Fabre

#1059309 libcrypto++: CVE-2022-48570 #1059309

Package:: src:libcrypto++

Source:: src:libcrypto++

Submitter:: Moritz Mühlenhoff

Date:: 2023-12-22 20:09:42 UTC

Severity:: normal

Tags:

#1059309#5

Date:: 2023-12-22 13:35:57 UTC

From:

To:

Hi,

The following vulnerability was published for libcrypto++.

CVE-2022-48570[0]:
| Crypto++ through 8.4 contains a timing side channel in ECDSA
| signature generation. Function FixedSizeAllocatorWithCleanup could
| write to memory outside of the allocation if the allocated memory
| was not 16-byte aligned. NOTE: this issue exists because the
| CVE-2019-14318 fix was intentionally removed for functionality
| reasons.

https://github.com/weidai11/cryptopp/issues/992


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-48570
https://www.cve.org/CVERecord?id=CVE-2022-48570

Please adjust the affected versions in the BTS as needed.

#1059309 libcrypto++: CVE-2022-48570 #1059309

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)