Bug 636264 (CVE-2017-3736)

Summary:	<dev-libs/openssl-{1.0.2m,1.1.0g}: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	alwag, base-system
Priority:	Normal	Keywords:	STABLEREQ
Version:	unspecified	Flags:	stable-bot: sanity-check+
Hardware:	All
OS:	Linux
URL:	https://www.openssl.org/news/secadv/20170828.txt
Whiteboard:	A3 [glsa cve cleanup]
Package list:	=dev-libs/openssl-1.0.2m	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	629290

Description GLSAMaker/CVETool Bot gentoo-dev

2017-11-02 15:49:23 UTC

CVE-2017-3735 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3735):
  While parsing an IPAddressFamily extension in an X.509 certificate, it is
  possible to do a one-byte overread. This would result in an incorrect text
  display of the certificate. This bug has been present since 2006 and is
  present in all versions of OpenSSL since then.

CVE-2017-3736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3736):
  bn_sqrx8x_internal carry bug on x86_64

Comment 1 Larry the Git Cow gentoo-dev

2017-11-02 15:58:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddc7a2854b198ea1377a9b109a1d366e4c3099e0

commit ddc7a2854b198ea1377a9b109a1d366e4c3099e0
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-11-02 15:57:41 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-11-02 15:57:55 +0000

    dev-libs/openssl: Bump for CVE-2017-{3735,3736}
    
    Bug: https://bugs.gentoo.org/629290
    Bug: https://bugs.gentoo.org/636264
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 dev-libs/openssl/Manifest              |   2 +
 dev-libs/openssl/openssl-1.0.2m.ebuild | 254 +++++++++++++++++++++++++++++++++
 dev-libs/openssl/openssl-1.1.0g.ebuild | 240 +++++++++++++++++++++++++++++++
 3 files changed, 496 insertions(+)}

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2017-11-02 16:02:34 UTC

@ Arches,

please test and mark stable: =dev-libs/openssl-1.0.2m

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-11-02 21:17:51 UTC

x86 stable

Comment 4 Manuel Rüger (RETIRED) gentoo-dev

2017-11-02 21:47:46 UTC

Stable on amd64

Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev

2017-11-04 13:06:05 UTC

ia64 stable

Comment 6 Tobias Klausmann (RETIRED) gentoo-dev

2017-11-08 12:51:57 UTC

Stable on alpha.

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2017-11-09 07:30:17 UTC

hppa stable (by Jeroen Roovers)

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2017-11-10 08:31:52 UTC

ppc/ppc64 stable

Comment 9 Markus Meier gentoo-dev

2017-11-19 15:12:42 UTC

arm stable

Comment 10 Aaron Bauman (RETIRED) gentoo-dev

2017-11-19 17:51:30 UTC

arm64 is unstable arch.

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2017-11-24 02:21:06 UTC

GLSA request filed.

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2017-11-27 21:14:40 UTC

sparc stable (thanks to Rolf Eike Beer)

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2017-12-14 18:25:23 UTC

This issue was resolved and addressed in
 GLSA 201712-03 at https://security.gentoo.org/glsa/201712-03
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 14 Yury German Gentoo Infrastructure

2019-04-27 18:57:05 UTC

*** Bug 635584 has been marked as a duplicate of this bug. ***