Bug 1153385 (CVE-2019-17359)

Summary: VUL-0: CVE-2019-17359: bouncycastle: OutOfMemoryError via crafted ASN.1 data
Product: [openSUSE] openSUSE Distribution Reporter: Alexander Bergmann <abergmann>
Component: BasesystemAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: abergmann, pmonrealgonzalez
Version: Leap 15.1   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/244441/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2019-10-09 06:19:51 UTC 
CVE-2019-17359

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large
attempted memory allocation, and resultant OutOfMemoryError error, via crafted
ASN.1 data. This is fixed in 1.64.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17359
http://www.cvedetails.com/cve/CVE-2019-17359/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
https://www.bouncycastle.org/releasenotes.html
https://www.bouncycastle.org/latest_releases.html
Comment 1 Alexander Bergmann 2019-10-09 06:27:36 UTC 
openSUSE Leap is getting its updates from SUSE:SLE-15 and that version is still on 1.58.

Please prepare an update to version 1.64 including references to:

* bsc#1096291 - CVE-2018-1000180
* bsc#1100694 - CVE-2018-1000613
Comment 2 Pedro Monreal Gonzalez 2019-10-09 09:41:52 UTC 
(In reply to Alexander Bergmann from comment #1)
> openSUSE Leap is getting its updates from SUSE:SLE-15 and that version is
> still on 1.58.
> 
> Please prepare an update to version 1.64 including references to:
> 
> * bsc#1096291 - CVE-2018-1000180
> * bsc#1100694 - CVE-2018-1000613

The vulnerable code was introduced in version 1.63 and fixed in version 1.64. I think these are the relevant commits for the fix:

   https://github.com/bcgit/bc-java/commit/33a8e4aa07b21a8bcf5a582446664485f5f081b2
   https://github.com/bcgit/bc-java/commit/b1bc75254f5fea633a49a751a1a7339056f97856
Comment 3 Pedro Monreal Gonzalez 2019-10-11 11:21:11 UTC 
Factory submission:
   https://build.opensuse.org/request/show/737444
Comment 4 Pedro Monreal Gonzalez 2019-10-11 11:54:20 UTC 
(In reply to Alexander Bergmann from comment #1)
> openSUSE Leap is getting its updates from SUSE:SLE-15 and that version is
> still on 1.58.

The vulnerable code was introduced in version 1.63 and fixed in version 1.64. I just updated to 1.64 in Factory. Non of the SLE packages are affected by this CVE and updating SLE-15 to 1.64 could introduce a couple of important changes in the functionality, see:

   https://www.bouncycastle.org/releasenotes.html

An update in SLE-15 would require an ECO. Do you mean to submit the update to SLE-15-SP2 so Leap could take the package from there?
Comment 5 Pedro Monreal Gonzalez 2020-04-29 14:25:23 UTC 
Hi Alex, I just submitted an update in Leap 15.1 to version 1.60 for another bug, here:
   https://build.opensuse.org/request/show/798905

Is it OK if I update to 1.64 there, in Leap 15.1?
Comment 6 Pedro Monreal Gonzalez 2020-04-29 14:51:37 UTC 
(In reply to Pedro Monreal Gonzalez from comment #5)
> Hi Alex, I just submitted an update in Leap 15.1 to version 1.60 for another
> bug, here:
>    https://build.opensuse.org/request/show/798905
> 
> Is it OK if I update to 1.64 there, in Leap 15.1?

Hmm, javamail is not available in Leap15.1...
Comment 7 Pedro Monreal Gonzalez 2020-07-28 18:36:49 UTC 
The vulnerability was introduced in version 1.63 and fixed in 1.64. Since we do not ship version 1.63 in any codestream we are not affected by this bug.