Bug 1221528 (CVE-2018-25099)

Summary: VUL-0: CVE-2018-25099: perl-CryptX: gcm_decrypt_verify() and chacha20poly1305_decrypt_verify() do not verify the tag
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Lars Vogdt <lars.vogdt>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, lars.vogdt
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/397975/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-18 06:17:25 UTC 
In the CryptX module before 0.062 for Perl, gcm_decrypt_verify() and chacha20poly1305_decrypt_verify() do not verify the tag.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-25099
https://www.cve.org/CVERecord?id=CVE-2018-25099
https://github.com/DCIT/perl-CryptX/issues/47
https://github.com/libtom/libtomcrypt/pull/451
https://metacpan.org/dist/CryptX/changes
Comment 1 Alexander Bergmann 2024-03-18 06:18:33 UTC 
This affects Backports and Factory only:

openSUSE:Backports:SLE-15-SP5
openSUSE:Backports:SLE-15-SP6
openSUSE:Factory
Comment 2 Lars Vogdt 2024-03-19 08:31:02 UTC 
Bug should be fixed in CryptX version 0.062.
[...]
0.062   2018-10-30
 - fix #47 gcm_decrypt_verify + chacha20poly1305_decrypt_verify don't 
   verify the tag - SERIOUS SECURITY BUG!
[...]

Oldest version shipped in openSUSE:Backports:SLE-15-SP2 : 0.068

But as there are additional fixes and no backwards incompatible changes, we can also update all code streams to the latest upstream version. 

Objections?
Comment 3 OBSbugzilla Bot 2024-04-16 11:05:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1221528) was mentioned in
https://build.opensuse.org/request/show/1168005 Factory / perl-CryptX
Comment 4 Lars Vogdt 2024-04-16 12:15:29 UTC 
Submission to Factory (just adding the CVE reference): 1168005 

Submission to openSUSE:Backports: 1168343

-> Closing here.
Comment 5 OBSbugzilla Bot 2024-04-16 12:55:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1221528) was mentioned in
https://build.opensuse.org/request/show/1168343 Backports:SLE-15-SP5 / perl-CryptX
Comment 6 Marcus Meissner 2024-04-20 16:04:53 UTC 
openSUSE-SU-2024:0112-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1221528
CVE References: CVE-2018-25099
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    perl-CryptX-0.80.0-bp155.2.3.1