Bug 1212112 (CVE-2023-36660) - VUL-0: CVE-2023-36660: libnettle: the new OCB code may be exploitable due to memory corruption
Status: RESOLVED FIXED
Duplicates: 1212708
Alias: CVE-2023-36660
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/368752/
Reported: 2023-06-07 15:45 UTC by Gianluca Gabrielli
Modified: 2024-05-14 14:53 UTC

Description Gianluca Gabrielli 2023-06-07 15:45:27 UTC
From the v3.9.1 changelog [0].

This is a bugfix release, fixing a few bugs reported for Nettle-3.9. The bug in the new OCB code may be exploitable for denial of service or worse, since triggering it leads to memory corruption. Upgrading from Nettle-3.9 to the new version is strongly recommended.


[0] https://git.lysator.liu.se/nettle/nettle/-/commit/65c0053d089178b93bac2827651649750d1724d1
Comment 1 Gianluca Gabrielli 2023-06-07 15:47:16 UTC
There are only 3 commits between v3.9 and v3.9.1. I guess the fixing commit is 867a4548b95705291a3afdd66d76e7f17ba2618f [0].


[0] https://git.lysator.liu.se/nettle/nettle/-/commit/867a4548b95705291a3afdd66d76e7f17ba2618f.patch
Comment 2 Pedro Monreal Gonzalez 2023-06-08 07:01:42 UTC
The OCB mode was introduced in libnettle 3.9 and no SLE version has this implementation. So, only Factory is affected. It was submitted here:
   * https://build.opensuse.org/request/show/1091203

I'll add this bug number in the changelog for tracking purposes. Is there a CVE number assigned to this?
Comment 3 Pedro Monreal Gonzalez 2023-06-08 09:29:57 UTC
Factory submission: https://build.opensuse.org/request/show/1091398
Comment 4 Gianluca Gabrielli 2023-06-09 06:08:11 UTC
(In reply to Pedro Monreal Gonzalez from comment #2)
> I'll add this bug number in the changelog for tracking purposes. Is there a
> CVE number assigned to this?

I filed a request with MITRE, I will update this bug with the CVE ID once assigned.
Comment 5 Pedro Monreal Gonzalez 2023-06-26 07:50:29 UTC
The CVE-2023-36660 has been assigned to this bug, see bsc#1212708. I'll mention this in the Factory changelog entry. Please, close the other bug as duplicate and adapt this one. TIA.
Comment 6 Pedro Monreal Gonzalez 2023-06-26 08:12:12 UTC
(In reply to Pedro Monreal Gonzalez from comment #5)
> The CVE-2023-36660 has been assigned to this bug, see bsc#1212708. I'll
> mention this in the Factory changelog entry. Please, close the other bug as
> duplicate and adapt this one. TIA.

Submitted to Factory here: https://build.opensuse.org/request/show/1095348
Comment 7 Pedro Monreal Gonzalez 2023-06-26 08:13:08 UTC
All submitted, assigning back to security-team.
Comment 8 Carlos López 2023-06-26 08:26:59 UTC
*** Bug 1212708 has been marked as a duplicate of this bug. ***
Comment 9 Pedro Monreal Gonzalez 2023-06-26 08:30:45 UTC
ALP submission: https://build.suse.de/request/show/302133
Comment 11 Robert Frohl 2024-05-14 14:53:46 UTC
done, closing