PublicDateAtUSN: 2018-06-04
Candidate: CVE-2016-1000342
PublicDate: 2018-06-04 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342
 https://ubuntu.com/security/notices/USN-3727-1
Description:
 In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not
 fully validate ASN.1 encoding of signature on verification. It is possible
 to inject extra elements in the sequence making up the signature and still
 have it validate, which in some cases may allow the introduction of
 'invisible' data into a signed structure.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_bouncycastle:
 upstream: https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647
upstream_bouncycastle: released (1.56-1)
precise/esm_bouncycastle: DNE
trusty_bouncycastle: released (1.49+dfsg-2ubuntu0.1)
trusty/esm_bouncycastle: DNE (trusty was released [1.49+dfsg-2ubuntu0.1])
xenial_bouncycastle: ignored (end of standard support, was needed)
artful_bouncycastle: not-affected (1.57-1)
bionic_bouncycastle: not-affected (1.59-1)
cosmic_bouncycastle: not-affected (1.60-1)
disco_bouncycastle: not-affected (1.60-1)
eoan_bouncycastle: not-affected (1.60-1)
focal_bouncycastle: not-affected (1.60-1)
groovy_bouncycastle: not-affected (1.60-1)
hirsute_bouncycastle: not-affected (1.60-1)
impish_bouncycastle: not-affected (1.60-1)
jammy_bouncycastle: not-affected (1.60-1)
devel_bouncycastle: not-affected (1.60-1)