Re: matrixssl

To: Brian May <bam@debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: matrixssl
From: Ola Lundqvist <ola@inguza.com>
Date: Wed, 10 Aug 2016 12:15:22 +0200
Message-id: <[🔎] CABY6=0m6hkH3FpnADKyD+2kaAEUZYpPx5gkVBWeNfj4y1_SYUw@mail.gmail.com>
In-reply-to: <[🔎] 87fuqd81ji.fsf@prune.linuxpenguins.xyz>
References: <[🔎] 87inv9821q.fsf@prune.linuxpenguins.xyz> <[🔎] 87fuqd81ji.fsf@prune.linuxpenguins.xyz>

Hi Brian

After some investigation I found the fix here:
https://github.com/matrixssl/matrixssl/commit/57d20a6e85a9cd570884aba686368dd77511d866

This is a very large commit but from
https://blog.fuzzing-project.org/51-Fun-with-Bignums-Crashing-MatrixSSL-and-more.html
it looks like it is the following files that were updated:
- crypto/math/pstm.c
- crypto/pubkey/dh.c
- crypto/pubkey/rsa.c

I hope this helps.

Best regards

// Ola


// Ola

On Wed, Aug 10, 2016 at 10:34 AM, Brian May <bam@debian.org> wrote:
> Brian May <brian@linuxpenguins.xyz> writes:
>
>> Had a quick look at the matrixssl security vulnerability.
>>
>> Unfortunately, finding it difficult to work out which of the upstream
>> changes fixes this.
>
> Was meaning to be more informative here, unfortunately the train I was
> travelling on unexpectedly terminated prematurely.
>
> Here is a complete list of changes in the upstream git:
>
> 866749e (tag: 3-8-4-open) MatrixSSL 3.8.4
> 458806d MatrixSSL 3.8.4
> a85d4a8 MatrixSSL 3.8.4
> 6db319d MatrixSSL 3.8.4
> 57d20a6 MatrixSSL 3.8.4
> 7a254a8 compile stub main if USE_DTLS not defined
> 833e289 added PDF doc
> 5d849c6 kramdown compatibility
> d6e5786 coverity analyzer fixes
> c4ff9f9 clang analyzer fixes
> 27c76c7 Coverity scan fixes
> 855a6d7 Coverity scan fixes
> 5ca20e1 Coverity scan fixes
> 464b9af GPLv2
> ac16cf8 Coverity scan fixes
> b7583a1 Added badges
> de55a7f Attribution
> a90e925 (tag: 3-8-3-open) MatrixSSL 3.8.3 Open
> 3240fb3 MatrixSSL 3.8.3 Open
> 699247e MatrixSSL 3.8.3 Open
> d219831 MatrixSSL 3.8.3 Open
> 08d42f4 MatrixSSL 3.8.3 Open
> 591a069 MatrixSSL 3.8.3 Open
> 825dcb0 Added xcode files.
> 7e6c0a9 MatrixSSL 3.8.3 Open
> 5b09e8e MatrixSSL 3.8.3 Open
> 2a11588 comment change
> ab51aef Update for latest 3.7.2a release
> 9d383e1 New release of MatrixSSL 3.7.2
> 258ee61 Update image url
> 21a95e0 Added logo
> 1dfc3fe Update README.md
> --
> Brian May <bam@debian.org>
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: matrixssl
  - From: Brian May <bam@debian.org>

References:
- matrixssl
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: matrixssl
  - From: Brian May <bam@debian.org>

Prev by Date: Re: matrixssl
Next by Date: Re: [SECURITY] [DLA 588-2] mongodb security update
Previous by thread: Re: matrixssl
Next by thread: Re: matrixssl
Index(es):
- Date
- Thread