Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 636264 (CVE-2017-3736)

Summary: <dev-libs/openssl-{1.0.2m,1.1.0g}: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alwag, base-system
Priority: Normal Keywords: STABLEREQ
Version: unspecifiedFlags: stable-bot: sanity-check+
Hardware: All   
OS: Linux   
URL: https://www.openssl.org/news/secadv/20170828.txt
Whiteboard: A3 [glsa cve cleanup]
Package list:
=dev-libs/openssl-1.0.2m
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 629290    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-02 15:49:23 UTC
CVE-2017-3735 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3735):
  While parsing an IPAddressFamily extension in an X.509 certificate, it is
  possible to do a one-byte overread. This would result in an incorrect text
  display of the certificate. This bug has been present since 2006 and is
  present in all versions of OpenSSL since then.

CVE-2017-3736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3736):
  bn_sqrx8x_internal carry bug on x86_64
Comment 1 Larry the Git Cow gentoo-dev 2017-11-02 15:58:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddc7a2854b198ea1377a9b109a1d366e4c3099e0

commit ddc7a2854b198ea1377a9b109a1d366e4c3099e0
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-11-02 15:57:41 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-11-02 15:57:55 +0000

    dev-libs/openssl: Bump for CVE-2017-{3735,3736}
    
    Bug: https://bugs.gentoo.org/629290
    Bug: https://bugs.gentoo.org/636264
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 dev-libs/openssl/Manifest              |   2 +
 dev-libs/openssl/openssl-1.0.2m.ebuild | 254 +++++++++++++++++++++++++++++++++
 dev-libs/openssl/openssl-1.1.0g.ebuild | 240 +++++++++++++++++++++++++++++++
 3 files changed, 496 insertions(+)}
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-11-02 16:02:34 UTC
@ Arches,

please test and mark stable: =dev-libs/openssl-1.0.2m
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-11-02 21:17:51 UTC
x86 stable
Comment 4 Manuel RĂ¼ger (RETIRED) gentoo-dev 2017-11-02 21:47:46 UTC
Stable on amd64
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-04 13:06:05 UTC
ia64 stable
Comment 6 Tobias Klausmann gentoo-dev 2017-11-08 12:51:57 UTC
Stable on alpha.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-09 07:30:17 UTC
hppa stable (by Jeroen Roovers)
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-10 08:31:52 UTC
ppc/ppc64 stable
Comment 9 Markus Meier gentoo-dev 2017-11-19 15:12:42 UTC
arm stable
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-19 17:51:30 UTC
arm64 is unstable arch.
Comment 11 Thomas Deutschmann gentoo-dev Security 2017-11-24 02:21:06 UTC
GLSA request filed.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-27 21:14:40 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-12-14 18:25:23 UTC
This issue was resolved and addressed in
 GLSA 201712-03 at https://security.gentoo.org/glsa/201712-03
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 18:57:05 UTC
*** Bug 635584 has been marked as a duplicate of this bug. ***