CVE-2024-50383

Name
CVE-2024-50383
Description
Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
https://github.com/randombit/botan/compare/3.5.0...3.6.0
https://arxiv.org/pdf/2410.13489
https://news.ycombinator.com/item?id=41887153

Match rules

CPE URI Source package Min version Max version
n/a == n/a == n/a
cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:* botan >= 0 < 3.6.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
botan edge-main 2.19.5-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
botan 3.20-main 2.19.5-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
botan 3.19-main 2.19.5-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
botan 3.18-main 2.19.5-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable
botan 3.17-main 2.19.5-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable