Package: libcrypto++8
Version: 5.6.0-2
Severity: important

The version of libcrypto++ 5.6.0 shipped by Debian includes a bug in
the 32-bit x86 assembly code for sha256.  Address checks (current
pointer vs end-of-message pointer as we process the input block by
block) are done with signed-arithmetic tests, so address 0x80000000 is
"less than" address 0x7fffffff.  This causes incorrect termination of
the loop over the blocks of the message if address 0x80000000 is part
of the message (as can happen on large-memory systems if your process
uses a lot of memory, and especially if you're hashing 2G messages as
in a test program of mine), and results in incorrect hash values.

This has already been reported and fixed, but not released, upstream.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (1001, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-permabit1-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libcrypto++8 depends on:
ii  libc6                       2.7-18lenny2 GNU C Library: Shared libraries
ii  libgcc1                     1:4.3.2-1.1  GCC support library
ii  libstdc++6                  4.3.2-1.1    The GNU Standard C++ Library v3

libcrypto++8 recommends no packages.

libcrypto++8 suggests no packages.

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to