Description: The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public certificates by leveraging a Bleichenbacher signature forgery attack.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 837042

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release                   Version     Status
libtomcrypt (PTS)    stretch                   1.17-9      fixed
                     bookworm, sid, bullseye   1.18.2-5    fixed

The information below is based on the following data on fixed versions.

Package    Type    Release    Fixed Version    Urgency    Origin    Debian Bugs


[jessie] - libtomcrypt <no-dsa> (Minor issue)
libtomcrypt ship the corresponding patch in
The CVE was originally assigned to OP-TEE, but the underlying issue seems to be in
libtomcrypt, so that source package is kept associated as well for now.

