Bug 1218222 (CVE-2023-50981) - VUL-0: CVE-2023-50981: libcryptopp: issue on ModularSquareRoot function leads to potential DoS
Summary: VUL-0: CVE-2023-50981: libcryptopp: issue on ModularSquareRoot function leads...
Status: IN_PROGRESS
Alias: CVE-2023-50981
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/388516/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-50981:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-19 15:01 UTC by SMASH SMASH
Modified: 2024-05-22 10:27 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2023-12-19 15:01:16 UTC 
ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (infinite loop) via crafted DER public-key data associated with squared odd numbers, such as the square of 268995137513890432434389773128616504853.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-50981
https://github.com/weidai11/cryptopp/issues/1249
Comment 2 Petr Gajdos 2024-01-04 10:07:30 UTC 
Reporter provided a pull request:
https://github.com/weidai11/cryptopp/pull/1255

TW submit request:
https://build.opensuse.org/request/show/1136759

Also submitted for 15,15sp4/libcryptopp.
Comment 7 Maintenance Automation 2024-01-18 20:30:21 UTC 
SUSE-SU-2024:0157-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218222
CVE References: CVE-2023-50981
Sources used:
openSUSE Leap 15.4 (src): libcryptopp-8.6.0-150400.3.6.1
openSUSE Leap 15.5 (src): libcryptopp-8.6.0-150400.3.6.1
Basesystem Module 15-SP5 (src): libcryptopp-8.6.0-150400.3.6.1
SUSE Linux Enterprise Real Time 15 SP4 (src): libcryptopp-8.6.0-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Petr Gajdos 2024-05-16 06:00:34 UTC 
SUSE:SFFO:Main
https://build.suse.de/request/show/330342
SUSE:ALP:Source:Standard:1.0
https://build.suse.de/request/show/330340
Comment 11 Petr Gajdos 2024-05-17 12:44:14 UTC 
(In reply to Petr Gajdos from comment #10)
> SUSE:SFFO:Main
> https://build.suse.de/request/show/330342
> SUSE:ALP:Source:Standard:1.0
> https://build.suse.de/request/show/330340

Now 330340 was declined because:

Moved to SUSE:SLFO:Main with request https://build.suse.de/request/show/330342 

I do not understand it, I thought I should have submitted both into ALP and SFFO.
Comment 12 Petr Gajdos 2024-05-17 12:45:41 UTC 
(see comment 9)
Comment 13 Marcus Meissner 2024-05-17 12:48:39 UTC 
We need to find out where the submissions go for SLE Micro 6 fixes.

If yes, we still need 330342.

please wait some hours.
Comment 14 Petr Gajdos 2024-05-17 12:57:35 UTC 
Ok then, thanks. Will not touch it in any way until asked.
Comment 15 Petr Gajdos 2024-05-17 12:58:28 UTC 
SUSE:SFFO:Main
https://build.suse.de/request/show/330342
SUSE:ALP:Source:Standard:1.0
https://build.suse.de/request/show/330340

(just to have it as the first comment again)
Comment 16 Petr Gajdos 2024-05-22 10:24:26 UTC 
(In reply to Petr Gajdos from comment #15)
> SUSE:ALP:Source:Standard:1.0
> https://build.suse.de/request/show/330340

Reopened.