Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 197067 - dev-lang/mono < 1.2.5-r1 Buffer overflow in BigInteger (CVE-2007-5197)
Summary: dev-lang/mono < 1.2.5-r1 Buffer overflow in BigInteger (CVE-2007-5197)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-25 19:03 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-11-08 01:31 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
BigInteger_overflow-fix.diff (BigInteger_overflow-fix.diff,538 bytes, patch)
2007-10-25 19:05 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
ebuild with patch applied (mono-1.2.5.1-r1.ebuild,3.54 KB, text/plain)
2007-10-25 22:09 UTC, Jurek Bartuszek (RETIRED)
no flags Details
updated patch (mono-biginteger_overflow.diff,848 bytes, patch)
2007-10-25 22:10 UTC, Jurek Bartuszek (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2007-10-25 19:03:36 UTC
Mono 1.2.5 (and earlier release) implementation of BigInteger is vulnerable to
a buffer overflow in it's reduction step of the Montgomery-based Pow methods.

While this affects the most recent Mono version this vulnerability is also
present in all previous releases of Mono.

The issue was found by a security audit (on an unnamed product) using
Mono.Security.dll assembly done by IOActive. They also provided the patch to
fix this issue. They want to coordinate the disclosure with us.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-25 19:05:58 UTC
Created attachment 134361 [details, diff]
BigInteger_overflow-fix.diff
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-25 19:10:45 UTC
Jurek, if you want stable testing before the coordinated release date noted above please attach an updated ebuild to this bug. Do NOT commit anything yet. Also I'm not too familiar with mono so it might be in one of the other mono packages.
Comment 3 Jurek Bartuszek (RETIRED) gentoo-dev 2007-10-25 22:08:37 UTC
Does it mean they do not want upstream to be notified about this issue? Or have they already done it? Anyway, I'm all into pushing this forward. After applying the patch mono-1.2.5.1 builds fine, but I don't have any testcase to see if the problem is gone. Moreover, I'd also add latexer to CC list, cause he's the lead :).

An updated ebuild and a patch that actually applies cleanly will follow
Comment 4 Jurek Bartuszek (RETIRED) gentoo-dev 2007-10-25 22:09:44 UTC
Created attachment 134384 [details]
ebuild with patch applied
Comment 5 Jurek Bartuszek (RETIRED) gentoo-dev 2007-10-25 22:10:12 UTC
Created attachment 134385 [details, diff]
updated patch
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-26 07:21:42 UTC
Thx Jurek. Upstream have already been informed, I should have mentioned that in the first place.

Arch security liaisons please test and report back on this bug. Do NOT commit anything yadayada:)
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-02 22:47:04 UTC
public now. Jurek, I think you can commit the corrected ebuild.
Arches liaisons, did you get a chance to test it?
Comment 8 Jurek Bartuszek (RETIRED) gentoo-dev 2007-11-03 00:39:05 UTC
Done. We should also stabilize this ASAP.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 11:45:55 UTC
Seems none of the liaisons tested it till now.

Arches, please test and mark stable dev-lang/mono-1.2.5.1-r1.
Target keywords : "amd64 ppc x86"
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 23:55:06 UTC
glsa filed.
Comment 11 Dawid Węgliński (RETIRED) gentoo-dev 2007-11-04 09:34:41 UTC
Stable on x86
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-06 17:28:07 UTC
ppc stable
Comment 13 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-06 22:49:35 UTC
amd64 done
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 01:23:06 UTC
GLSA filed.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-07 23:13:25 UTC
GLSA 200711-10