Bug 923279 (CVE-2024-23170, CVE-2024-23775) - <net-libs/mbedtls-{2.28.7,3.5.2}: multiple vulnerabilities
Summary: <net-libs/mbedtls-{2.28.7,3.5.2}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2024-23170, CVE-2024-23775
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa? cleanup]
Keywords: PullRequest
Depends on: 923409
Blocks:
Reported: 2024-01-29 17:35 UTC by Azamat H. Hackimov
Modified: 2024-02-19 23:36 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Azamat H. Hackimov 2024-01-29 17:35:49 UTC
CVE-2024-23170 Timing side channel in private key RSA operations.

Mbed TLS is vulnerable to a timing side channel in private key RSA operations. This side channel could be sufficient for an attacker to recover the plaintext. A local attacker or a remote attacker who is close to the victim on the network might have precise enough timing measurements to exploit this. It requires the attacker to send a large number of messages for decryption.

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/

CVE-2024-23775 Buffer overflow in mbedtls_x509_set_extension().

When writing x509 extensions we failed to validate inputs passed in to mbedtls_x509_set_extension(), which could result in an integer overflow, causing a zero-length buffer to be allocated to hold the extension. The extension would then be copied into the buffer, causing a heap buffer overflow.

https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/


Resolution: update net-libs/mbedtls to 2.28.7 and 3.5.2.
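The CVE-2024-23775 entry above describes a length that is trusted, bumped by an addition that wraps to zero, handed to the allocator, and then used as the copy length. The following C program is an added illustration of that bug class and is not Mbed TLS code; the names `unchecked_alloc_size`, `unchecked_would_overflow` and `set_extension_checked`, the "value length plus one byte" allocation size, and the `SIZE_MAX - 1` bound in the hardened version are assumptions made here to model what the advisory describes, not the library's actual implementation. The vulnerable arithmetic is only evaluated, never used for a real copy, so the program runs safely.

```c
/* Added example modelling the CVE-2024-23775 bug class described in the bug
 * report: an unchecked size_t addition wraps to 0, a zero-length heap buffer
 * is allocated, and the original length is then used for the copy.
 * This is NOT Mbed TLS code. The "+1" allocation size and the SIZE_MAX - 1
 * check are assumptions chosen to illustrate the pattern. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *val;
    size_t val_len;
} ext_value;

/* Pre-fix style size computation (assumed): trusts val_len and adds room for
 * one extra byte. With val_len == SIZE_MAX the sum wraps to 0. */
size_t unchecked_alloc_size(size_t val_len)
{
    return val_len + 1;   /* wraps to 0 when val_len == SIZE_MAX */
}

/* Returns 1 when the unchecked computation yields a buffer smaller than the
 * val_len bytes that would subsequently be copied into it, i.e. the heap
 * overflow condition; 0 otherwise. The copy itself is never performed. */
int unchecked_would_overflow(size_t val_len)
{
    size_t alloc = unchecked_alloc_size(val_len);
    return alloc < val_len;
}

/* Hardened version: validate the caller-supplied length before any
 * allocation or copy. Returns 0 on success, -1 on bad input, -2 if the
 * allocation fails. On success out->val holds val_len bytes plus a NUL. */
int set_extension_checked(ext_value *out, const unsigned char *val, size_t val_len)
{
    if (out == NULL || (val == NULL && val_len != 0)) {
        return -1;
    }
    if (val_len > SIZE_MAX - 1) {
        return -1;   /* val_len + 1 would wrap to 0 */
    }
    unsigned char *buf = calloc(1, val_len + 1);
    if (buf == NULL) {
        return -2;
    }
    if (val_len > 0) {
        memcpy(buf, val, val_len);
    }
    out->val = buf;
    out->val_len = val_len;
    return 0;
}

void ext_value_free(ext_value *e)
{
    free(e->val);
    e->val = NULL;
    e->val_len = 0;
}

int main(void)
{
    /* Constructed sample input: DER SEQUENCE { BOOLEAN TRUE }, the shape of a
     * cA=TRUE basicConstraints extension value. */
    static const unsigned char sample[] = { 0x30, 0x03, 0x01, 0x01, 0xFF };
    ext_value e = { NULL, 0 };

    printf("unchecked alloc size for SIZE_MAX: %zu, overflow=%d\n",
           unchecked_alloc_size(SIZE_MAX), unchecked_would_overflow(SIZE_MAX));

    int rc = set_extension_checked(&e, sample, sizeof sample);
    printf("checked, sane length: rc=%d len=%zu\n", rc, e.val_len);
    ext_value_free(&e);

    rc = set_extension_checked(&e, sample, SIZE_MAX);
    printf("checked, SIZE_MAX length: rc=%d\n", rc);
    return 0;
}
```

The point to carry over to review of similar code: the check has to sit on the caller's length before the addition, because after `val_len + 1` has wrapped there is nothing left to inspect; `calloc` happily returns a valid zero-length pointer and the later `memcpy` has no way to notice.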
Comment 1 Larry the Git Cow gentoo-dev 2024-01-31 09:39:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8854f3a3ba8804ac498d25fa3ba419215b18d352

commit 8854f3a3ba8804ac498d25fa3ba419215b18d352
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2024-01-29 17:48:33 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-01-31 09:37:45 +0000

    net-libs/mbedtls: drop 2.28.6, 3.5.1
    
    Bug: https://bugs.gentoo.org/923279
    Closes: https://github.com/gentoo/gentoo/pull/35079
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 net-libs/mbedtls/Manifest              |   2 -
 net-libs/mbedtls/mbedtls-2.28.6.ebuild | 104 ---------------------------------
 net-libs/mbedtls/mbedtls-3.5.1.ebuild  |  96 ------------------------------
 3 files changed, 202 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9ee81cf0e4c6b4df223fff5732fba83a019e398

commit a9ee81cf0e4c6b4df223fff5732fba83a019e398
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2024-01-29 17:47:16 +0000
Commit:     Yixun Lan <dlan@gentoo.org>
CommitDate: 2024-01-31 09:35:52 +0000

    net-libs/mbedtls: add 2.28.7, 3.5.2
    
    Fixes CVE-2024-23170, CVE-2024-23775 issues.
    
    Bug: https://bugs.gentoo.org/923279
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Yixun Lan <dlan@gentoo.org>

 net-libs/mbedtls/Manifest              |   2 +
 net-libs/mbedtls/mbedtls-2.28.7.ebuild | 104 +++++++++++++++++++++++++++++++++
 net-libs/mbedtls/mbedtls-3.5.2.ebuild  |  96 ++++++++++++++++++++++++++++++
 net-libs/mbedtls/metadata.xml          |   1 +
 4 files changed, 203 insertions(+)
Comment 2 Yixun Lan archtester gentoo-dev 2024-01-31 09:42:55 UTC
Since this is a security bug, please suggest a new candidate for fast stabilization; I'd assume net-libs/mbedtls-2.28.7? Thanks.