AVG-18

Package crypto++
Status Fixed
Severity Medium
Type information disclosure
Affected 5.6.4-2
Fixed 5.6.5-1
Current 6.0.0-2 [community]
Ticket FS#51331
Created Mon Sep 19 17:33:25 2016
Issue Severity Remote Type Description
CVE-2016-7420 Medium No Information disclosure
Crypto++ (aka cryptopp) through 5.6.4 does not document the requirement for a compile-time NDEBUG definition disabling the many assert calls that are...
Date Advisory Package Description
12 Oct 2016 ASA-201610-8 crypto++ information disclosure
References
https://github.com/weidai11/cryptopp/issues/277
http://www.openwall.com/lists/oss-security/2016/09/15/12
Notes
5.6.4-2: Apparently we weren't vulnerable in the first place, but this commit made us vulnerable two days after the disclosure: https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/crypto%2b%2b&id=fc4dd81f39589eeb5bdb927587c0fbd2b41d47df

5.6.5-1: Fixed in 5.6.5 because they replaced assert() with CRYPTOPP_ASSERT(), which is not enabled by default even if -DNDEBUG is not set.