Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 907673 (CVE-2023-36660)

Summary: =dev-libs/nettle-3.9: Memory corruption in OCB handling
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ajak, base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [glsa+]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-06-01 22:28:43 UTC 
From nettle-3.9.1 release notes:
"""
NEWS for the Nettle 3.9.1 release
        This is a bugfix release, fixing a few bugs reported for
        Nettle-3.9. The bug in the new OCB code may be exploitable for
        denial of service or worse, since triggering it leads to
        memory corruption. Upgrading from Nettle-3.9 to the new
        version is strongly recommended.
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-06-01 22:30:59 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92d3f4da6045ef59eb4fa4ac99e63ef5f4c2fc95

commit 92d3f4da6045ef59eb4fa4ac99e63ef5f4c2fc95
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-01 22:30:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-01 22:30:46 +0000

    dev-libs/nettle: add 3.9.1
    
    Bug: https://bugs.gentoo.org/907673
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/nettle/Manifest            |  2 +
 dev-libs/nettle/nettle-3.9.1.ebuild | 89 +++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 23:31:28 UTC 
*** Bug 918610 has been marked as a duplicate of this bug. ***
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 23:32:10 UTC 
Let's tack this onto the the GLSA since we're doing a GLSA already for bug 806839.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-16 13:43:25 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9948613604a215d86e6a6c8ec06c466da8195f4c

commit 9948613604a215d86e6a6c8ec06c466da8195f4c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-16 13:42:42 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-16 13:43:13 +0000

    [ GLSA 202401-24 ] Nettle: Denial of Service
    
    Bug: https://bugs.gentoo.org/806839
    Bug: https://bugs.gentoo.org/907673
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-24.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2024-06-24 01:48:44 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c6a5f3292f4bdd6ee91724e76ec03a04742001b9

commit c6a5f3292f4bdd6ee91724e76ec03a04742001b9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-06-24 01:33:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-06-24 01:33:37 +0000

    dev-libs/nettle: drop 3.9-r1
    
    Bug: https://bugs.gentoo.org/907673
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/nettle/Manifest             |  2 -
 dev-libs/nettle/nettle-3.9-r1.ebuild | 96 ------------------------------------
 2 files changed, 98 deletions(-)