CVE-2021-43398

NameCVE-2021-43398
DescriptionCrypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs1000227

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcrypto++ (PTS)stretch5.6.4-7vulnerable
buster5.6.4-8vulnerable
bullseye8.4.0-1vulnerable
bookworm, sid8.6.0-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcrypto++source(unstable)(unfixed)1000227

Notes

[bullseye] - libcrypto++ <no-dsa> (Minor issue)
[buster] - libcrypto++ <no-dsa> (Minor issue)
[stretch] - libcrypto++ <no-dsa> (Minor issue)
https://github.com/weidai11/cryptopp/issues/1080

Search for package or bug name: Reporting problems