CVE-2016-6129

NameCVE-2016-6129
DescriptionThe rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public certificates by leveraging a Bleichenbacher signature forgery attack.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-612-1
Debian Bugs837042

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libtomcrypt (PTS)jessie, jessie (lts)1.17-6+deb8u1vulnerable
stretch1.17-9fixed
buster1.18.2-1fixed
bullseye1.18.2-5fixed
bookworm1.18.2-6fixed
sid, trixie1.18.2+dfsg-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libtomcryptsourcewheezy1.17-3.2+deb7u1DLA-612-1
libtomcryptsource(unstable)1.17-8837042

Notes

[jessie] - libtomcrypt <no-dsa> (Minor issue)
https://github.com/OP-TEE/optee_os/commit/30d13250c390c4f56adefdcd3b64b7cc672f9fe2
libtomcrypt ship the corresponding patch in
https://github.com/libtom/libtomcrypt/commit/5eb9743410ce4657e9d54fef26a2ee31a1b5dd09
The CVE is originally assigend to OP-TEE, but the underlying issue seems to be in
libtomcrypt, thus keep that source package as well for now associated.
Search for package or bug name: Reporting problems