Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717950 (CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613) - dev-java/bcprov: Multiple vulnerabilities (CVE-2016-{1000338,1000339,1000340,1000341,1000342,1000343, 1000344,1000352}, CVE-2017-13098, CVE-2018-{1000180,1000613})
Summary: dev-java/bcprov: Multiple vulnerabilities (CVE-2016-{1000338,1000339,1000340,...
Status: IN_PROGRESS
Alias: CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000340, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [ebuild cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-04-17 21:36 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-21 11:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 21:36:11 UTC
CVE-2019-17359 (https://nvd.nist.gov/vuln/detail/CVE-2019-17359):
  The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a
  large attempted memory allocation, and resultant OutOfMemoryError error, via
  crafted ASN.1 data. This is fixed in 1.64.
Comment 1 Sam James (sec padawan) 2020-04-17 21:42:02 UTC
* CVE-2018-1000180

Description:
"Issue around primality tests for RSA key pair generation if done using only the low-level API."

* CVE-2018-1000613: 

Description:
"Lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information."

* CVE-2017-13098 ("ROBOT")

Description:
"A Bleichenbacher oracle in TLS when RSA key exchange is negotiated. This potentially affected BCJSSE servers and any other TLS servers configured to use JCE for the underlying crypto - note the two TLS implementations using the BC lightweight APIs are not affected by this."

* CVE-2016-1000352

Description:
"Strict encoding enforcement has been introduced for ASN1Integer."

* CVE-2016-1000338

Description: 
"DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of "invisible" data into a signed structure."

* CVE-2016-1000339: 

Description:
"AESFastEngine has a side channel leak if table accesses can be observed. The use of lookup large static lookup tables in AESFastEngine means that where data accesses by the CPU can be observed, it is possible to gain information about the key used to initialize the cipher. We now recommend not using AESFastEngine where this might be a concern. The BC provider is now using AESEngine by default."

* CVE-2016-1000340:

Description:
"Static ECDH vulnerable to carry propagation bug. Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers."

* CVE-2016-1000341: 

Description:
"DSA signature generation vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55 or earlier, may allow an attacker to gain information about the signatures k value and ultimately the private value as well."

* CVE-2016-1000342: 
Description:
"ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of "invisible" data into a signed structure."

* CVE-2016-1000343: 

Description:
"DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator."

* CVE-2016-1000344

Description:
"DHIES allows the use of unsafe ECB mode. This algorithm is now removed from the provider."

* CVE-2016-1000345

Description:
"DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding."

* CVE-2016-1000346:

Description: "Other party DH public key not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of this release the key parameters are checked on agreement calculation."

* CVE-2016-1000352:

Description: 
"ECIES allows the use of unsafe ECB mode. This algorithm is now removed from the provider."

----

Some of these were fixed in earlier versions. The latest fixed version is 2.6.1.
Given this is a cryptography library, I strongly recommend the maintainers update to the latest version. I did not comb through the changelog because I already found these CVEs.
Comment 2 Sam James (sec padawan) 2020-04-17 21:44:12 UTC
(In reply to Sam James (sec padawan) from comment #1)
> Some of these were fixed in earlier versions. The latest fixed version is
> 2.6.1.
> Given this is a cryptography library, I strongly recommend the maintainers
> update to the latest version. I did not comb through the changelog because I
> already found these CVEs.

@maintainer(s), please see this comment.