Bug 571102

Summary: <net-libs/mbedtls-2.2.1: Double free and MD5 signature issue (SLOTH)
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: blueness, hasufell, slawomir.nizio, tommy
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released
See Also: https://bugs.gentoo.org/show_bug.cgi?id=537108
          https://bugs.gentoo.org/show_bug.cgi?id=620504
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2016-01-06 18:54:40 UTC
mbedtls has released updated versions that fix a double free vuln and an MD5 signature issue related to the SLOTH attack:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released

Here's the info about the SLOTH attack:
http://www.mitls.org/pages/attacks/SLOTH

polarssl (the older name of mbedtls) is also affected. Gentoo currently still has an ebuild for polarssl 1.3.9. While upstream released an update for an old polarssl branch (1.2.19), there seems to be no update for polarssl 1.3.9. So polarssl probably should be removed completely.
Comment 1 Anthony Basile gentoo-dev 2017-01-28 17:56:10 UTC
All <net-libs/mbedtls-2.2.1 ebuilds are off the tree. However, all the polarssl ebuilds are vulnerable. We should mask polarssl for removal.

@tommy, do you want to take care of polarssl, since it's your package?
Comment 2 Thomas Sachau gentoo-dev 2017-05-13 13:55:26 UTC
The remaining packages depending on polarssl have open bugs assigned, bug 618354 tracks them.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-06-03 12:41:42 UTC
I split out net-libs/polarssl into bug 620504.

The SLOTH issue is CVE-2015-7575.

Added to an existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:46:01 UTC
This issue was resolved and addressed in GLSA 201706-18 at https://security.gentoo.org/glsa/201706-18 by GLSA coordinator Kristian Fiskerstrand (K_F).