761412 – (CVE-2019-17362) dev-libs/libtomcrypt: Out of bounds read (CVE-2019-17362)

Bug 761412 (CVE-2019-17362) - dev-libs/libtomcrypt: Out of bounds read (CVE-2019-17362)

Summary: dev-libs/libtomcrypt: Out of bounds read (CVE-2019-17362)

Status:	IN_PROGRESS

Alias:	CVE-2019-17362

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/libtom/libtomcrypt...
Whiteboard:	B3 [upstream/ebuild?]
Keywords:

Depends on:
Blocks:

Reported:	2020-12-23 17:48 UTC by Sam James
Modified:	2021-07-29 18:13 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-12-23 17:48:31 UTC

Description:
"In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data."

Patch 1: https://github.com/libtom/libtomcrypt/commit/25c26a3b7a9ad8192ccc923e15cf62bf0108ef94

Patch 2 (adds test): 
https://github.com/libtom/libtomcrypt/commit/91856f003f9095e5a1fb461ffe9e434f735e8ac6 (not on a branch?)
https://github.com/libtom/libtomcrypt/issues/507#issuecomment-750382569

Comment 1 Sam James archtester

2020-12-23 17:49:07 UTC

I'll apply the patch later. Ideally, the comments on the test case patch would be resolved first.

Comment 2 Sam James archtester

2021-01-10 16:43:47 UTC

(In reply to Sam James from comment #1)
> I'll apply the patch later. Ideally, the comments on the test case patch
> would be resolved first.

Look addressed now but can't test atm.

Comment 3 Sam James archtester

2021-03-19 02:24:16 UTC

I'm not convinced this is actually fixed: https://github.com/libtom/libtomcrypt/issues/561

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:24:53 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:33:25 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:41:17 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 17:49:26 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 18:05:21 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 9 NATTkA bot gentoo-dev

2021-07-29 18:13:39 UTC

Package list is empty or all packages have requested keywords.