Bugzilla – Bug 1227607
VUL-0: CVE-2024-34702: Botan: Assymetric resource consumption
Last modified: 2024-07-17 13:33:07 UTC
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints. An attacker who presented a certificate chain which contained a very large number of names in the SubjectAlternativeName, signed by a CA certificate which contained a large number of name constraints, could cause a denial of service. The problem has been addressed in Botan 3.5.0 and a partial backport has also been applied and is included in Botan 2.19.5. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34702 https://www.cve.org/CVERecord?id=CVE-2024-34702 https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1 https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41 https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8 https://github.com/randombit/botan/pull/4034 https://github.com/randombit/botan/pull/4045 https://github.com/randombit/botan/pull/4047 https://github.com/randombit/botan/pull/4052 https://github.com/randombit/botan/pull/4186 https://github.com/randombit/botan/pull/4187 https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j https://bugzilla.redhat.com/show_bug.cgi?id=2296351
I think SUSE:SLE-12:Update/Botan is affected. However, the code changed quite a bit back then. The safer choice could be to apply the workaround in the advisory [0]. Also affected: - openSUSE:Backports:SLE-15-SP5 - openSUSE:Backports:SLE-15-SP6 - openSUSE:Factory [0] https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j
The official fix ( backported to 2.19.5 ) has been submitted to Facotry and Backports. Unfortunately, SUSE:SLE-12:Update/Botan ships an extremely outdated version of Botan ( 1.10 ) and it is not supported. Backporting these fixes does not seem feasible, so we'll have to go with the workaround in the advisory.
This is an autogenerated message for OBS integration: This bug (1227607) was mentioned in https://build.opensuse.org/request/show/1187488 Backports:SLE-15-SP5 / Botan https://build.opensuse.org/request/show/1187501 Backports:SLE-15-SP6 / Botan
openSUSE-SU-2024:0201-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1227238,1227607,1227608 CVE References: CVE-2024-34702,CVE-2024-34703,CVE-2024-39312 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): Botan-2.19.5-bp155.2.3.1
Updated to 2.19.5 with fixes for this and related CVEs in processing of constraints in certificates.