CVE-2017-2801 in Ubuntu

CVE-2017-2801

Priority

Description

A programming error exists in a way Randombit Botan cryptographic library
version 2.0.1 implements x500 string comparisons which could lead to
certificate verification issues and abuse. A specially crafted X509
certificate would need to be delivered to the client or server application
in order to trigger this vulnerability.

Ubuntu-Description

It was discovered that Botan did not properly manage x509 DN strings
comparisons when provided with a specially crafted X509 certificate. An
attacker could possibly use this issue to cause out of bound reads,
resulting in information leakage, denial of service, or potentially
incorrect certificate validation results.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2801
https://github.com/randombit/botan/commit/c927101675e5f63fc0bdd93c5a4825adc54323b4 (1.10.16)

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860072

Notes

Package

Source: botan1.10 (LP Ubuntu Debian)

Upstream:	released (1.10.16-1)
Ubuntu 18.04 LTS:	not-affected (1.10.16-1)
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

More Information

Updated: 2022-04-25 00:20:41 UTC (commit ecc1009cb19540b950de59270950018900f37f15)