Fix possible integer overflow #546
Conversation
|
@sjaeckel please ask the reporter of that bug if they want to remain anonymous. I would like to put their name in, otherwise. |
|
@gal1ium thanks for reporting this. Do you wanna have a look at the changes? |
I think they're good! Thanks! |
There was a problem hiding this comment.
ty @czurnieden for going through the sources - I double checked and it looks good.
I also cherry-picked this to develop locally and will open a PR soon.
|
|
||
| if (size < 0) { | ||
| return MP_VAL; | ||
| } | ||
|
|
There was a problem hiding this comment.
Not sure whether this really makes sense here, since size is already sanitized right after ... OTOH it's an invalid usage ...
There was a problem hiding this comment.
Wasn't sure either, but it is an error and marking it as such is nice to the user—useful for debugging.
None forgotten? Good.
Ah, thanks, wasn't able to get to it till now. |
|
@dod38fr @scaronni @gahr @DimStar77 @dfandrich @antonio-rojas @Millak could you please include this patch in your distro? |
|
@sjaeckel I can do that - are you planning a patch release, anyway? |
|
Does this fix a security vulnerability? Glacing at the diff, it looks like it fixes some things that a buggy program might hit but affect parameters that would not generally be under the control of an attacker. |
It's too late for Debian 12 which is to be released next week. I'll patch libtommath in Debian/unstable once Debian 12 is out. If this bug turns out to be a security issue, I'll make sure to include in a future Debian 12 point release (e.g. 12.1). |
|
I patched the FreeBSD port: https://cgit.freebsd.org/ports/commit/?id=02c46239ac8dce1c3573803e6c95ae152aa61ee9 still eager to know if there's a release coming |
|
I don't think there will be a patch release, but a new release will come which includes this patch. |
|
CVE-2023-36328 was assigned to this. I had no involvement in the assignment, posting here for reference only. |
|
Seems like someone really thinks that this needs a bugfix release ... |
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 (From OE-Core rev: 538a88f858b860a1aa7aa90d9091fb98e67f3d54) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 (From OE-Core rev: 9ee1f7a0fcbb6a8d5e8be3d602cf6c0e75fab34b) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 (From OE-Core rev: 09d1d126d755d15106ce40b3d74457f5a301cf3f) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 (From OE-Core rev: aa392840d625f5c45832e7ddf60c4dfaba3c4287) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 (From OE-Core rev: 38709b0d35e7bd6760285bfa926dc85985c5cdcd) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 (From OE-Core rev: e2fe2c2066b066b1561eaba7bd7f27d4079c3cd6) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Source: poky MR: 127628 Type: Integration Disposition: Merged from poky ChangeID: fb8ca2c Description: Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 (From OE-Core rev: 38709b0d35e7bd6760285bfa926dc85985c5cdcd) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
|
I see an error in the description https://nvd.nist.gov/vuln/detail/CVE-2023-36328#range-9994440 of the versions affected by the vulnerability. Version 1.2.1 is included, although it contains changes from this commit: |
|
I contacted them, let's see what happens and when :-) |
|
Version is fixed, list will be updated within the next 24hours |
Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS). References: https://nvd.nist.gov/vuln/detail/CVE-2023-36328 libtom/libtommath#546 (From OE-Core rev: aa392840d625f5c45832e7ddf60c4dfaba3c4287) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It was possible to give
mp_growa negative size argument.Several other functions got an extra check for negative input, too.