CVE-2016-6129

The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public certificates by leveraging a Bleichenbacher signature forgery attack.
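The length check the description refers to, as an added example (not LibTomCrypt or OP-TEE code). It assumes the PKCS#1 v1.5 padding has already been stripped; the function names and the sample buffer are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Span (header+content) of the outer DER SEQUENCE; -1 if malformed/truncated. */
static int der_sequence_span(const unsigned char *in, size_t inlen, size_t *span)
{
    size_t hdr = 2, content = 0, i, n;
    if (inlen < 2 || in[0] != 0x30) return -1;
    if (in[1] < 0x80) {
        content = in[1];                      /* short-form length */
    } else {
        n = in[1] & 0x7F;                     /* count of length octets */
        if (n == 0 || n > 3 || inlen < 2 + n) return -1;
        for (i = 0; i < n; i++) content = (content << 8) | in[2 + i];
        hdr += n;
    }
    if (content > inlen - hdr) return -1;     /* SEQUENCE runs past the buffer */
    *span = hdr + content;
    return 0;
}

/* require_exact == 0 models the missing check: any well-formed leading
   SEQUENCE passes. require_exact == 1 also demands span == inlen. */
int digestinfo_ok(const unsigned char *in, size_t inlen, int require_exact)
{
    size_t span;
    if (der_sequence_span(in, inlen, &span) != 0) return 0;
    return !require_exact || span == inlen;
}

/* Constructed sample: SHA-256 DigestInfo header, placeholder digest, extra bytes. */
size_t build_sample(unsigned char *out, size_t trailing)
{
    static const unsigned char prefix[19] = {
        0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
        0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 };
    memcpy(out, prefix, sizeof prefix);
    memset(out + 19, 0xAB, 32);               /* placeholder 32-byte digest */
    memset(out + 51, 0xFF, trailing);         /* bytes after the encoded data */
    return 51 + trailing;
}

int main(void)
{
    unsigned char buf[64];
    size_t n = build_sample(buf, 8);
    printf("lenient=%d strict=%d\n", digestinfo_ok(buf, n, 0), digestinfo_ok(buf, n, 1));
    return 0;
}
```

A verifier that compares only the leading DigestInfo accepts both buffers; requiring the encoded length to equal the message length rejects the one with extra bytes.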
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitre | CNA | --- | ---
CVE | ADP | --- | ---
EPSS Score Percentile: 36%
Vendor | Product | Version
op-tee | op-tee_os | 𝑥 ≤ 2.1.0
libtom | libtomcrypt | 𝑥 ≤ 1.17
𝑥 = Vulnerable software versions
Debian Releases
Debian Product: libtomcrypt
Codename | Version | Status
bullseye | 1.18.2-5 | fixed
jessie | | no-dsa
bookworm | 1.18.2-6 | fixed
sid | 1.18.2+dfsg-7 | fixed
trixie | 1.18.2+dfsg-7 | fixed
Ubuntu Releases
Ubuntu Product: libtomcrypt
Codename | Version | Status
bionic | | not-affected
artful | | ignored
zesty | | ignored
yakkety | | ignored
xenial | Fixed 1.17-7ubuntu0.1 | released
trusty | Fixed 1.17-5ubuntu0.1 | released
precise | Fixed 1.17-3.2+deb7u1ubuntu0.1 | released