Bug 908425 (CVE-2013-1622) - CVE-2013-1622 polarssl: improper MAC check if sanity check fails leads to DoS
Summary: CVE-2013-1622 polarssl: improper MAC check if sanity check fails leads to DoS
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-1622
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 907982
Blocks: 907592
TreeView+ depends on / blocked
 
Reported: 2013-02-06 16:49 UTC by Vincent Danen
Modified: 2019-09-29 13:00 UTC (History)
1 user (show)

Fixed In Version: polarssl 1.2.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-28 01:20:59 UTC
Embargoed:


Attachments (Terms of Use)

Description Vincent Danen 2013-02-06 16:49:04 UTC
In addition to the fix for CVE-2013-0169, PolarSSL 1.2.5 corrects the following problem:

"PolarSSL ... it does not perform any MAC check if this
sanity check fails, but instead exits immediately. This would
render the implementation vulnerable to a simple timing-based
distinguishing attack." (requires a non-default configuration with
"TLS alert messages when decryption errors are encountered")

Comment 1 Vincent Danen 2013-02-06 16:51:23 UTC
Created polarssl tracking bugs for this issue

Affects: fedora-all [bug 907982]

Comment 2 Mads Kiilerich 2013-02-28 01:20:59 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1622 says
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: none.
Reason: This candidate is not a security issue. Further investigation showed that, because of RFC noncompliance, no version or configuration of the product had the vulnerability previously associated with this ID.
Notes: none.


Note You need to log in before you can comment on or make changes to this bug.