CVE-2024-9143: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes.

The above is fixed in: 3.3.3, 3.2.4, 3.1.8, and 4.0.16
To clarify, 3.3.3, 3.2.4, 3.1.8, and 4.0.16 are not out yet because of upstream classifying it as a low severity vulnerability. A patch does exist in the following commits, however.
- c0d3e4d3 (for 3.3)
- bc7e04d7 (for 3.2)
- fdf67233 (for 3.1)
- 72ae83ad (for 3.0)
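The issue in the CVE is that an explicit (non-named) binary-field curve lets an attacker choose the field polynomial itself, and a malformed polynomial can push the GF(2^m) reduction code outside its arrays. An application that accepts explicit binary-curve parameters can screen the polynomial before it ever reaches the low-level API. The following is an added example written for this page; it is not code from the bug, from Gentoo's patches, or from OpenSSL. It represents the polynomial as an integer bitmask, checks the shape properties that keep the arithmetic in bounds (non-trivial degree, constant term present, a bounded number of terms), and includes a plain shift-and-xor reduction to show the validated value in use. The `max_degree` limit and the restriction to trinomials and pentanomials are policy choices of this example (every standardized binary curve uses one of those two shapes); irreducibility is deliberately not tested here. The B-163 polynomial x^163 + x^7 + x^6 + x^3 + 1 is a real NIST value used as the known-good reference; the other inputs are constructed.

```python
# Added example (not from the bug report, the Gentoo patches, or OpenSSL):
# pre-validate an explicitly supplied GF(2^m) field polynomial before it is
# handed to a low-level binary-curve API. A polynomial is a Python int
# bitmask: bit i set means the term x^i is present.
from typing import List

# Known-good reference value: the NIST B-163 / K-163 field polynomial
# x^163 + x^7 + x^6 + x^3 + 1 (a real standardized value).
B163_POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1


class InvalidFieldPolynomial(ValueError):
    """Raised when an explicit field polynomial fails the shape checks."""


def poly_terms(poly: int) -> List[int]:
    """Exponents of the non-zero terms, highest first (the compact
    exponent-array form that reduction code typically works with)."""
    if poly <= 0:
        raise InvalidFieldPolynomial("polynomial must be a positive integer")
    return [i for i in range(poly.bit_length() - 1, -1, -1) if (poly >> i) & 1]


def validate_field_polynomial(poly: int, max_degree: int = 4096) -> List[int]:
    """Reject polynomials that cannot define GF(2^m) or whose shape would
    overrun a fixed-size exponent array.

    max_degree is a policy limit chosen for this example (an assumption),
    not a value taken from OpenSSL. Irreducibility is NOT checked here; only
    the structural properties that keep the arithmetic in bounds are.
    """
    terms = poly_terms(poly)
    degree = terms[0]
    if degree < 2:
        raise InvalidFieldPolynomial(f"degree {degree} is too small for a field extension")
    if degree > max_degree:
        raise InvalidFieldPolynomial(f"degree {degree} exceeds policy limit {max_degree}")
    if terms[-1] != 0:
        # x divides the polynomial, so the quotient ring has zero divisors;
        # a zero constant term is the malformed input the CVE text refers to.
        raise InvalidFieldPolynomial("constant term is zero")
    if len(terms) not in (3, 5):
        # Every standardized binary curve uses a trinomial or pentanomial;
        # bounding the term count bounds the size of the exponent array.
        raise InvalidFieldPolynomial(
            f"{len(terms)} terms; only trinomials and pentanomials are accepted")
    return terms


def parse_untrusted_polynomial(hex_text: str) -> int:
    """Parse an externally supplied hex polynomial and validate it."""
    try:
        poly = int(hex_text, 16)
    except ValueError as exc:
        raise InvalidFieldPolynomial(f"not a hex value: {hex_text!r}") from exc
    validate_field_polynomial(poly)
    return poly


def gf2m_mod(a: int, poly: int) -> int:
    """Reduce a modulo a validated field polynomial using shift-and-xor
    long division in characteristic 2. Each step clears the current leading
    bit of a, so a strictly loses degree until it is below the field degree."""
    degree = validate_field_polynomial(poly)[0]
    while a.bit_length() - 1 >= degree:
        a ^= poly << (a.bit_length() - 1 - degree)
    return a


if __name__ == "__main__":
    print(validate_field_polynomial(B163_POLY))  # [163, 7, 6, 3, 0]
    # Constructed malformed inputs: no constant term, a lone leading term,
    # and a two-term polynomial.
    for bad in ((1 << 163) | (1 << 7), 1 << 163, 0b101):
        try:
            validate_field_polynomial(bad)
        except InvalidFieldPolynomial as exc:
            print("rejected:", exc)
```

The check belongs at the trust boundary, i.e. wherever explicit curve parameters are decoded from an external source, so that only named curves or polynomials that pass these checks are ever passed on to the low-level GF(2^m) functions.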
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22235f92b4d8cd565c29264b7955ed1f5ea4ac48

commit 22235f92b4d8cd565c29264b7955ed1f5ea4ac48
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-29 02:08:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-29 02:09:24 +0000

    dev-libs/openssl: fix CVE-2024-9143 for 3.3.2-r1

    Bug: https://bugs.gentoo.org/941643
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.3.2-CVE-2024-9143.patch | 193 +++++++++++++
 dev-libs/openssl/openssl-3.3.2-r1.ebuild    | 304 +++++++++++++++++++++
 2 files changed, 497 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6855692d8c265fa2c9c7216bb17d52eaa507ccb4

commit 6855692d8c265fa2c9c7216bb17d52eaa507ccb4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-29 02:01:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-29 02:09:23 +0000

    dev-libs/openssl: fix CVE-2024-9143 for 3.2.3-r1

    Bug: https://bugs.gentoo.org/941643
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.2.3-CVE-2024-9143.patch | 193 +++++++++++++
 dev-libs/openssl/openssl-3.2.3-r1.ebuild    | 306 +++++++++++++++++++++
 2 files changed, 499 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=536e382d480933cfc6721f129368a8468ebd2321

commit 536e382d480933cfc6721f129368a8468ebd2321
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-29 01:53:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-29 02:09:22 +0000

    dev-libs/openssl: fix CVE-2024-9143 for 3.1.7-r1

    Bug: https://bugs.gentoo.org/941643
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.1.7-CVE-2024-9143.patch | 192 ++++++++++++++
 dev-libs/openssl/openssl-3.1.7-r1.ebuild    | 288 +++++++++++++++++++++
 2 files changed, 480 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=262bc64a0613918288342dda8ed6f2ee91b87cd7

commit 262bc64a0613918288342dda8ed6f2ee91b87cd7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-29 01:45:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-29 02:09:22 +0000

    dev-libs/openssl: fix CVE-2024-9143 for 3.0.15-r1

    Bug: https://bugs.gentoo.org/941643
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.0.15-CVE-2024-9143.patch | 193 ++++++++++++++
 dev-libs/openssl/openssl-3.0.15-r1.ebuild    | 287 +++++++++++++++++++++
 2 files changed, 480 insertions(+)