Net::Dropbear versions through 0.16 for Perl contains a dependency that may be susceptible to an integer overflow. Net::Dropbear embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.

• https://github.com/advisories/GHSA-j3xv-6967-cv88
• https://github.com/libtom/libtommath/pull/546
• https://metacpan.org/release/ATRODO/Net-Dropbear-0.16/source/dropbear/libtommath/bn_mp_grow.c
• https://www.cve.org/CVERecord?id=CVE-2023-36328

scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685.

• https://metacpan.org/release/ATRODO/Net-Dropbear-0.15/changes
• https://github.com/mkj/dropbear/commit/8f8a3dff705fad774a10864a2e3dbcfa9779ceff

In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.

• https://github.com/libtom/libtomcrypt/pull/508
• https://github.com/libtom/libtomcrypt/issues/507
• https://vuldb.com/?id.142995
• https://lists.debian.org/debian-lts-announce/2019/10/msg00010.html
• http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00020.html
• http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00041.html