Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 761412 (CVE-2019-17362)

Summary: dev-libs/libtomcrypt: Out of bounds read (CVE-2019-17362)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: mgorny, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/libtom/libtomcrypt/issues/507
Whiteboard: B3 [upstream/ebuild?]
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-12-23 17:48:31 UTC
Description:
"In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data."

Patch 1: https://github.com/libtom/libtomcrypt/commit/25c26a3b7a9ad8192ccc923e15cf62bf0108ef94

Patch 2 (adds test): 
https://github.com/libtom/libtomcrypt/commit/91856f003f9095e5a1fb461ffe9e434f735e8ac6 (not on a branch?)
https://github.com/libtom/libtomcrypt/issues/507#issuecomment-750382569
Comment 1 Sam James archtester gentoo-dev Security 2020-12-23 17:49:07 UTC
I'll apply the patch later. Ideally, the comments on the test case patch would be resolved first.
Comment 2 Sam James archtester gentoo-dev Security 2021-01-10 16:43:47 UTC
(In reply to Sam James from comment #1)
> I'll apply the patch later. Ideally, the comments on the test case patch
> would be resolved first.

Look addressed now but can't test atm.
Comment 3 Sam James archtester gentoo-dev Security 2021-03-19 02:24:16 UTC
I'm not convinced this is actually fixed: https://github.com/libtom/libtomcrypt/issues/561
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:24:53 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:33:25 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:41:17 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:49:26 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:05:21 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:13:39 UTC
Package list is empty or all packages have requested keywords.