Bug 941643 (CVE-2024-9143) - <dev-libs/openssl-{3.0.15-r1, 3.1.7-r1, 3.2.3-r1, 3.3.2-r1}: Low-level invalid GF(2^m) parameters lead to OOB memory access
Summary: <dev-libs/openssl-{3.0.15-r1, 3.1.7-r1, 3.2.3-r1, 3.3.2-r1}: Low-level invali...
Status: IN_PROGRESS
Alias: CVE-2024-9143
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://openssl-library.org/news/seca...
Whiteboard: B2 [stable]
Keywords:
Depends on: 940192 945999
Blocks:
Reported: 2024-10-16 22:25 UTC by Christopher Fore
Modified: 2024-12-07 02:54 UTC
See Also:
Package list:
Runtime testing required: ---

Description Christopher Fore 2024-10-16 22:25:40 UTC
CVE-2024-9143:

Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds memory reads
or writes.

The above is fixed in: 3.3.3, 3.2.4, 3.1.8, and 4.0.16
Comment 1 Christopher Fore 2024-10-16 22:29:27 UTC
To clarify, 3.3.3, 3.2.4, 3.1.8, and 4.0.16 are not out yet because of upstream classifying it as a low severity vulnerability. A patch does exist in the following commits, however.

- c0d3e4d3 (for 3.3)
- bc7e04d7 (for 3.2)
- fdf67233 (for 3.1)
- 72ae83ad (for 3.0)
Comment 2 Larry the Git Cow gentoo-dev 2024-10-29 02:10:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22235f92b4d8cd565c29264b7955ed1f5ea4ac48

commit 22235f92b4d8cd565c29264b7955ed1f5ea4ac48
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-29 02:08:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-29 02:09:24 +0000

    dev-libs/openssl: fix CVE-2024-9143 for 3.3.2-r1
    
    Bug: https://bugs.gentoo.org/941643
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.3.2-CVE-2024-9143.patch        | 193 +++++++++++++
 dev-libs/openssl/openssl-3.3.2-r1.ebuild           | 304 +++++++++++++++++++++
 2 files changed, 497 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6855692d8c265fa2c9c7216bb17d52eaa507ccb4

commit 6855692d8c265fa2c9c7216bb17d52eaa507ccb4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-29 02:01:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-29 02:09:23 +0000

    dev-libs/openssl: fix CVE-2024-9143 for 3.2.3-r1
    
    Bug: https://bugs.gentoo.org/941643
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.2.3-CVE-2024-9143.patch        | 193 +++++++++++++
 dev-libs/openssl/openssl-3.2.3-r1.ebuild           | 306 +++++++++++++++++++++
 2 files changed, 499 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=536e382d480933cfc6721f129368a8468ebd2321

commit 536e382d480933cfc6721f129368a8468ebd2321
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-29 01:53:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-29 02:09:22 +0000

    dev-libs/openssl: fix CVE-2024-9143 for 3.1.7-r1
    
    Bug: https://bugs.gentoo.org/941643
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.1.7-CVE-2024-9143.patch        | 192 ++++++++++++++
 dev-libs/openssl/openssl-3.1.7-r1.ebuild           | 288 +++++++++++++++++++++
 2 files changed, 480 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=262bc64a0613918288342dda8ed6f2ee91b87cd7

commit 262bc64a0613918288342dda8ed6f2ee91b87cd7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-10-29 01:45:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-10-29 02:09:22 +0000

    dev-libs/openssl: fix CVE-2024-9143 for 3.0.15-r1
    
    Bug: https://bugs.gentoo.org/941643
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.0.15-CVE-2024-9143.patch       | 193 ++++++++++++++
 dev-libs/openssl/openssl-3.0.15-r1.ebuild          | 287 +++++++++++++++++++++
 2 files changed, 480 insertions(+)