[Mono-bugs] [Bug 647493] CVE-2007-5197 not actually fixed, BigInteger unsafe code overflow remains in all versions incl git master

bugzilla_noreply at novell.com
Mon Oct 18 16:30:11 EDT 2010


https://bugzilla.novell.com/show_bug.cgi?id=647493

https://bugzilla.novell.com/show_bug.cgi?id=647493#c1


Sebastien Pouliot <spouliot at novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
              Group|novellonly                  |
      CC Accessible|1                           |0
                 CC|                            |spouliot at novell.com
         Resolution|                            |INVALID
           Reporter|1                           |0
         Accessible|                            |

--- Comment #1 from Sebastien Pouliot <spouliot at novell.com> 2010-10-18 20:30:10 UTC ---
Please check your facts (and wires ;-)

1. I'm 99% certain that the issue was found when Mono 1.2.5 was current and
1.2.5.1 was released with a fix (sadly there are no release notes but 1.2.5.2 was
for another vulnerability). I'd be happy if you could prove me wrong and no, the
CVE web page is not a proof ;-) but a typo.

2. This is not the first time that the solution was explained (to Debian
maintainers) but here it is again:

The internal, inner (non-user accessible) Montgomery class is not used by
BigInteger (i.e. you can remove it and compile mono, it's DEAD code) nor
anywhere else. This is why the above patch is unneeded (i.e. it was fixed by
using another implementation for Pow).

So:
1. use upstream mono
2. avoid useless, untested, patches - because, you know, they can randomly bite
you...


Now I'll remove the dead code because I never had time to fix the bug which
made me switch away from (the faster) Montgomery algorithm - and it was
unrelated to the vulnerability. Hopefully this will remove any potential
confusion (and useless, untested patches ;-).


If you find any security issue please read
http://en.wikipedia.org/wiki/Responsible_disclosure and use the contact form on
the first link you mentioned.
