Bug 2257571 (CVE-2023-6129) - CVE-2023-6129 mysql: openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC
Summary: CVE-2023-6129 mysql: openssl: POLY1305 MAC implementation corrupts vector reg...
Keywords:
Status: NEW
Alias: CVE-2023-6129
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2257574 2257575 2257576 2275460 2275461 2257573
Blocks: 2257577 2275454
TreeView+ depends on / blocked
 
Reported: 2024-01-10 05:01 UTC by TEJ RATHI
Modified: 2024-04-30 10:52 UTC (History)
38 users (show)

Fixed In Version: OpenSSL 3.0, OpenSSL 3.1, OpenSSL 3.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in in the POLY1305 MAC (message authentication code) implementation in OpenSSL, affecting applications running on PowerPC CPU-based platforms that utilize vector instructions, and has the potential to corrupt the internal state of these applications. If an attacker can manipulate the utilization of the POLY1305 MAC algorithm, it may lead to the corruption of the application state, resulting in various application-dependent consequences, often resulting in a crash and leading to a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:2447 0 None None None 2024-04-30 10:52:21 UTC

Description TEJ RATHI 2024-01-10 05:01:06 UTC 
The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.

OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to this issue. 
The FIPS provider is not affected because the POLY1305 MAC algorithm is not FIPS approved and the FIPS provider does not implement it.

OpenSSL versions 1.1.1 and 1.0.2 are not affected by this issue.

http://www.openwall.com/lists/oss-security/2024/01/09/1
https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35
https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04
https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015
https://www.openssl.org/news/secadv/20240109.txt
Comment 1 TEJ RATHI 2024-01-10 05:40:44 UTC 
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 2257574]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 2257575]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2257576]


Created openssl3 tracking bugs for this issue:

Affects: epel-all [bug 2257573]
Comment 5 Mauro Matteo Cascella 2024-04-17 09:28:03 UTC 
Created mysql8.0 tracking bugs for this issue:

Affects: fedora-all [bug 2275461]
Comment 7 errata-xmlrpc 2024-04-30 10:52:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2447 https://access.redhat.com/errata/RHSA-2024:2447
Note You need to log in before you can comment on or make changes to this bug.