Advisories » MGASA-2017-0010

Updated libcryptopp packages fix security vulnerability

Publication date: 07 Jan 2017
Modification date: 07 Jan 2017
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-9939

Description

When Crypto++ library parses an ASN.1 data value, the library allocates
for the content octets based on the length octets. Later, if there's too
few or too little content octets, the library throws a BERDecodeErr
exception. The memory for the content octets will be zeroized (even if
unused), which could take a long time on a large allocation
(CVE-2016-9939).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=19937
• http://www.openwall.com/lists/oss-security/2016/12/12/7
• https://github.com/weidai11/cryptopp/issues/346
• https://www.debian.org/security/2016/dsa-3748
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9939

SRPMS

5/core

• libcryptopp-5.6.3-1.3.mga5