Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 621120 (CVE-2017-2801) - <dev-libs/botan-1.10.16: Incorrect comparison in X.509 DN strings
Summary: <dev-libs/botan-1.10.16: Incorrect comparison in X.509 DN strings
Status: RESOLVED FIXED
Alias: CVE-2017-2801
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://botan.randombit.net/security....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-07 13:05 UTC by Hanno Böck
Modified: 2017-10-13 23:16 UTC (History)
3 users (show)

See Also:
Package list:
=dev-libs/botan-1.10.16 amd64 hppa ppc ppc64 sparc x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2017-06-07 13:05:41 UTC
botan 1.0.16 and 2.1.0 fix a security bug in the X.509 parsing.

From upstream:
"Botan’s implementation of X.509 name comparisons had a flaw which could result in an out of bound memory read while processing a specially formed DN. This could potentially be exploited for information disclosure or denial of service, or result in incorrect validation results. Found independently by Aleksandar Nikolic of Cisco Talos, and OSS-Fuzz automated fuzzing infrastructure."

A second vuln (CVE-2017-7252) has also been fixed in 2.1.0, but it only affects versions in portage that have never been unmasked, so it's not relevant.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2017-06-07 13:21:42 UTC
Added, feel free to stabilize.
Thanks!
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-07 14:20:47 UTC
@ Arches,

please test and mark stable: =dev-libs/botan-1.10.16
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-08 10:18:34 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-09 10:23:26 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-10 13:49:18 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-13 12:35:17 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:03:22 UTC
ppc stable
Comment 8 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 15:04:30 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-30 06:35:16 UTC
hppa stable
Comment 10 Alon Bar-Lev (RETIRED) gentoo-dev 2017-10-12 16:41:19 UTC
(In reply to Aleksandr Wagner (Kivak) from bug#632104 comment#7)
> @Maintainer(s): Please clean the vulnerable versions from tree.

Done.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-10-13 23:16:13 UTC
GLSA Vote: No