CVE-2023-1672

Name: CVE-2023-1672
Description: A race condition exists in the Tang server functionality for key generation and key rotation. This flaw results in a small time window where Tang private keys become readable by other processes on the same host.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3648-1
Debian Bugs: 1038119

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| tang (PTS) | buster | 7-1+deb10u1 | vulnerable |
| | buster (security) | 7-1+deb10u2 | fixed |
| | bullseye | 8-3+deb11u2 | fixed |
| | bullseye (security) | 8-3+deb11u1 | vulnerable |
| | bookworm | 11-2+deb12u1 | fixed |
| | sid, trixie | 15-1 | fixed |

The information below is based on the following data on fixed versions.

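| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tang | source | buster | 7-1+deb10u2 | | DLA-3648-1 | |
| tang | source | bullseye | 8-3+deb11u2 | | | |
| tang | source | bookworm | 11-2+deb12u1 | | | |
| tang | source | (unstable) | 14-1 | | | 1038119 |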

Notes

Fixed by: https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
https://census-labs.com/news/2023/06/15/race-tang/
