Mono 1.2.5's (and earlier releases') implementation of BigInteger is vulnerable to a buffer overflow in its reduction step of the Montgomery-based Pow methods. While this affects the most recent Mono version, this vulnerability is also present in all previous releases of Mono. The issue was found by a security audit (on an unnamed product) using the Mono.Security.dll assembly, done by IOActive. They also provided the patch to fix this issue. They want to coordinate the disclosure with us.
Created attachment 134361: BigInteger_overflow-fix.diff
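The report above only says that the overflow sits in the reduction step of the Montgomery-based Pow methods and that the fix is in the attached diff; it does not say what the faulty bounds computation was. The block below is an added illustration, not Mono's BigInteger code and not a reconstruction of the attached patch: it implements word-by-word Montgomery reduction (REDC) over fixed-width limbs and makes explicit the one place in that step where the intermediate result, which is bounded by 2N rather than N, can occupy one limb more than the modulus. Whether that is the exact spot IOActive's audit hit is an assumption; the limb width, the constructed modulus and the constructed input below are all chosen for the example.

```python
"""Montgomery reduction (REDC) over fixed-width limbs, showing where the
pre-subtraction result t = (x + u*N) / R needs n+1 limbs although the
modulus N needs only n.  Added example; not Mono's BigInteger code."""

W = 32            # bits per limb (assumption: a 32-bit word array)
B = 1 << W        # limb base
MASK = B - 1


def limb_count(N):
    """Number of W-bit limbs needed to hold N."""
    return (N.bit_length() + W - 1) // W


def limbs_of(x, n):
    """Little-endian limbs of x, exactly n of them; x must fit."""
    if not 0 <= x < B ** n:
        raise ValueError("value does not fit in %d limbs" % n)
    return [(x >> (W * i)) & MASK for i in range(n)]


def int_of(limbs):
    return sum(limb << (W * i) for i, limb in enumerate(limbs))


def redc_limbs(x, N):
    """Word-by-word REDC (HAC 14.32): returns (low n limbs of t, carry limb).

    Precondition 0 <= x < N*R with R = B**n guarantees t < 2N, so the carry
    limb is 0 or 1.  When N >= B**n / 2 it can be 1, and a destination
    buffer sized for n limbs cannot hold the result."""
    n = limb_count(N)
    if N % 2 == 0 or not 0 <= x < N * B ** n:
        raise ValueError("need odd N and 0 <= x < N*R")
    n_prime = (-pow(N, -1, B)) % B          # -N^{-1} mod B
    t = limbs_of(x, 2 * n) + [0]            # 2n+1 limbs: x + u*N < 2*B**(2n)
    N_limbs = limbs_of(N, n)
    for i in range(n):
        u = (t[i] * n_prime) & MASK         # makes limb i of t vanish
        carry = 0
        for j in range(n):                  # t += u * N * B**i
            s = t[i + j] + u * N_limbs[j] + carry
            t[i + j] = s & MASK
            carry = s >> W
        k = i + n
        while carry:                        # propagate into the high limbs
            s = t[k] + carry
            t[k] = s & MASK
            carry = s >> W
            k += 1
    # Dividing by R = B**n is dropping the n low limbs, which are now zero.
    return t[n:2 * n], t[2 * n]


def overflows_fixed_buffer(x, N):
    """True when REDC of x needs the (n+1)-th limb before the final subtract."""
    return redc_limbs(x, N)[1] != 0


def montgomery_reduce(x, N, dest_limbs=None):
    """Full reduction x*R^{-1} mod N.  dest_limbs models the size of the
    buffer the result is written into; the safe size is n+1."""
    n = limb_count(N)
    if dest_limbs is None:
        dest_limbs = n + 1
    low, carry = redc_limbs(x, N)
    if carry and dest_limbs < n + 1:
        raise OverflowError("reduction result needs %d limbs, buffer has %d"
                            % (n + 1, dest_limbs))
    t = int_of(low) + (carry << (W * n))
    return t - N if t >= N else t


def reference(x, N):
    """Same quantity via big-integer arithmetic, for cross-checking."""
    R = B ** limb_count(N)
    return x * pow(R, -1, N) % N


def carry_case(n):
    """Constructed (x, N) for which the pre-subtraction value is exactly B**n:
    N = R - 1 makes u = 2 and t = (x + 2N) / R = R, i.e. carry limb 1."""
    R = B ** n
    N = R - 1
    x = R * R - 2 * R + 2
    return x, N


if __name__ == "__main__":
    x, N = carry_case(2)
    print("carry needed:", overflows_fixed_buffer(x, N))     # True
    print("reduced:", montgomery_reduce(x, N), reference(x, N))
    try:
        montgomery_reduce(x, N, dest_limbs=2)
    except OverflowError as e:
        print("n-limb buffer:", e)
```

The practitioner's check is the last branch: an implementation that writes the reduced value into a buffer sized from the modulus alone must either reserve the extra limb or prove the carry cannot occur; with unsafe word arrays the missing limb becomes a write past the allocation rather than a Python exception.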
Jurek, if you want stable testing before the coordinated release date noted above, please attach an updated ebuild to this bug. Do NOT commit anything yet. Also, I'm not too familiar with mono, so it might be in one of the other mono packages.
Does it mean they do not want upstream to be notified about this issue? Or have they already done it? Anyway, I'm all into pushing this forward. After applying the patch, mono-1.2.5.1 builds fine, but I don't have any testcase to see if the problem is gone. Moreover, I'd also add latexer to the CC list, 'cause he's the lead :). An updated ebuild and a patch that actually applies cleanly will follow.
Created attachment 134384: ebuild with patch applied
Created attachment 134385: updated patch
Thanks, Jurek. Upstream have already been informed; I should have mentioned that in the first place. Arch security liaisons, please test and report back on this bug. Do NOT commit anything, yada yada :)
Public now. Jurek, I think you can commit the corrected ebuild. Arch liaisons, did you get a chance to test it?
Done. We should also stabilize this ASAP.
Seems none of the liaisons have tested it till now. Arches, please test and mark stable dev-lang/mono-1.2.5.1-r1. Target keywords: "amd64 ppc x86"
GLSA filed.
Stable on x86
ppc stable
amd64 done
GLSA filed.
GLSA 200711-10