Bugzilla – Bug 1209030
VUL-0: CVE-2023-24532: go1.19,go1.20: crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results
Last modified: 2024-05-06 08:23:10 UTC
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh. Thanks to Guido Vranken for reporting this issue via the Ethereum Foundation bug bounty program. This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.
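
A caller-side mitigation and regression check for the behaviour described above, as an added example that is not taken from the bug report or from the Go project: reduce the scalar modulo the curve order before calling the P-256 methods, and confirm that the raw calls agree with the reduced ones. The helper names are hypothetical and the sample scalars are constructed (N plus a small offset); they are not the scalars from the upstream report.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// reduceScalar maps an arbitrary big-endian scalar into [0, N-1] and returns
// it as a fixed-width 32-byte slice, so P-256 never sees an unreduced value.
func reduceScalar(k []byte) []byte {
	n := elliptic.P256().Params().N
	s := new(big.Int).SetBytes(k)
	return s.Mod(s, n).FillBytes(make([]byte, 32))
}

// safeScalarBaseMult (hypothetical wrapper) reduces first, then multiplies.
func safeScalarBaseMult(k []byte) (x, y *big.Int) {
	return elliptic.P256().ScalarBaseMult(reduceScalar(k))
}

// agreesWithReduced reports whether the raw ScalarBaseMult and ScalarMult
// return the same point for k as for k mod N; a correct implementation must.
func agreesWithReduced(k []byte) bool {
	c := elliptic.P256()
	wx, wy := safeScalarBaseMult(k)
	bx, by := c.ScalarBaseMult(k)
	mx, my := c.ScalarMult(c.Params().Gx, c.Params().Gy, k)
	return bx.Cmp(wx) == 0 && by.Cmp(wy) == 0 && mx.Cmp(wx) == 0 && my.Cmp(wy) == 0
}

// constructedUnreduced returns N + d as 32 bytes: a constructed sample input
// that is larger than the curve order but still fits the scalar width.
func constructedUnreduced(d int64) []byte {
	k := new(big.Int).Add(elliptic.P256().Params().N, big.NewInt(d))
	return k.FillBytes(make([]byte, 32))
}

func main() {
	for _, d := range []int64{1, 2, 0xffff} {
		k := constructedUnreduced(d)
		fmt.Printf("N+%d consistent: %v\n", d, agreesWithReduced(k))
	}
}
```

A passing check on these constructed inputs does not prove a toolchain is unaffected, since the report concerns only some specific scalars; the reduction wrapper is the part that removes the exposure.
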
This is an autogenerated message for OBS integration:
This bug (1209030) was mentioned in
https://build.opensuse.org/request/show/1070082 Factory / go1.19
https://build.opensuse.org/request/show/1070083 Factory / go1.20
We also have go1.19 and go1.20 in SUSE:SLE-15:Update, will track them as affected
SUSE-SU-2023:0735-1: An update that solves five vulnerabilities, contains one feature and has one fix can now be installed.
Category: security (important)
Bug References: 1206346, 1208269, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Jira References: PED-1962
Sources used:
  openSUSE Leap 15.4 (src): go1.20-1.20.2-150000.1.5.1
  Development Tools Module 15-SP4 (src): go1.20-1.20.2-150000.1.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0733-1: An update that solves five vulnerabilities and has one fix can now be installed.
Category: security (important)
Bug References: 1200441, 1208269, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Sources used:
  openSUSE Leap 15.4 (src): go1.19-1.19.7-150000.1.23.1
  Development Tools Module 15-SP4 (src): go1.19-1.19.7-150000.1.23.1
  SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
  SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
  SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
  SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): go1.19-1.19.7-150000.1.23.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): go1.19-1.19.7-150000.1.23.1
  SUSE Enterprise Storage 7.1 (src): go1.19-1.19.7-150000.1.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0871-1: An update that solves five vulnerabilities and has one fix can now be installed.
Category: security (important)
Bug References: 1200441, 1206134, 1208270, 1208271, 1208272, 1209030
CVE References: CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532
Sources used:
  Containers Module 15-SP4 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Enterprise Storage 7.1 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE Enterprise Storage 7 (src): container-suseconnect-2.4.0-150000.4.24.1
  SUSE CaaS Platform 4.0 (src): container-suseconnect-2.4.0-150000.4.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing