:49:35 UTC
amd64 done
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 01:23:06 UTC
GLSA filed.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-07 23:13:25 UTC
GLSA 200711-10