I spent a long time trying to understand what happened with this CVE.

- upstream's first attempt at a fix, which misses fixing "leak on binary fields (EC2N class)": https://github.com/weidai11/cryptopp/issues/869
  - it also introduced a regression, so besides being an incomplete fix, it introduces a bug
- three regressions were filed upstream:
  - https://github.com/weidai11/cryptopp/issues/994
  - https://github.com/weidai11/cryptopp/issues/1269 (this last one specifically about the library on Ubuntu)
  - https://github.com/weidai11/cryptopp/issues/878
- we also have 3 Launchpad bugs about this: #2064751 (this one), #2060564, and #1893934.

Shouldn't all of these be mentioned in the changelog?

Then it gets confusing. I'm finding multiple references across all these bugs to either a revert, or a partial revert, or a revert plus a fix elsewhere (especially when they mention version 8.3.0).

In https://github.com/weidai11/cryptopp/issues/878#issuecomment-753375057, there is a commit range: https://github.com/weidai11/cryptopp/compare/38cff9aa59f299f7d1e802e614edc205ee2965fb...5dfc7e1c27d2d3225257f1458f0a5b3e623d08e7

Is that the same as reverting the original CVE fix? Is there any option to actually fix the CVE in 5.6.4?

The proposal here is plainly reverting the patch added in 5.6.4-9, which will reintroduce the CVE, correct?

** Bug watch added: github.com/weidai11/cryptopp/issues #869
   https://github.com/weidai11/cryptopp/issues/869

** Bug watch added: github.com/weidai11/cryptopp/issues #994
   https://github.com/weidai11/cryptopp/issues/994

** Bug watch added: github.com/weidai11/cryptopp/issues #1269
   https://github.com/weidai11/cryptopp/issues/1269

** Bug watch added: github.com/weidai11/cryptopp/issues #878
   https://github.com/weidai11/cryptopp/issues/878

** Changed in: libcrypto++ (Ubuntu Focal)
       Status: Fix Committed => Incomplete

-- 
https://bugs.launchpad.net/bugs/2064751
Title: [SRU] revert security-regression in Focal's libcrypto++
