CVE-2016-7420
Publication date 16 September 2016
Last updated 25 August 2025
Ubuntu priority
CVSS 3 Severity Score
Description
Crypto++ (aka cryptopp) through 5.6.4 does not document the requirement for a compile-time NDEBUG definition disabling the many assert calls that are unintended in production use, which might allow context-dependent attackers to obtain sensitive information by leveraging access to process memory after an assertion failure, as demonstrated by reading a core dump.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libcrypto++ | 18.04 LTS bionic | Ignored compiled with -NDEBUG |
| libcrypto++ | 16.04 LTS xenial | Ignored compiled with -NDEBUG |
| libcrypto++ | 14.04 LTS trusty | Ignored compiled with -NDEBUG |
Notes
ratliff
precise, trusty, xenial, yakkety all build using -NDEBUG
msalvatore
I'm retiring this CVE and marking each release as "ignored". I've confirmed ratliff's above comment. In addition, the fix for this CVE is simply an update to the documentation.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |