-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cut-over to CRYPTOPP_ASSERT due to CVE-2016-7420 #277
Comments
trap.h and CRYPTOPP_ASSERT has existed for over a year in Master. We deferred on the cut-over waiting for a minor version bump (5.7). We have to use it now due to CVE-2016-7420
…bug behavior pivots on CRYPTOPP_DEBUG, and not NDEBUG (Issue 277, CVE-2016-7420)
The documentation updates/treatment of The documentation updates/treatment of C++ Static Initialization Order was added to The cut-over to We detected and fixed some debugging code using We added self tests to ensure no use of The _trap_ dev-branch was merged into _master_ at Commit 01b4ada1482f7e02. Our next step is to release Crypto++ 5.6.5. This report will remain open until the new version is released. |
Crypto++ 5.6.5 was released on 10/11/2016. Closing the issue. |
From a recent discussion with the Debian Security Team:
For completeness, the asserts are working as expected; they are not broken. The library's build system, [GNU] Make, adds the define. The define is also added by Visual Studio without user intervention. The library is well configured in its default state.
The problem is many distros and developers fail to add
-DNDEBUG
for release/production when using alternate build systems, like Autotools, CMake and Eclipse. Effectively the library receives an alternate set of flags and options, and it is placed in a debug configuration. Sometimes the lack of-DNDEBUG
is due to policy (Debian and Autotools), and sometimes its due to omission (regular developers under CMake, Eclipse, etc).Mitre assigned CVE-2016-7420 for the issue.
Also see CRYPTOPP_ASSERT on the user mailing list. We discussed a library assert over a year ago. We already have it and have been waiting for a good time to cut-over to it.
There are 590 asserts in effect when the library is in a debug configuration. Debug builds are tested with out test suite, and none of them trigger when asserts are in effect. The caveat is its not attacker controlled data.
Here's a list of files which could assert in the library when using a debug configuration.
The text was updated successfully, but these errors were encountered: