CVE-2016-9939

Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its ASN.1 BER decoding routine. The library will allocate a memory block based on the length field of the ASN.1 object. If there is not enough content octets in the ASN.1 object, then the function will fail and the memory block will be zeroed even if its unused. There is a noticeable delay during the wipe for a large allocation.

References

Affected packages

Debian:11 / libcrypto++

Package

Name: libcrypto++
Purl: pkg:deb/debian/libcrypto%2B%2B?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.4-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libcrypto++

Package

Name: libcrypto++
Purl: pkg:deb/debian/libcrypto%2B%2B?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.4-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libcrypto++

Package

Name: libcrypto++
Purl: pkg:deb/debian/libcrypto%2B%2B?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.4-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/weidai11/cryptopp

Affected ranges

Type: GIT
Repo: https://github.com/weidai11/cryptopp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

4132d85888ac6c30729f58bb442a4a26a5b16cfe

Affected versions

Other

CRYPTOPP_5_0

CRYPTOPP_5_1

CRYPTOPP_5_2

CRYPTOPP_5_2_1

CRYPTOPP_5_2_3

CRYPTOPP_5_3_0

CRYPTOPP_5_4

CRYPTOPP_5_5

CRYPTOPP_5_5_1

CRYPTOPP_5_5_2

CRYPTOPP_5_6_0

CRYPTOPP_5_6_1

CRYPTOPP_5_6_2

CRYPTOPP_5_6_3

CRYPTOPP_5_6_4