Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636264 (CVE-2017-3736) - <dev-libs/openssl-{1.0.2m,1.1.0g}: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Summary: <dev-libs/openssl-{1.0.2m,1.1.0g}: bn_sqrx8x_internal carry bug on x86_64 (CV...
Status: RESOLVED FIXED
Alias: CVE-2017-3736
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.openssl.org/news/secadv/2...
Whiteboard: A3 [glsa cve cleanup]
Keywords: STABLEREQ
: 635584 (view as bug list)
Depends on:
Blocks: CVE-2017-3735
  Show dependency tree
 
Reported: 2017-11-02 15:49 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-27 18:57 UTC (History)
2 users (show)

See Also:
Package list:
=dev-libs/openssl-1.0.2m
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-02 15:49:23 UTC 
CVE-2017-3735 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3735):
  While parsing an IPAddressFamily extension in an X.509 certificate, it is
  possible to do a one-byte overread. This would result in an incorrect text
  display of the certificate. This bug has been present since 2006 and is
  present in all versions of OpenSSL since then.

CVE-2017-3736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3736):
  bn_sqrx8x_internal carry bug on x86_64
Comment 1 Larry the Git Cow gentoo-dev 2017-11-02 15:58:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddc7a2854b198ea1377a9b109a1d366e4c3099e0

commit ddc7a2854b198ea1377a9b109a1d366e4c3099e0
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-11-02 15:57:41 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-11-02 15:57:55 +0000

    dev-libs/openssl: Bump for CVE-2017-{3735,3736}
    
    Bug: https://bugs.gentoo.org/629290
    Bug: https://bugs.gentoo.org/636264
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 dev-libs/openssl/Manifest              |   2 +
 dev-libs/openssl/openssl-1.0.2m.ebuild | 254 +++++++++++++++++++++++++++++++++
 dev-libs/openssl/openssl-1.1.0g.ebuild | 240 +++++++++++++++++++++++++++++++
 3 files changed, 496 insertions(+)}
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-02 16:02:34 UTC 
@ Arches,

please test and mark stable: =dev-libs/openssl-1.0.2m
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-02 21:17:51 UTC 
x86 stable
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2017-11-02 21:47:46 UTC 
Stable on amd64
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-04 13:06:05 UTC 
ia64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-08 12:51:57 UTC 
Stable on alpha.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-09 07:30:17 UTC 
hppa stable (by Jeroen Roovers)
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-10 08:31:52 UTC 
ppc/ppc64 stable
Comment 9 Markus Meier gentoo-dev 2017-11-19 15:12:42 UTC 
arm stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-11-19 17:51:30 UTC 
arm64 is unstable arch.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-24 02:21:06 UTC 
GLSA request filed.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-27 21:14:40 UTC 
sparc stable (thanks to Rolf Eike Beer)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-12-14 18:25:23 UTC 
This issue was resolved and addressed in
 GLSA 201712-03 at https://security.gentoo.org/glsa/201712-03
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 18:57:05 UTC 
*** Bug 635584 has been marked as a duplicate of this bug. ***