Hi Everyone,

We took a documentation bug, and it led to CVE-2010-4179. The Crypto++ documentation bug is documented at https://github.com/weidai11/cryptopp/issues/277. The OSS announcement has not posted yet.
The short of it is, the Crypto++ library uses GNU Make, and the makefile defines -DNDEBUG by default for release builds. Asserts, which are debugging and diagnostic aids (http://pubs.opengroup.org/onlinepubs/009695399/basedefs/assert.h.html), are removed from the library. Everything works as expected.

The pointy end of the stick is, Autotools, CMake, Xcode, Eclipse, etc {usually|often} don't define -DNDEBUG by default and asserts could trigger. The assert calls SIGABRT, the core file holds sensitive information, and then the sensitive information is egressed to Apple CrashReporter, Ubuntu Apport, Windows Error Reporting, etc.

To use Crypto++ 5.6.4 and below safely in production/release, the library must be built with -DNDEBUG. If a program includes Crypto++ headers, then the program must be built with -DNDEBUG.

Crypto++ 5.6.5 will remediate this by enabling asserts when -DDEBUG is defined. If a user or distro omits -DNDEBUG, then the asserts will be off because -DDEBUG is not defined.

Jeff

---------- Forwarded message ----------
From: Jeffrey Walton <[email protected]>
Date: Thu, Sep 15, 2016 at 4:51 PM
Subject: Does a documentation bug elevate to CVE status?
To: [email protected]

Hi Everyone,

Please forgive my ignorance and hair splitting. We were talking with the Debian Security Team and FW alerted us to a gap in our documentation. The gap is simple: we handle sensitive information and did not tell users that they must define -DNDEBUG when using alternate build systems, like Autotools or CMake. The project's supported build system, [GNU] Make, adds the define.

The higher level concern is assert is a debugging and diagnostic aid that eventually raises a SIGABRT. We use them for debugging and diagnostics for development. During production, the assert is expected to be removed with NDEBUG and a C++ throw() follows. If the assert is _not_ removed, then machinery could engage that egresses the sensitive information to the file system (core files and the like).
On some platforms, like Ubuntu with Apport, Apple with CrashReporter, and Windows with Windows Error Reporting, the sensitive information is egressed to a third party (multiple; the platform provider and the developer). We know entities like Apple, Google, Microsoft and app developers receive the information; see for example, the comment at https://github.com/weidai11/cryptopp/pull/172#issuecomment-218705068.

So my question is, does a documentation bug elevate to CVE status?

Thanks in advance,

Jeff
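As an added illustration of the remediation described in the message (example code, not Crypto++'s own), the following C++ shows an assertion macro that is live only when DEBUG is defined, alongside the standard assert() that is live unless NDEBUG is defined; the macro name SAFE_ASSERT and the function names are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <stdexcept>
#include <string>

// Constructed example, not Crypto++ code. SAFE_ASSERT follows the 5.6.5 idea:
// the assertion is live only when DEBUG is defined, so a build that merely omits
// -DNDEBUG (Autotools, CMake, Xcode, ...) gets neither an abort nor a core file.
#if defined(DEBUG)
#  define SAFE_ASSERT(expr)                                            \
     do { if (!(expr)) {                                               \
         std::fprintf(stderr, "Assertion failed: %s\n", #expr);         \
         std::abort(); /* raises SIGABRT; a core file may be written */ \
     } } while (0)
#else
#  define SAFE_ASSERT(expr) do { (void)sizeof(expr); } while (0)
#endif
// True when <cassert>'s assert() is live, i.e. NDEBUG is not defined. GNU Make's
// default -DNDEBUG makes this false; other build systems often leave it true.
bool StandardAssertIsLive() {
#if defined(NDEBUG)
    return false;
#else
    return true;
#endif
}
// What a failed SAFE_ASSERT does in this build: "abort" only under -DDEBUG.
const char* SafeAssertFailureBehaviour() {
#if defined(DEBUG)
    return "abort";
#else
    return "noop";
#endif
}
// Caller-facing contracts are enforced with a throw, which no build flag removes.
void CheckKeyLength(std::size_t length, std::size_t expected) {
    if (length != expected)
        throw std::invalid_argument("bad key length " + std::to_string(length));
}
// A deliberately false SAFE_ASSERT, then a constructed bad input (15-byte key for a
// 16-byte cipher): true if the process survives the assert and the bad input is
// rejected by an exception rather than by SIGABRT.
bool RejectsBadKeyWithoutAbort() {
    SAFE_ASSERT(1 + 1 == 3);
    try { CheckKeyLength(15, 16); return false; }
    catch (const std::invalid_argument&) { return true; }
}
```

Compile once with no flags and once with -DDEBUG to see the two behaviours; with -DNDEBUG only the standard assert() changes, SAFE_ASSERT stays a no-op.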
