Bug 647800 (CVE-2017-18187, CVE-2018-0487, CVE-2018-0488)

Summary:	<net-libs/mbedtls-2.7.2: multiple vulnerabilites (CVE-2017-18187,CVE-2018-{0487,0488})
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	blueness
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B1 [glsa+ cve]
Package list:	=net-libs/mbedtls-2.7.2	Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2018-02-16 00:45:50 UTC

CVE-2018-0488 (https://nvd.nist.gov/vuln/detail/CVE-2018-0488):
  ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the
  truncated HMAC extension and CBC are used, allows remote attackers to
  execute arbitrary code or cause a denial of service (heap corruption) via a
  crafted application packet within a TLS or DTLS session.

CVE-2018-0487 (https://nvd.nist.gov/vuln/detail/CVE-2018-0487):
  ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote
  attackers to execute arbitrary code or cause a denial of service (buffer
  overflow) via a crafted certificate chain that is mishandled during
  RSASSA-PSS signature verification within a TLS or DTLS session.

CVE-2017-18187 (https://nvd.nist.gov/vuln/detail/CVE-2017-18187):
  In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an
  integer overflow in PSK identity parsing in the
  ssl_parse_client_psk_identity() function in library/ssl_srv.c.

Comment 1 Anthony Basile gentoo-dev

2018-03-02 22:51:07 UTC

=net-libs/mbedtls-2.7.1 is in the tree and should be rapid stabilized.

@arch teams, please stabilize

KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86"

Comment 2 Mart Raudsepp gentoo-dev

2018-03-02 23:53:03 UTC

arm64 stable

Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev

2018-03-03 09:35:05 UTC

ia64 stable

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2018-03-04 06:54:41 UTC

x86 stable

Comment 5 Jason Zaman gentoo-dev

2018-03-04 10:20:25 UTC

amd64 stable

Comment 6 Tobias Klausmann (RETIRED) gentoo-dev

2018-03-05 21:32:26 UTC

Stable on alpha.

Comment 7 Anthony Basile gentoo-dev

2018-03-07 15:47:10 UTC

stable on ppc and ppc64

Comment 8 Markus Meier gentoo-dev

2018-03-13 17:53:19 UTC

arm stable

Comment 9 Anthony Basile gentoo-dev

2018-04-11 11:43:38 UTC

We need to start over with  =net-libs/mbedtls-2.7.2  

KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 x86"



There have been more security updates.  See

https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released

Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev

2018-04-11 20:39:01 UTC

x86 stable

Comment 11 Mart Raudsepp gentoo-dev

2018-04-12 10:29:20 UTC

arm64 stable

Comment 12 Larry the Git Cow gentoo-dev

2018-04-14 18:47:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1de34aaeccc3b0c53f453c88a150f856d0bd723b

commit 1de34aaeccc3b0c53f453c88a150f856d0bd723b
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-14 18:44:45 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-14 18:47:10 +0000

    net-libs/mbedtls: amd64 stable
    
    Bug: https://bugs.gentoo.org/647800
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 net-libs/mbedtls/mbedtls-2.7.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}

Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev

2018-04-14 22:16:32 UTC

ia64 stable

Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev

2018-04-15 08:16:51 UTC

ppc64 stable

Comment 15 Larry the Git Cow gentoo-dev

2018-04-20 06:57:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebe4f6f1adf2e34c117c83b8713d1b25eb9f353f

commit ebe4f6f1adf2e34c117c83b8713d1b25eb9f353f
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-20 06:56:48 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 06:56:48 +0000

    net-libs/mbedtls: stable 2.7.2 for ppc, bug #647800
    
    Bug: https://bugs.gentoo.org/647800
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 net-libs/mbedtls/mbedtls-2.7.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}

Comment 16 Mikle Kolyada (RETIRED) archtester

2018-04-21 09:06:54 UTC

arm stable

Comment 17 Matt Turner gentoo-dev

2018-04-22 20:19:49 UTC

hppa stable

Comment 18 Matt Turner gentoo-dev

2018-04-22 20:29:28 UTC

alpha stable

Comment 19 Aaron Bauman (RETIRED) gentoo-dev

2018-04-22 21:30:18 UTC

GLSA request filed

@maintainer, please drop vulnerable.

Comment 20 Anthony Basile gentoo-dev

2018-04-22 22:54:29 UTC

(In reply to Aaron Bauman from comment #19)
> GLSA request filed
> 
> @maintainer, please drop vulnerable.

done.

Comment 21 GLSAMaker/CVETool Bot gentoo-dev

2018-04-22 23:50:30 UTC

This issue was resolved and addressed in
 GLSA 201804-19 at https://security.gentoo.org/glsa/201804-19
by GLSA coordinator Aaron Bauman (b-man).

Comment 22 Larry the Git Cow gentoo-dev

2018-05-19 18:15:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff53a14e3c0d1f26e269e4b6aa52a0350a87e750

commit ff53a14e3c0d1f26e269e4b6aa52a0350a87e750
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 17:46:31 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:03 +0000

    net-libs/mbedtls: stable 2.7.2 for sparc
    
    Bug: https://bugs.gentoo.org/647800
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 net-libs/mbedtls/mbedtls-2.7.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)