Bug 764317 (CVE-2020-36475, CVE-2020-36478) - <net-libs/mbedtls-{2.16.9,2.25.0}: Multiple vulnerabilities
Summary: <net-libs/mbedtls-{2.16.9,2.25.0}: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2020-36475, CVE-2020-36478
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-07 14:33 UTC by Sam James
Modified: 2021-08-25 02:30 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 14:33:44 UTC
See https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0.

"Security

* The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() would write past the minimum documented size of the output buffer when used with NIST_KW. As a result, code using those functions as documented with NIST_KW could have a buffer overwrite of up to 15 bytes, with consequences ranging up to arbitrary code execution depending on the location of the output buffer.

* Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.

* A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography (including key generation, intermediate value randomization and blinding) are implemented. This could cause failures or the silent use of non-random values. A random generator can fail if it needs reseeding and cannot obtain entropy, or due to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).

* Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it in #3629.

* Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 14:34:03 UTC
Please bump to 2.25.0.
Comment 2 Anthony Basile gentoo-dev 2021-01-08 02:15:37 UTC
(In reply to Sam James from comment #1)
> Please bump to 2.25.0.

It's in the tree.  I've done some preliminary testing and it should be good for rapid stabilization.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-08 10:32:05 UTC
(In reply to Anthony Basile from comment #2)
> (In reply to Sam James from comment #1)
> > Please bump to 2.25.0.
> 
> It's in the tree.  I've done some preliminary testing and it should be good
> for rapid stabilization.

Thank you!
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-12 12:04:43 UTC
ppc done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-12 12:05:12 UTC
ppc64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 00:03:38 UTC
x86 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-01 04:43:46 UTC
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-18 07:30:11 UTC
arm64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 17:15:34 UTC
arm done

all arches done
Comment 11 John Helmert III gentoo-dev Security 2021-02-19 17:18:24 UTC
Please cleanup
Comment 12 John Helmert III gentoo-dev Security 2021-06-30 14:23:16 UTC
Added to existing request
Comment 18 NATTkA bot gentoo-dev 2021-07-29 18:13:29 UTC
Package list is empty or all packages have requested keywords.
Comment 19 John Helmert III gentoo-dev Security 2021-08-25 02:30:20 UTC
CVE-2020-36478:

An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid.

CVE-2020-36475:

An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs.
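
Added example (not part of the bug report and not Mbed TLS code): the signature-algorithm parameter comparison described in the release notes and in CVE-2020-36478, with the length-only check beside one that also compares the ASN.1 tag. The `asn1_item` type, the function names and the short-form-only TLV parser are hypothetical, and the sample bytes are constructed (DER NULL is `05 00`, a zero-length REAL is `09 00`).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed ASN.1 element (not the Mbed TLS type). */
typedef struct { uint8_t tag; size_t len; const uint8_t *p; } asn1_item;

/* Parse one short-form DER TLV; returns 0 on success, -1 on malformed input. */
static int parse_tlv(const uint8_t *buf, size_t buflen, asn1_item *out)
{
    /* Reject truncated input, long-form lengths and values that overrun. */
    if (buflen < 2 || (buf[1] & 0x80) != 0 || (size_t)buf[1] > buflen - 2)
        return -1;
    out->tag = buf[0]; out->len = buf[1]; out->p = buf + 2;
    return 0;
}

/* Behaviour the release notes describe: size (and bytes) compared, tag ignored. */
static int params_match_len_only(const asn1_item *a, const asn1_item *b)
{
    return a->len == b->len && (a->len == 0 || memcmp(a->p, b->p, a->len) == 0);
}

/* Corrected comparison: tag, length and value must all agree. */
static int params_match_strict(const asn1_item *a, const asn1_item *b)
{
    return a->tag == b->tag && params_match_len_only(a, b);
}

/* Constructed sample encodings of the two algorithm-parameter fields. */
static const uint8_t DER_NULL[]       = { 0x05, 0x00 };  /* NULL */
static const uint8_t DER_REAL_EMPTY[] = { 0x09, 0x00 };  /* REAL, size zero */

/* 1 = parameters accepted as matching, 0 = rejected, -1 = parse error. */
static int check_cert_params(const uint8_t *inner, size_t ilen,
                             const uint8_t *outer, size_t olen, int strict)
{
    asn1_item a, b;
    if (parse_tlv(inner, ilen, &a) != 0 || parse_tlv(outer, olen, &b) != 0)
        return -1;
    return strict ? params_match_strict(&a, &b) : params_match_len_only(&a, &b);
}

int main(void)
{
    int weak   = check_cert_params(DER_NULL, 2, DER_REAL_EMPTY, 2, 0);
    int strict = check_cert_params(DER_NULL, 2, DER_REAL_EMPTY, 2, 1);
    printf("length-only: %d, strict: %d\n", weak, strict);
    return 0;
}
```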