
Bug#843268: jessie-pu: package nettle/2.7.1-5+deb8u2



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal
X-Debbugs-Cc: ametzler@bebt.de, carnil@debian.org

Hello Stable Release Managers,

Here is a debdiff for a proposed upload to address CVE-2016-6489 ("RSA code is 
vulnerable to cache sharing related attacks") in jessie, which the Security 
Team thinks should be done but which doesn't warrant a DSA.

I added a Breaks: libgnutls-deb0-28 (<< 3.3.8-6+deb8u4) to libhogweed2 to 
ensure that libgnutls is upgraded first in order to prevent crashes that could 
in theory occur if nettle_rsa_private_key_prepare() isn't called to check that 
the private key is valid (see https://bugs.debian.org/840191). The latest 
Nettle library includes extra safety checks to work with incorrect callers but 
those can't be backported so easily.

-- 
Magnus Holmgren        holmgren@debian.org
Debian Developer 
diff -Nru nettle-2.7.1/debian/changelog nettle-2.7.1/debian/changelog
--- nettle-2.7.1/debian/changelog	2016-02-07 19:52:57.000000000 +0100
+++ nettle-2.7.1/debian/changelog	2016-11-05 17:37:13.000000000 +0100
@@ -1,8 +1,17 @@
+nettle (2.7.1-5+deb8u2) stable; urgency=medium
+
+  * [SECURITY] cve-2016-6489.patch: Protect against potential side-channel
+    attacks against exponentiation operations as described in
+    CVE-2016-6489 "RSA code is vulnerable to cache sharing related
+    attacks" (Closes: #832983).
+
+ -- Magnus Holmgren <holmgren@debian.org>  Sat, 05 Nov 2016 17:37:13 +0100
+
 nettle (2.7.1-5+deb8u1) stable; urgency=low
 
   * Fix CVE-2015-8803, CVE-2015-8804, and CVE-2015-8805 (Closes: #813679).
 
- -- Magnus Holmgren <holmgren@debian.org>  Sat, 06 Feb 2016 20:01:37 +0100
+ -- Magnus Holmgren <holmgren@debian.org>  Tue, 09 Feb 2016 20:57:42 +0100
 
 nettle (2.7.1-5) unstable; urgency=medium
 
diff -Nru nettle-2.7.1/debian/control nettle-2.7.1/debian/control
--- nettle-2.7.1/debian/control	2015-01-11 20:27:22.000000000 +0100
+++ nettle-2.7.1/debian/control	2016-11-05 17:36:28.000000000 +0100
@@ -36,6 +36,7 @@
 Multi-Arch: same
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Breaks: libgnutls-deb0-28 (<< 3.3.8-6+deb8u4)
 Description: low level cryptographic library (public-key cryptos)
  Nettle is a cryptographic library that is designed to fit easily in more or
  less any context: In crypto toolkits for object-oriented languages (C++,
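Review bot: the Breaks is a versioned relation on a reverse dependency, which is unusual, so confirm that 3.3.8-6+deb8u4 is exactly the libgnutls-deb0-28 version that starts calling nettle_rsa_private_key_prepare() (as #840191 describes) and that it is available in jessie at the same time as this upload; otherwise libhogweed2 becomes uninstallable until that GnuTLS version is published. Also double-check that the hunk context (`Description: low level cryptographic library (public-key cryptos)`) is indeed the libhogweed2 stanza and not libnettle4, since only the public-key library needs the relation.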
diff -Nru nettle-2.7.1/debian/patches/cve-2016-6489.patch nettle-2.7.1/debian/patches/cve-2016-6489.patch
--- nettle-2.7.1/debian/patches/cve-2016-6489.patch	1970-01-01 01:00:00.000000000 +0100
+++ nettle-2.7.1/debian/patches/cve-2016-6489.patch	2016-08-04 20:05:32.000000000 +0200
@@ -0,0 +1,87 @@
+Description: Protect against side-channel attacks against exponentiation operations 
+ See https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html
+Bug-Debian: https://bugs.debian.org/832983
+
+--- a/dsa-sign.c
++++ b/dsa-sign.c
+@@ -47,6 +47,11 @@ _dsa_sign(const struct dsa_public_key *p
+   mpz_t h;
+   mpz_t tmp;
+ 
++  /* Check that p is odd, so that invalid keys don't result in a crash
++     inside mpz_powm_sec. */
++  if (mpz_even_p (pub->p))
++    return 0;
++
+   /* Require precise match of bitsize of q and hash size. The general
+      description of DSA in FIPS186-3 allows both larger and smaller q;
+      in the the latter case, the hash must be truncated to the right
+@@ -63,7 +68,7 @@ _dsa_sign(const struct dsa_public_key *p
+   mpz_add_ui(k, k, 1);
+ 
+   /* Compute r = (g^k (mod p)) (mod q) */
+-  mpz_powm(tmp, pub->g, k, pub->p);
++  mpz_powm_sec(tmp, pub->g, k, pub->p);
+   mpz_fdiv_r(signature->r, tmp, pub->q);
+ 
+   /* Compute hash */
+--- a/rsa-blind.c
++++ b/rsa-blind.c
+@@ -53,7 +53,7 @@ _rsa_blind (const struct rsa_public_key
+   while (!mpz_invert (ri, r, pub->n));
+ 
+   /* c = c*(r^e) mod n */
+-  mpz_powm(r, r, pub->e, pub->n);
++  mpz_powm_sec(r, r, pub->e, pub->n);
+   mpz_mul(c, c, r);
+   mpz_fdiv_r(c, c, pub->n);
+ 
+--- a/rsa-sign.c
++++ b/rsa-sign.c
+@@ -88,11 +88,11 @@ rsa_compute_root(const struct rsa_privat
+ 
+   /* Compute xq = m^d % q = (m%q)^b % q */
+   mpz_fdiv_r(xq, m, key->q);
+-  mpz_powm(xq, xq, key->b, key->q);
++  mpz_powm_sec(xq, xq, key->b, key->q);
+ 
+   /* Compute xp = m^d % p = (m%p)^a % p */
+   mpz_fdiv_r(xp, m, key->p);
+-  mpz_powm(xp, xp, key->a, key->p);
++  mpz_powm_sec(xp, xp, key->a, key->p);
+ 
+   /* Set xp' = (xp - xq) c % p. */
+   mpz_sub(xp, xp, xq);
+--- a/rsa.c
++++ b/rsa.c
+@@ -56,7 +56,13 @@ unsigned
+ _rsa_check_size(mpz_t n)
+ {
+   /* Round upwards */
+-  unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;
++  unsigned size;
++
++  /* Even moduli are invalid, and not supported by mpz_powm_sec. */
++  if (mpz_even_p (n))
++    return 0;
++
++  size = (mpz_sizeinbase(n, 2) + 7) / 8;
+ 
+   if (size < RSA_MINIMUM_N_OCTETS)
+     return 0;
+--- a/testsuite/rsa-test.c
++++ b/testsuite/rsa-test.c
+@@ -57,6 +57,13 @@ test_main(void)
+ 
+   test_rsa_sha512(&pub, &key, expected);
+ 
++  /* Test detection of invalid keys with even modulo */
++  mpz_clrbit (pub.n, 0);
++  ASSERT (!rsa_public_key_prepare (&pub));
++
++  mpz_clrbit (key.p, 0);
++  ASSERT (!rsa_private_key_prepare (&key));
++
+   /* 777-bit key, generated by
+    *
+    *   lsh-keygen -a rsa -l 777 -f advanced-hex
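Review bot: the nested rsa.c change only rejects an even n in `_rsa_check_size(mpz_t n)`, yet the new rsa-test.c assertion `ASSERT (!rsa_private_key_prepare (&key));` after `mpz_clrbit (key.p, 0);` expects the private-key path to reject an even p, and p and q are the moduli handed to `mpz_powm_sec` in `rsa_compute_root`; confirm that `rsa_private_key_prepare` in 2.7.1 routes p and q through `_rsa_check_size`, otherwise the new test fails or an even p still reaches `mpz_powm_sec`. Smaller points: the `mpz_even_p (pub->p)` guard added to `_dsa_sign` has no matching testsuite case, unlike the RSA one; the patch header has trailing whitespace on the `Description:` line and could carry a DEP-3 `Origin:` field pointing at the upstream change the nettle-bugs thread discusses; and the `in the the latter case` typo in the dsa-sign.c context is pre-existing and rightly left untouched here.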
diff -Nru nettle-2.7.1/debian/patches/series nettle-2.7.1/debian/patches/series
--- nettle-2.7.1/debian/patches/series	2016-02-06 19:26:59.000000000 +0100
+++ nettle-2.7.1/debian/patches/series	2016-10-30 22:15:09.000000000 +0100
@@ -1,3 +1,4 @@
 fPIC.patch
 cve-2015-8803_8805.patch
 cve-2015-8804.patch
+cve-2016-6489.patch
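As an added illustration of the point the cover letter makes (not code from the patch, from Nettle, or from GMP): the `mpz_powm_sec` that the patch switches to is a Montgomery-style exponentiation with a fixed operation sequence, and Montgomery reduction only exists for an odd modulus, which is why an unchecked even p, q or n must be rejected by a prepare step before the exponentiation runs. The Python below reimplements that arithmetic in miniature, mirrors the CRT private-key operation shown in the rsa-sign.c hunk, and shows the prepare-before-use caller discipline. All function names (`montgomery_powm`, `rsa_private_key_prepare`, `rsa_compute_root`, `sign_checked`) and the toy key (p = 61, q = 53, d = 2753) are constructed for this example.

```python
# Added example (not Nettle's code): why a Montgomery-based, fixed-sequence
# exponentiation such as GMP's mpz_powm_sec needs an odd modulus, and the
# "prepare the key before using it" pattern the cover letter relies on.
# All names and the toy key below are constructed for illustration.


def _mont_params(n: int):
    """R = 2^k > n and n' with n * n' == -1 (mod R). Requires odd n,
    because gcd(n, R) must be 1 for the inverse to exist."""
    k = n.bit_length()
    R = 1 << k
    n_prime = (-pow(n, -1, R)) % R
    return k, R, n_prime


def _redc(T: int, n: int, k: int, R: int, n_prime: int) -> int:
    """Montgomery reduction: returns T * R^-1 mod n for 0 <= T < n * R."""
    m = ((T & (R - 1)) * n_prime) & (R - 1)
    t = (T + m * n) >> k
    return t - n if t >= n else t


def montgomery_powm(base: int, exp: int, n: int) -> int:
    """base^exp mod n via a square-and-always-multiply ladder in Montgomery
    form. An even n is rejected up front: without n' the reduction produces
    garbage, and a C implementation that trusts its precondition can also
    walk off the limb arrays (the crash the cover letter mentions)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("modulus must be positive and odd")
    if exp < 0:
        raise ValueError("exponent must be non-negative")
    k, R, n_prime = _mont_params(n)
    base_bar = (base % n) * R % n          # Montgomery form of base
    acc = R % n                            # Montgomery form of 1
    for i in range(exp.bit_length() - 1, -1, -1):
        acc = _redc(acc * acc, n, k, R, n_prime)
        mult = _redc(acc * base_bar, n, k, R, n_prime)   # always computed
        # Selection is illustrative only: Python itself is not constant-time.
        acc = mult if (exp >> i) & 1 else acc
    return _redc(acc, n, k, R, n_prime)


def rsa_private_key_prepare(p: int, q: int) -> bool:
    """Mirror of the validity check a caller must run before signing:
    both CRT moduli must be odd (and > 1), or the exponentiation below
    has no safe way to proceed."""
    return p > 1 and q > 1 and p % 2 == 1 and q % 2 == 1


def rsa_compute_root(m: int, p: int, q: int, a: int, b: int, c: int) -> int:
    """CRT private-key operation laid out like Nettle's rsa-sign.c:
    a = d mod (p-1), b = d mod (q-1), c = q^-1 mod p."""
    xq = montgomery_powm(m % q, b, q)      # m^d mod q
    xp = montgomery_powm(m % p, a, p)      # m^d mod p
    t = ((xp - xq) * c) % p                # xp' = (xp - xq) * c mod p
    return xq + t * q                      # x = xq + q * xp'


def sign_checked(m: int, p: int, q: int, a: int, b: int, c: int):
    """The caller discipline the Breaks in debian/control enforces for GnuTLS:
    reject the key first, so an even p or q never reaches the exponentiation.
    Returns None for an invalid key instead of crashing."""
    if not rsa_private_key_prepare(p, q):
        return None
    return rsa_compute_root(m, p, q, a, b, c)


if __name__ == "__main__":
    # Constructed toy key: n = 61 * 53 = 3233, e = 17, d = 2753.
    p, q, d = 61, 53, 2753
    a, b, c = d % (p - 1), d % (q - 1), pow(q, -1, p)
    print(sign_checked(2790, p, q, a, b, c))        # 65, same as pow(2790, d, 3233)
    print(sign_checked(2790, p - 1, q, a, b, c))    # None: even p rejected before use
```

The point to take from `sign_checked` is the ordering: the validity check lives in a separate prepare step, so a caller that skips it (the old GnuTLS the Breaks targets) hands an unchecked modulus straight to the Montgomery routine, which is exactly the situation the added `mpz_even_p` guards in the patch defend against.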
