CVE-2024-28285

NameCVE-2024-28285
DescriptionA Fault Injection vulnerability in the SymmetricDecrypt function in cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to co-reside in the same system with a victim process to disclose information and escalate privileges.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1077684

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcrypto++ (PTS)jessie, jessie (lts)5.6.1-6+deb8u3vulnerable
stretch5.6.4-7vulnerable
buster5.6.4-8vulnerable
bullseye8.4.0-1vulnerable
bookworm8.7.0+git220824-1vulnerable
sid, trixie8.9.0-1.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcrypto++sourcejessie(unfixed)end-of-life
libcrypto++source(unstable)(unfixed)1077684

Notes

[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libcrypto++ <no-dsa> (Minor issue)
[buster] - libcrypto++ <postponed> (Minor issue; can be fixed in next update)
https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1
https://github.com/weidai11/cryptopp/issues/1262
[stretch] - libcrypto++ <postponed> (Minor issue; can be fixed in next update)
Search for package or bug name: Reporting problems