Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618824 (CVE-2017-2784) - <net-libs/mbedtls-2.4.2: multiple vulnerabilities
Summary: <net-libs/mbedtls-2.4.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-2784
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://tls.mbed.org/tech-updates/rel...
Whiteboard: B2 [glsa cve glsa]
Keywords: STABLEREQ
Depends on: 619802
Blocks:
  Show dependency tree
 
Reported: 2017-05-18 09:28 UTC by Anthony Basile
Modified: 2018-07-28 17:41 UTC (History)
1 user (show)

See Also:
Package list:
=net-libs/mbedtls-2.4.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Anthony Basile gentoo-dev 2017-05-18 09:28:26 UTC
This should fix several bugs involving missing <mbedtls/net.h>

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 1 Michael Weber (RETIRED) gentoo-dev 2017-05-19 01:24:19 UTC
ppc stable.
Comment 2 Michael Weber (RETIRED) gentoo-dev 2017-05-19 01:29:47 UTC
ppc64 stable.
Comment 3 Jeroen Roovers gentoo-dev 2017-05-19 07:50:16 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-20 08:49:50 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-20 09:36:08 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-05-22 11:41:49 UTC
sparc stable
Comment 7 Tobias Klausmann gentoo-dev 2017-05-22 13:27:16 UTC
Stable on alpha.
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-06-03 12:48:30 UTC
Converting bug into security bug, 2.4.2 fixes multiple vulnerabilities:

(2.4, 2.1, 1.3) Adds checks to prevent signature forgeries for very large messages while using RSA through the PK module in 64-bit systems. The issue was caused by some data loss when casting a size_t to an unsigned int value in the functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.

(2.4, 2.1, 1.3) Fixes potential livelock during the parsing of a CRL in PEM format in the function mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing characters after the footer could result in the execution of an infinite loop. The issue can be triggered remotely. Found by Greg Zaverucha, Microsoft.

(2.4) Removes MD5 from the allowed hash algorithms for CertificateRequest and CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2. Introduced by interoperability fix for #513.

(2.4, 2.1, 1.3) Fixes a bug that caused freeing a buffer that was allocated on the stack, when verifying the validity of a key on secp224k1. This issue could be triggered remotely, such as with a maliciously constructed certificate and could potentially lead to remote code execution on some platforms. Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos team. #569 CVE-2017-2784

(2.4, 2.1, 1.3) Fixes multiple buffer overreads in mbedtls_pem_read_buffer() when parsing the input string in PEM format to extract the different components. Found by Eyal Itkin.

(2.4, 2.1, 1.3) Fixes potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could cause buffer bound checks to be bypassed. Found by Eyal Itkin.

(2.4, 2.1, 1.3) Fixes potential arithmetic overflows in mbedtls_cipher_update() that could cause buffer bound checks to be bypassed. Found by Eyal Itkin.

(2.4, 2.1, 1.3) Fixes potential arithmetic overflow in mbedtls_md2_update() that could cause buffer bound checks to be bypassed. Found by Eyal Itkin.

(2.4, 2.1, 1.3) Fixes potential arithmetic overflow in mbedtls_base64_decode() that could cause buffer bound checks to be bypassed. Found by Eyal Itkin.

(2.4, 2.1, 1.3) Fixes a 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI number to write in hexadecimal is negative and requires an odd number of digits. Found and fixed by Guido Vranken.



Added to an existing GLSA.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:46:09 UTC
This issue was resolved and addressed in
 GLSA 201706-18 at https://security.gentoo.org/glsa/201706-18
by GLSA coordinator Kristian Fiskerstrand (K_F).