1601096 – (CVE-2018-1000613) CVE-2018-1000613 bouncycastle: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information

Bug 1601096 (CVE-2018-1000613) - CVE-2018-1000613 bouncycastle: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information

Summary: CVE-2018-1000613 bouncycastle: lack of class checking in deserialization of X...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2018-1000613
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1601099 1601098 1700961
Blocks:	1601100
TreeView+	depends on / blocked

Reported:	2018-07-13 21:01 UTC by Laura Pardo
Modified:	2021-02-16 23:59 UTC (History)
CC List:	46 users (show)
Fixed In Version:	bouncycastle 1.60
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-07-31 07:18:19 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-07-13 21:01:28 UTC

A flaw was found in Legion of the Bouncy Castle Java Cryptography APIs version prior to 1.60. A lack of class checking in the deserialization of XMSS/XMSS^MT private keys with BDS state information can result in the execution of unexpected code.


References:
https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574 	
https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc

Comment 1 Laura Pardo 2018-07-13 21:02:20 UTC

Created bouncycastle tracking bugs for this issue:

Affects: epel-all [bug 1601099]
Affects: fedora-all [bug 1601098]

Comment 2 Doran Moppert 2018-07-16 01:21:09 UTC

Statement:

The XMSS/XMSS^MT algorithms were first introduced in upstream bouncycastle version 1.57.  Versions prior to this, that have not had the new algorithms back-ported, are not affected.

Comment 9 Product Security DevOps Team 2019-07-31 07:18:19 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1000613

Note You need to log in before you can comment on or make changes to this bug.

bcourt
bkearney
bmaxwell
bmcclain
cbillett
cdewolf
chazlett
csutherl
darran.lofthouse
dblechte
dfediuck
dimitris
dosoudil
drieden
eedri
hhorak
jawilson
jjohnstn
jolee
jorton
jschatte
jshepherd
jstastny
lgao
mgoldboi
michal.skrivanek
mmccune
myarboro
ohadlevy
pgier
psakar
pslavice
psotirop
puntogil
rchan
rgrunber
rjerrido
rnetuka
rsvoboda
sbonazzo
sherold
steve.traylen
tomckay
twalsh
vhalbert
vtunka