Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 19 Aug 2016 09:49:59 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: MatrixSSL Bignum bugs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://www.matrixssl.org/blog/releases/matrixssl_3_8_4

>> several issues related to RSA and bignum operations


> If one tries to calculate a modular
> exponentiation with the base zero (0^b mod a, code) it would crash with
> an invalid free operation, potentially leading to memory corruption.
> https://github.com/hannob/bignum-fuzz/blob/master/matrixssl-base-zero.c

>> Testing MatrixSSL's pstm_exptmod with base zero

Use CVE-2016-6885.


> a malicious client could simply send a zero or the key's modulus here. I
> created a patch against openssl that allows to test this. Both values
> crash the MatrixSSL server. However the crash seems not to happen in
> pstm_exptmod(), it hits another bug earlier. In both cases the crash
> happens due to an invalid memory read in the function pstm_reverse(),
> which is not prepared for zero-sized inputs and will underflow the len
> variable.
> https://github.com/hannob/bignum-fuzz/blob/master/openssl-break-rsa-values.diff

>> This patch allows one to send malformed RSA encryptions during the handshake.
>> One can either send zeros or the RSA key modulus. Both trigger a bug in
>> MatrixSSL 3.8.3.

As far as we can tell, here you are reporting a crash issue that is not
identical to the "exponentiation with the base zero" issue.

Use CVE-2016-6886.


> Fortunately this was discovered before the change made it into a
> release.
> https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003104.html

>> I'm considering the below patch

>>> https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003099.html
>>> Committed and pushed now

There is no CVE ID for this "crashes with a floating point error"
behavior that existed in the https://git.lysator.liu.se/nettle/nettle
code as of approximately 2016-07-17 through 2016-07-31. The Nettle
documentation at https://www.lysator.liu.se/~nisse/nettle/ doesn't
specifically recommend that people ship unreleased Nettle code. A CVE
ID isn't, in general, required for each issue noted at any arbitrary
point during development.


> I was able to identify an input value that caused a
> wrong calculation result.
> 
> They now restrict the input to the pstm_exptmod()
> function to a set of bit sizes (512, 1024, 1536, 2048, 3072, 4096). My
> test input had a different bit size

As far as we can tell, a "wrong calculation result" is not always a
vulnerability on its own, and sometimes becomes relevant only when
there is a composite with another issue. However, the set of other
issues is not fully specified and thus we are assigning a CVE ID to
the "wrong calculation result" itself in this specific case.

Use CVE-2016-6887.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXtwz9AAoJEHb/MwWLVhi2o/YP/idLfMy+aLG2sgmccQASZZGz
BSri6w0qzXrp3vta6zvU5NtGrFKe6728eteh+s5tzvQOx8cibQhkRf0rhV5+OVWR
dW3zOU/8yy8ns7liFnCCzkT3N64ZX7D6m3x9xfeBd9qAVp57y0OetH54mEX3K3wK
az47xi35WpQsGfXP6MWpxUXXNod5P/hu38TCH/siIImB/gNYgP9tmTBArsp63/M6
wxRLl5/zkMYc727tfY2apoAnu7c3qEl2WDOe12P4/T77Cpjbv1mQhpXT3fUw2dff
vCILkdN/YZM0X4zFL4MIUsTOcRX68YoP83npRCjb9q9OX6fTCeZGjAE1z2Kc0DJr
aRqv++KmjMDWa9T+NJoczsNbxcnvoCJhUpGIsL2czEEb8qbBgllbyIlvlcuh2zYf
6fxMNgPbInINglJt5j+LqxSspk4ZyMF9Ptf0zPuEOwikaLOtFI5C1AVyMiQMwO9q
RwtJnW1X4heT2OeoLQApRS3vXABdViQiPVDCqbKeYd5HaDuT3FtDqGQRfTzbCgaP
ixdotezrAC9HX/UB2WDYwSbDEIJolfnGbplGOfIuPSOsbAmQegj3fFvQg8bM/a8m
nIwmJl9liXlFpdJo4WEL4i0nQqACtP7Y3cB9oZY2S1MR2+locsZJB40p6P4T4tjG
p1ybwtmkWvayRh9TNjg7
=a0WT
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.