Bug 2294868 (CVE-2024-34703) - CVE-2024-34703 botan: Denial of Service Due to Overly Large Elliptic Curve Parameters
Summary: CVE-2024-34703 botan: Denial of Service Due to Overly Large Elliptic Curve Pa...
Keywords:
Status: NEW
Alias: CVE-2024-34703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2294869 2294870 2295888 2295889
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-07-01 06:13 UTC by Mauro Matteo Cascella
Modified: 2024-07-25 11:58 UTC (History)
0 users

Fixed In Version: botan 3.3.0, botan 2.19.4
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2024-07-01 06:13:02 UTC 
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.

References:
https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4
https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a
https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
Comment 1 Mauro Matteo Cascella 2024-07-01 06:13:21 UTC 
Created botan2 tracking bugs for this issue:

Affects: epel-all [bug 2294869]
Affects: fedora-all [bug 2294870]
Note You need to log in before you can comment on or make changes to this bug.