Bug 943337 (CVE-2024-45157, CVE-2024-49195) - <net-libs/mbedtls-{2.28.9,3.6.2}: multiple vulnerabilities
Summary: <net-libs/mbedtls-{2.28.9,3.6.2}: multiple vulnerabilities
Status: UNCONFIRMED
Alias: CVE-2024-45157, CVE-2024-49195
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://mbed-tls.readthedocs.io/en/la...
Whiteboard: B3 [cleanup glsa?]
Keywords: PullRequest
Depends on: 944947
Blocks:
Reported: 2024-11-12 19:30 UTC by Azamat H. Hackimov
Modified: 2024-11-30 10:51 UTC
CC: 1 user
See Also:
Package list:
Runtime testing required: ---

Description Azamat H. Hackimov 2024-11-12 19:30:06 UTC
https://nvd.nist.gov/vuln/detail/CVE-2024-45157:

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.

https://nvd.nist.gov/vuln/detail/CVE-2024-49195:

Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair.
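Added example (not from this bug report and not Mbed TLS code): a compile-time and run-time mirror of the RNG selection order the CVE-2024-45157 text above describes for unfixed versions, i.e. external RNG first, then CTR_DRBG, then HMAC_DRBG, with MBEDTLS_PSA_HMAC_DRBG_MD_TYPE having no influence on that choice. It is the editor's reading of the advisory wording, so treat the precedence as an assumption to confirm against the Mbed TLS release you actually build; the macro names are Mbed TLS's, PSA_RNG_BACKEND_EXPECTED and the two functions are hypothetical names introduced here.

```c
/*
 * Added example: mirrors the PSA RNG selection order described in the
 * CVE-2024-45157 advisory text (external RNG > CTR_DRBG > HMAC_DRBG).
 * Assumption: this is the editor's reading of the advisory, not Mbed TLS
 * source. Macro names are Mbed TLS's; everything else is hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Compile-time mirror. Include mbedtls/build_info.h (or your own
 * mbedtls_config.h) before this block to evaluate the real configuration;
 * built stand-alone, as here, none of the Mbed TLS macros are defined.
 */
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
#define PSA_RNG_BACKEND_EXPECTED "external RNG"
#elif defined(MBEDTLS_CTR_DRBG_C)
#define PSA_RNG_BACKEND_EXPECTED "CTR_DRBG"
#elif defined(MBEDTLS_HMAC_DRBG_C)
#define PSA_RNG_BACKEND_EXPECTED "HMAC_DRBG"
#else
#define PSA_RNG_BACKEND_EXPECTED "none"
#endif

/* Fail the build if MBEDTLS_PSA_HMAC_DRBG_MD_TYPE would be silently ignored. */
#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE) && \
    (defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) || defined(MBEDTLS_CTR_DRBG_C))
#error "MBEDTLS_PSA_HMAC_DRBG_MD_TYPE set but PSA will not use HMAC_DRBG (CVE-2024-45157)"
#endif

/* Run-time model of the same precedence, usable from a config audit tool. */
const char *psa_rng_backend_before_fix(bool external_rng, bool ctr_drbg_c,
                                       bool hmac_drbg_c)
{
    if (external_rng) return "external RNG";
    if (ctr_drbg_c)   return "CTR_DRBG";
    if (hmac_drbg_c)  return "HMAC_DRBG";
    return "none";
}

/* True when MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is set but has no effect. */
bool hmac_drbg_md_type_ignored(bool md_type_set, bool external_rng,
                               bool ctr_drbg_c, bool hmac_drbg_c)
{
    if (!md_type_set) return false;
    const char *backend = psa_rng_backend_before_fix(external_rng, ctr_drbg_c,
                                                     hmac_drbg_c);
    return strcmp(backend, "HMAC_DRBG") != 0;
}

int main(void)
{
    /* Constructed cases. Mbed TLS's default config keeps MBEDTLS_CTR_DRBG_C
     * enabled, so adding only MBEDTLS_PSA_HMAC_DRBG_MD_TYPE changes nothing. */
    printf("compile-time backend in this TU: %s\n", PSA_RNG_BACKEND_EXPECTED);
    printf("default config + MD_TYPE: backend=%s, MD_TYPE ignored=%d\n",
           psa_rng_backend_before_fix(false, true, true),
           hmac_drbg_md_type_ignored(true, false, true, true));
    printf("CTR_DRBG_C off + MD_TYPE:  backend=%s, MD_TYPE ignored=%d\n",
           psa_rng_backend_before_fix(false, false, true),
           hmac_drbg_md_type_ignored(true, false, false, true));
    return 0;
}
```

The practical check for an unfixed build is the preprocessor guard: if you rely on MBEDTLS_PSA_HMAC_DRBG_MD_TYPE to get HMAC_DRBG, the only configuration the advisory says honours it is one with both MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C undefined.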
Comment 1 Hans de Graaff gentoo-dev Security 2024-11-12 19:56:53 UTC
Removed version numbers because we only refer to the fixed versions in Gentoo itself.
Comment 2 Larry the Git Cow gentoo-dev 2024-11-23 16:54:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86acd886db67d37721a4ac9968358131e3439f76

commit 86acd886db67d37721a4ac9968358131e3439f76
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2024-11-12 20:28:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-11-23 16:54:05 +0000

    net-libs/mbedtls: add 2.28.9, 3.6.2
    
    Fix security vulnerabilities:
    
    * CVE-2024-45157
    * CVE-2024-49195
    
    Bug: https://bugs.gentoo.org/943337
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/mbedtls/Manifest              |   2 +
 net-libs/mbedtls/mbedtls-2.28.9.ebuild | 102 +++++++++++++++++++++++++++++++++
 net-libs/mbedtls/mbedtls-3.6.2.ebuild  |  95 ++++++++++++++++++++++++++++++
 3 files changed, 199 insertions(+)