DEBIAN-CVE-2019-11873

Source
https://security-tracker.debian.org/tracker/CVE-2019-11873
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-11873.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2019-11873
Upstream
Published
2019-05-23T13:29:07Z
Modified
2025-09-19T06:06:49Z
Summary
[none]
Details

wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, total extensions length, PSK extension length, total identity length, and identity length contain their maximum value which is 2^16. The identity data field of the PSK extension of the packet contains the attack data, to be stored in the undefined memory (RAM) of the server. The size of the data is about 65 kB. Possibly the attacker can perform a remote code execution attack.

References

Affected packages

Debian:11 / wolfssl

Package

Name
wolfssl
Purl
pkg:deb/debian/wolfssl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / wolfssl

Package

Name
wolfssl
Purl
pkg:deb/debian/wolfssl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / wolfssl

Package

Name
wolfssl
Purl
pkg:deb/debian/wolfssl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / wolfssl

Package

Name
wolfssl
Purl
pkg:deb/debian/wolfssl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.0+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}