libtom / libtommath

LibTomMath is a free open source portable number theoretic multiple-precision integer library written entirely in C.
https://www.libtom.net

Fix possible integer overflow #546

Closed czurnieden closed 1 year ago

czurnieden commented 1 year ago

It was possible to give mp_grow a negative size argument. Several other functions got an extra check for negative input, too.
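An added illustration of the bug class described above, not code from libtommath: a hypothetical, simplified grow routine loosely shaped like mp_grow, showing how an unchecked negative digit count becomes a huge size_t request, beside a version that rejects the sign before any size arithmetic. digit_t, PREC, bigint_t, the error codes and grow_fresh are assumptions made for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a growable digit buffer (assumption:
 * not libtommath's mp_int, only the same shape: digits, used, alloc). */
typedef uint32_t digit_t;
#define PREC 32                    /* assumed allocation granularity, in digits */
typedef struct { digit_t *dp; int used; int alloc; } bigint_t;
enum { OK = 0, ERR_MEM = -2, ERR_VAL = -3 };

/* Byte count a grow routine would request for `size` digits if it never
 * checked the sign: a negative int converts to a huge size_t, so the
 * allocation either fails or later arithmetic on it wraps. */
size_t unchecked_bytes(int size)
{
    return (size_t)size * sizeof(digit_t);
}

/* Hardened grow: reject negative sizes first, then round up to the
 * allocation granularity without letting the int arithmetic overflow. */
int grow_checked(bigint_t *a, int size)
{
    if (size < 0) return ERR_VAL;                    /* the kind of check PR #546 adds */
    if (a->alloc >= size) return OK;                 /* already large enough */
    if (size > INT_MAX - 2 * PREC) return ERR_VAL;   /* rounding below would overflow */
    size += (2 * PREC) - (size % PREC);
    digit_t *tmp = realloc(a->dp, (size_t)size * sizeof(digit_t));
    if (tmp == NULL) return ERR_MEM;
    memset(tmp + a->alloc, 0, (size_t)(size - a->alloc) * sizeof(digit_t));
    a->dp = tmp;
    a->alloc = size;
    return OK;
}

/* Grow a fresh buffer to `size` digits; returns the resulting alloc count
 * on success or the negative error code, so the behaviour is easy to check. */
int grow_fresh(int size)
{
    bigint_t a = { NULL, 0, 0 };
    int rc = grow_checked(&a, size);
    int result = (rc == OK) ? a.alloc : rc;
    free(a.dp);
    return result;
}
```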

czurnieden commented 1 year ago

@sjaeckel please ask the reporter of that bug if they want to remain anonymous. I would like to put their name in, otherwise.

sjaeckel commented 1 year ago

@gal1ium thanks for reporting this. Do you wanna have a look at the changes?

gal1ium commented 1 year ago

@gal1ium thanks for reporting this. Do you wanna have a look at the changes?

I think they're good! Thanks!

czurnieden commented 1 year ago

I double checked and it looks good.

None forgotten? Good.

I also cherry-picked this to develop locally and will open a PR soon.

Ah, thanks, wasn't able to get to it till now.

sjaeckel commented 1 year ago

@dod38fr @scaronni @gahr @DimStar77 @dfandrich @antonio-rojas @millak

could you please include this patch in your distro?

gahr commented 1 year ago

@sjaeckel I can do that - are you planning a patch release, anyway?

dfandrich commented 1 year ago

Does this fix a security vulnerability? Glancing at the diff, it looks like it fixes some things that a buggy program might hit but affect parameters that would not generally be under the control of an attacker.

dod38fr commented 1 year ago

@dod38fr @scaronni @gahr @DimStar77 @dfandrich @antonio-rojas @Millak

could you please include this patch in your distro?

It's too late for Debian 12 which is to be released next week.

I'll patch libtommath in Debian/unstable once Debian 12 is out. If this bug turns out to be a security issue, I'll make sure to include it in a future Debian 12 point release (e.g. 12.1).

gahr commented 1 year ago

I patched the FreeBSD port: https://cgit.freebsd.org/ports/commit/?id=02c46239ac8dce1c3573803e6c95ae152aa61ee9

still eager to know if there's a release coming

sjaeckel commented 1 year ago

I don't think there will be a patch release, but a new release will come which includes this patch.

samueloph commented 1 year ago

CVE-2023-36328 was assigned to this.

I had no involvement in the assignment, posting here for reference only.

sjaeckel commented 1 year ago

Seems like someone really thinks that this needs a bugfix release ...

https://github.com/libtom/libtommath/releases/tag/v1.2.1

Felixxz commented 8 months ago

I see an error in the description https://nvd.nist.gov/vuln/detail/CVE-2023-36328#range-9994440 of the versions affected by the vulnerability. Version 1.2.1 is included, although it contains changes from this commit: https://github.com/libtom/libtommath/pull/546/commits/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 . Can you correct and remove version 1.2.1 from the nist.gov description?

sjaeckel commented 8 months ago

I contacted them, let's see what happens and when :-)

sjaeckel commented 8 months ago

Version is fixed, list will be updated within the next 24 hours