Bug 1118086 (CVE-2018-16869)

Summary: VUL-0: CVE-2018-16869: libnettle: nettle: Leaky data conversion exposing a manager oracle
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Pedro Monreal Gonzalez <pmonrealgonzalez>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: pmonrealgonzalez, security-team, smash_bz, vcizek
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/220022/
Whiteboard: CVSSv3:SUSE:CVE-2018-16869:5.3:(AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1118087    
Attachments: Patch for SLE-15

Description Marcus Meissner 2018-12-03 07:18:55 UTC
rh#1654930

Nettle is vulnerable to leaky data conversion exposing a manager oracle.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1654930
Comment 1 Marcus Meissner 2018-12-03 07:23:51 UTC
See bug 1117951 for the problem.
Comment 2 Vítězslav Čížek 2018-12-03 15:40:05 UTC
Yesterday's release of libnettle fixes the issue:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2018/007363.html
Comment 4 Pedro Monreal Gonzalez 2018-12-04 15:01:37 UTC
Submitted to Factory:
https://build.opensuse.org/request/show/653877
Comment 5 Pedro Monreal Gonzalez 2018-12-14 15:03:08 UTC
Created attachment 792748
Patch for SLE-15

Patch that contains the relevant commits from:
https://git.lysator.liu.se/nettle/nettle/tree/release-3.4-fixes

List of commits:
c2fa92f5 b2654704 0266a5e3 98e309be 9cbfde38 4c5a4472 f554a317 9d4c4836 36d4b664 
91da0846 bfda54ee c9a77562 245319f2 760dc943 01fa621a 8d38b6af 3f76113c af951c2d a287f1a9 eb4c86c4 f2bbbc28 dbaf6abb f9e3227f e6a16d16 898ce4be 07a31f84 6487ef7e 77bc04f8 128832dc 3170f3b4 1fe332ad
Comment 7 Swamp Workflow Management 2018-12-19 17:13:41 UTC
SUSE-SU-2018:4193-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1118086
CVE References: CVE-2018-16869
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libnettle-3.4-4.3.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libnettle-3.4-4.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libnettle-3.4-4.3.1
Comment 8 Swamp Workflow Management 2018-12-22 23:13:10 UTC
openSUSE-SU-2018:4260-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1118086
CVE References: CVE-2018-16869
Sources used:
openSUSE Leap 15.0 (src):    libnettle-3.4-lp150.3.3.1
Comment 9 Swamp Workflow Management 2019-02-03 09:50:49 UTC
This is an autogenerated message for OBS integration:
This bug (1118086) was mentioned in
https://build.opensuse.org/request/show/670843 15.1 / libnettle
Comment 13 Marcus Meissner 2020-07-02 13:31:29 UTC
Due to the difficult nature of fixing the older SLE12 nettle, and its uncommon usage in SLE12, we are currently not planning to fix this for SLE12 and older.