Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636264 (CVE-2017-3736) - <dev-libs/openssl-{1.0.2m,1.1.0g}: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Summary: <dev-libs/openssl-{1.0.2m,1.1.0g}: bn_sqrx8x_internal carry bug on x86_64 (CV...
Alias: CVE-2017-3736
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve cleanup]
: 635584 (view as bug list)
Depends on:
Blocks: CVE-2017-3735
  Show dependency tree
Reported: 2017-11-02 15:49 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-27 18:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-02 15:49:23 UTC
CVE-2017-3735 (
  While parsing an IPAddressFamily extension in an X.509 certificate, it is
  possible to do a one-byte overread. This would result in an incorrect text
  display of the certificate. This bug has been present since 2006 and is
  present in all versions of OpenSSL since then.

CVE-2017-3736 (
  bn_sqrx8x_internal carry bug on x86_64
Comment 1 Larry the Git Cow gentoo-dev 2017-11-02 15:58:09 UTC
The bug has been referenced in the following commit(s):

commit ddc7a2854b198ea1377a9b109a1d366e4c3099e0
Author:     Thomas Deutschmann <>
AuthorDate: 2017-11-02 15:57:41 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2017-11-02 15:57:55 +0000

    dev-libs/openssl: Bump for CVE-2017-{3735,3736}
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 dev-libs/openssl/Manifest              |   2 +
 dev-libs/openssl/openssl-1.0.2m.ebuild | 254 +++++++++++++++++++++++++++++++++
 dev-libs/openssl/openssl-1.1.0g.ebuild | 240 +++++++++++++++++++++++++++++++
 3 files changed, 496 insertions(+)}
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-02 16:02:34 UTC
@ Arches,

please test and mark stable: =dev-libs/openssl-1.0.2m
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-02 21:17:51 UTC
x86 stable
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2017-11-02 21:47:46 UTC
Stable on amd64
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-04 13:06:05 UTC
ia64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-08 12:51:57 UTC
Stable on alpha.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-09 07:30:17 UTC
hppa stable (by Jeroen Roovers)
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-10 08:31:52 UTC
ppc/ppc64 stable
Comment 9 Markus Meier gentoo-dev 2017-11-19 15:12:42 UTC
arm stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-11-19 17:51:30 UTC
arm64 is unstable arch.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-24 02:21:06 UTC
GLSA request filed.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-27 21:14:40 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-12-14 18:25:23 UTC
This issue was resolved and addressed in
 GLSA 201712-03 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 18:57:05 UTC
*** Bug 635584 has been marked as a duplicate of this bug. ***