Package: libcrypto++8
Version: 5.6.0-2
Severity: important

The version of libcrypto++ 5.6.0 shipped by Debian includes a bug in the 32-bit x86 assembly code for sha256. Address checks (current pointer vs end-of-message pointer as we process the input block by block) are done with signed-arithmetic tests, so address 0x80000000 is "less than" address 0x7fffffff. This causes incorrect termination of the loop over the blocks of the message if address 0x80000000 is part of the message (as can happen on large-memory systems if your process uses a lot of memory, and especially if you're hashing 2G messages as in a test program of mine), and results in incorrect hash values. This has already been reported and fixed, but not released, upstream.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (1001, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-permabit1-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libcrypto++8 depends on:
ii  libc6        2.7-18lenny2  GNU C Library: Shared libraries
ii  libgcc1      1:4.3.2-1.1   GCC support library
ii  libstdc++6   4.3.2-1.1     The GNU Standard C++ Library v3

libcrypto++8 recommends no packages.

libcrypto++8 suggests no packages.

-- no debconf information
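
The signed-versus-unsigned address comparison described in the report, as an added C illustration (not code from Crypto++ or from the reporter). Addresses are modelled as 32-bit integers; the loop shape, the function names and the sample addresses are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCK 64u /* SHA-256 input block size in bytes */

/* Result of a signed 32-bit "a < b" on two addresses: flipping the top bit
 * maps signed order onto unsigned order, so no implementation-defined cast. */
static int signed_less(uint32_t a, uint32_t b)
{
    return (a ^ 0x80000000u) < (b ^ 0x80000000u);
}

/* Count the blocks a "while (cur < end)" loop visits for a message of len
 * bytes at address start (len is a multiple of BLOCK; no wrap past 2^32).
 * The loop shape is an assumption, not the Crypto++ assembly. */
static uint32_t blocks_visited(uint32_t start, uint32_t len, int use_signed)
{
    uint32_t cur = start, end = start + len, n = 0;
    while (use_signed ? signed_less(cur, end) : cur < end) {
        cur += BLOCK;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample addresses: below, straddling and above 0x80000000. */
    const uint32_t starts[] = { 0x10000000u, 0x7fffff00u, 0x90000000u };
    const uint32_t len = 8 * BLOCK;

    for (size_t i = 0; i < sizeof starts / sizeof starts[0]; i++)
        printf("start=0x%08x signed=%u unsigned=%u\n", (unsigned)starts[i],
               (unsigned)blocks_visited(starts[i], len, 1),
               (unsigned)blocks_visited(starts[i], len, 0));
    return 0;
}
```

Only the buffer that crosses 0x80000000 loses blocks under the signed test; the unsigned comparison visits all eight blocks in every case.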