AVG-18 log
| Package | crypto++ |
| Status | Fixed |
| Severity | Medium |
| Type | information disclosure |
| Affected | 5.6.4-2 |
| Fixed | 5.6.5-1 |
| Current | 8.9.0-2 [extra] |
| Ticket | FS#51331 |
| Created | Mon Sep 19 17:33:25 2016 |

| Issue | Severity | Remote | Type | Description |
|---|---|---|---|---|
| CVE-2016-7420 | Medium | No | Information disclosure | Crypto++ (aka cryptopp) through 5.6.4 does not document the requirement for a compile-time NDEBUG definition disabling the many assert calls that are... |

| Date | Advisory | Package | Type |
|---|---|---|---|
| 12 Oct 2016 | ASA-201610-8 | crypto++ | information disclosure |

| References |
|---|
| https://github.com/weidai11/cryptopp/issues/277 |
| http://www.openwall.com/lists/oss-security/2016/09/15/12 |

| Notes |
|---|
| 5.6.4-2: Apparently we weren't vulnerable in the first place, but this commit made us vulnerable two days after the disclosure: https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/crypto%2b%2b&id=fc4dd81f39589eeb5bdb927587c0fbd2b41d47df |
| 5.6.5-1: Fixed in 5.6.5 because they replaced assert() with CRYPTOPP_ASSERT(), which is not enabled by default even if -DNDEBUG is not set. |