Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 760729 (CVE-2020-28052)

Summary: <dev-java/bcprov-1.69: Invalid password comparison logic for bcrypt (CVE-2020-28052)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: fordfrog, java
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=717950
https://github.com/gentoo/gentoo/pull/21479
Whiteboard: B3 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 799749, 820428    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 14:32:33 UTC 
We need to work through the rdeps once bumped.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 14:33:34 UTC 
Please bump to 1.67 and we'll go from there re revdeps.
Comment 2 Larry the Git Cow gentoo-dev 2021-07-09 13:13:59 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfe4c8498cf254cfdd4833fe2640e9b16afea15a

commit dfe4c8498cf254cfdd4833fe2640e9b16afea15a
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-06-22 12:41:52 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-07-09 13:02:02 +0000

    dev-java/bcprov: bump to 1.69
    
    Bug: https://bugs.gentoo.org/797634
    Bug: https://bugs.gentoo.org/760729
    
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/21479/commits/0357e38e7a6ac560da6e6de9c29bc40c3b5cd7eb
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/bcprov/Manifest           |  1 +
 dev-java/bcprov/bcprov-1.69.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 dev-java/bcprov/metadata.xml       |  3 ++
 3 files changed, 82 insertions(+)
Comment 3 Miroslav Šulc gentoo-dev 2021-07-09 16:07:20 UTC 
should be safe to stabilize, it passes all tests.
Comment 4 NATTkA bot gentoo-dev Security 2021-10-27 02:13:02 UTC 
Resetting sanity check; package list is empty or all packages are done.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-27 02:15:06 UTC 
I went ahead and popped stabilization out from here to keep the blockers since they were unrelated to the stabilization
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-26 05:07:17 UTC 
Please cleanup
Comment 7 Miroslav Šulc gentoo-dev 2021-11-26 08:10:48 UTC 
we still need to resolve packages that depend on bcprov:1.50