FYI... We sent this to oss-security, various security teams and our
---------- Forwarded message ----------
From: Jeffrey Walton <noloa...@gmail.com>
Date: Mon, Sep 19, 2016 at 10:32 AM
Subject: CVE-2016-7420 (Info Disclosure due to assert), Crypto++ and
down level remediation
Crypto++ 5.6.5 will be released within a month or so to remediate the
information disclosure from CVE-2016-742. Distros will need to patch
Crypto++ 5.6.4 and below. The following provides more information and
procedures we recommend for down level Crypto++.
We re-engineered the "debugging and diagnostic" support area because
documenting the behaviors did *not* reduce the risk; rather it simply
moved the blame around. You can see the staged changes at
We believe the best course of action for a distro is to render the
asserts inert in Crypto++ 5.6.4 and below because they are expected to
be removed by NDEBUG. However a simple sed and 's|<exp>||g' won't
work as expected.
If you have any problems or questions, then please email me or call
me. My cell number is <redacted>. My home number is
<redacted>. Distros get special treatment because they are so
important to the ecosystem.
My apologies for the inconvenience and trouble this has caused.
To remediate CVE-2016-7420 in Crypto++ 5.6.4 and below, perform the following.
1. Crypto++ 5.6.2 and below (Crypto++ 5.6.4 and 5.6.3 has it, so skip
(a) Add CRYPTOPP_UNSED macro to config.h
#define CRYPTOPP_UNSED(x) ((void)(x))
2. Change every assert() to CRYPTOPP_UNUSED()
(a) replace en masse
(b) find with sed or grep and 'assert[[:space:]]*('
3. Verify changes
(a) cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
(b) should only see compile-time assert
4. Test changes
(a) 'make clean && make -j 4'
(b) './cryptest.exe v'
5. Update the package
(a) rebuild the library and package it
- all asserts rendered inert
(b) rebuild all dependent packages
- asserts in Crypto++ headers could cross-pollinate
Procedures performed on Crypto++ 5.6.2:
$ git clone https://github.com/weidai11/cryptopp cryptopp-assert
$ cd cryptopp-assert
$ git checkout CRYPTOPP_5_6_2
# Step 1 (Add)
$ echo "#define CRYPTOPP_UNUSED(x) ((void)(x))" >> config.h
# Step 2 (Replace)
$ sed -i "" 's|assert[[:space:]]*(|CRYPTOPP_UNUSED(|g' *.h *.cpp
# Step 3 (Verify)
$ cat *.h *.cpp | egrep -v '(<|>|//)' | grep assert
#define CRYPTOPP_COMPILE_ASSERT_INSTANCE(assertion, instance)
# Step 4 (Test)
$ make clean && make -j 4
$ ./cryptest.exe v # Tail should report no failures
# Step 5 (Repackage)
You received this message because you are subscribed to the "Crypto++ Users"
To unsubscribe, send an email to cryptopp-users-unsubscr...@googlegroups.com.
More information about Crypto++ and this group is available at
You received this message because you are subscribed to the Google Groups
"Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
For more options, visit https://groups.google.com/d/optout.