[Pkg-openssl-devel] Bug#1071972: openssl: CVE-2024-4603

Salvatore Bonaccorso carnil at debian.org
Sun May 26 19:53:04 BST 2024


Source: openssl
Version: 3.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for openssl.

For the avoidance of doubt, no DSA is needed; filing the bug for BTS
tracking and it can simply be fixed in the next round of rebasing
openssl (IMHO).

CVE-2024-4603[0]:
| Issue summary: Checking excessively long DSA keys or parameters may
| be very slow.  Impact summary: Applications that use the functions
| EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA
| public key or DSA parameters may experience long delays. Where the
| key or parameters that are being checked have been obtained from an
| untrusted source this may lead to a Denial of Service.  The
| functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform
| various checks on DSA parameters. Some of those computations take a
| long time if the modulus (`p` parameter) is too large.  Trying to
| use a very large modulus is slow and OpenSSL will not allow using
| public keys with a modulus which is over 10,000 bits in length for
| signature verification. However the key and parameter check
| functions do not limit the modulus size when performing the checks.
| An application that calls EVP_PKEY_param_check() or
| EVP_PKEY_public_check() and supplies a key or parameters obtained
| from an untrusted source could be vulnerable to a Denial of Service
| attack.  These functions are not called by OpenSSL itself on
| untrusted DSA keys so only applications that directly call these
| functions may be vulnerable.  Also vulnerable are the OpenSSL pkey
| and pkeyparam command line applications when using the `-check`
| option.  The OpenSSL SSL/TLS implementation is not affected by this
| issue.  The OpenSSL 3.0 and 3.1 FIPS providers are affected by this
| issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-4603
    https://www.cve.org/CVERecord?id=CVE-2024-4603
[1] https://www.openssl.org/news/secadv/20240516.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
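
Added example, not part of the original report and not OpenSSL code: a size pre-check an application could run on untrusted "DSA PARAMETERS" PEM input before handing it to the check functions named in the CVE text. Reusing the 10,000-bit figure as the bound, all function names, and the sample parameters built at the end are assumptions of this example.

```python
import base64

# The advisory states 10,000 bits as the signature-verification limit;
# using it as the pre-check bound is this example's assumption.
MAX_MODULUS_BITS = 10_000
BEGIN, END = "-----BEGIN DSA PARAMETERS-----", "-----END DSA PARAMETERS-----"

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dsa_params_modulus_bits(pem):
    """Bit length of p in DSA parameters: SEQUENCE { INTEGER p, q, g }."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a DSA PARAMETERS PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, p_bytes, _ = _read_tlv(body, 0)
    if tag != 0x02 or not p_bytes or p_bytes[0] & 0x80:
        raise ValueError("p must be a positive INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()

def safe_to_check(pem, max_bits=MAX_MODULUS_BITS):
    """True if the modulus is small enough to pass to the expensive check."""
    return dsa_params_modulus_bits(pem) <= max_bits

def _tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def constructed_params_pem(p_bits):
    """Constructed sample (not real parameters): p has exactly p_bits bits."""
    vals = ((1 << (p_bits - 1)) | 1, 0xB, 2)
    ints = b"".join(_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in vals)
    return BEGIN + "\n" + base64.b64encode(_tlv(0x30, ints)).decode() + "\n" + END + "\n"
```

Input that fails to parse raises ValueError and should be rejected as well, so only well-formed parameters within the bound reach the check call.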


