Bug 1153385 - (CVE-2019-17359) VUL-0: CVE-2019-17359: bouncycastle: OutOfMemoryError via crafted ASN.1 data
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Version: Leap 15.1
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/244441/
Reported: 2019-10-09 06:19 UTC by Alexander Bergmann
Modified: 2020-07-28 18:40 UTC

Found By: Security Response Team
Description Alexander Bergmann 2019-10-09 06:19:51 UTC
CVE-2019-17359

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large
attempted memory allocation, and resultant OutOfMemoryError error, via crafted
ASN.1 data. This is fixed in 1.64.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17359
http://www.cvedetails.com/cve/CVE-2019-17359/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
https://www.bouncycastle.org/releasenotes.html
https://www.bouncycastle.org/latest_releases.html
Comment 1 Alexander Bergmann 2019-10-09 06:27:36 UTC
openSUSE Leap is getting its updates from SUSE:SLE-15 and that version is still on 1.58.

Please prepare an update to version 1.64 including references to:

* bsc#1096291 - CVE-2018-1000180
* bsc#1100694 - CVE-2018-1000613
Comment 2 Pedro Monreal Gonzalez 2019-10-09 09:41:52 UTC
(In reply to Alexander Bergmann from comment #1)
> openSUSE Leap is getting its updates from SUSE:SLE-15 and that version is
> still on 1.58.
> 
> Please prepare an update to version 1.64 including references to:
> 
> * bsc#1096291 - CVE-2018-1000180
> * bsc#1100694 - CVE-2018-1000613

The vulnerable code was introduced in version 1.63 and fixed in version 1.64. I think these are the relevant commits for the fix:

   https://github.com/bcgit/bc-java/commit/33a8e4aa07b21a8bcf5a582446664485f5f081b2
   https://github.com/bcgit/bc-java/commit/b1bc75254f5fea633a49a751a1a7339056f97856
Comment 3 Pedro Monreal Gonzalez 2019-10-11 11:21:11 UTC
Factory submission:
   https://build.opensuse.org/request/show/737444
Comment 4 Pedro Monreal Gonzalez 2019-10-11 11:54:20 UTC
(In reply to Alexander Bergmann from comment #1)
> openSUSE Leap is getting its updates from SUSE:SLE-15 and that version is
> still on 1.58.

The vulnerable code was introduced in version 1.63 and fixed in version 1.64. I just updated to 1.64 in Factory. None of the SLE packages are affected by this CVE and updating SLE-15 to 1.64 could introduce a couple of important changes in the functionality, see:

   https://www.bouncycastle.org/releasenotes.html

An update in SLE-15 would require an ECO. Do you mean to submit the update to SLE-15-SP2 so Leap could take the package from there?
Comment 5 Pedro Monreal Gonzalez 2020-04-29 14:25:23 UTC
Hi Alex, I just submitted an update in Leap 15.1 to version 1.60 for another bug, here:
   https://build.opensuse.org/request/show/798905

Is it OK if I update to 1.64 there, in Leap 15.1?
Comment 6 Pedro Monreal Gonzalez 2020-04-29 14:51:37 UTC
(In reply to Pedro Monreal Gonzalez from comment #5)
> Hi Alex, I just submitted an update in Leap 15.1 to version 1.60 for another
> bug, here:
>    https://build.opensuse.org/request/show/798905
> 
> Is it OK if I update to 1.64 there, in Leap 15.1?

Hmm, javamail is not available in Leap 15.1...
Comment 7 Pedro Monreal Gonzalez 2020-07-28 18:36:49 UTC
The vulnerability was introduced in version 1.63 and fixed in 1.64. Since we do not ship version 1.63 in any codestream we are not affected by this bug.