Bug 1218222 (CVE-2023-50981)

Summary: VUL-0: CVE-2023-50981: libcryptopp: issue on ModularSquareRoot function leads to potential DoS
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, camila.matos, dleidi, meissner, pgajdos, pmonrealgonzalez, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/388516/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-50981:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-12-19 15:01:16 UTC 
ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (infinite loop) via crafted DER public-key data associated with squared odd numbers, such as the square of 268995137513890432434389773128616504853.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50981
https://github.com/weidai11/cryptopp/issues/1249
Comment 2 Petr Gajdos 2024-01-04 10:07:30 UTC 
Reporter provided a pull request:
https://github.com/weidai11/cryptopp/pull/1255

TW submit request:
https://build.opensuse.org/request/show/1136759

Also submitted for 15,15sp4/libcryptopp.
Comment 7 Maintenance Automation 2024-01-18 20:30:21 UTC 
SUSE-SU-2024:0157-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218222
CVE References: CVE-2023-50981
Sources used:
openSUSE Leap 15.4 (src): libcryptopp-8.6.0-150400.3.6.1
openSUSE Leap 15.5 (src): libcryptopp-8.6.0-150400.3.6.1
Basesystem Module 15-SP5 (src): libcryptopp-8.6.0-150400.3.6.1
SUSE Linux Enterprise Real Time 15 SP4 (src): libcryptopp-8.6.0-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Petr Gajdos 2024-05-16 06:00:34 UTC 
SUSE:SFFO:Main
https://build.suse.de/request/show/330342
SUSE:ALP:Source:Standard:1.0
https://build.suse.de/request/show/330340
Comment 11 Petr Gajdos 2024-05-17 12:44:14 UTC 
(In reply to Petr Gajdos from comment #10)
> SUSE:SFFO:Main
> https://build.suse.de/request/show/330342
> SUSE:ALP:Source:Standard:1.0
> https://build.suse.de/request/show/330340

Now 330340 was declined because:

Moved to SUSE:SLFO:Main with request https://build.suse.de/request/show/330342 

I do not understand it, I thought I should have submitted both into ALP and SFFO.
Comment 12 Petr Gajdos 2024-05-17 12:45:41 UTC 
(see comment 9)
Comment 13 Marcus Meissner 2024-05-17 12:48:39 UTC 
We need to find out where the submissions go for SLE Micro 6 fixes.

If yes, we still need 330342.

please wait some hours.
Comment 14 Petr Gajdos 2024-05-17 12:57:35 UTC 
Ok then, thanks. Will not touch it in any way until asked.
Comment 15 Petr Gajdos 2024-05-17 12:58:28 UTC 
SUSE:SFFO:Main
https://build.suse.de/request/show/330342
SUSE:ALP:Source:Standard:1.0
https://build.suse.de/request/show/330340

(just to have it as the first comment again)
Comment 16 Petr Gajdos 2024-05-22 10:24:26 UTC 
(In reply to Petr Gajdos from comment #15)
> SUSE:ALP:Source:Standard:1.0
> https://build.suse.de/request/show/330340

Reopened.