[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#814269: marked as done (jessie-pu: package nettle/2.7.1-5)

Your message dated Sat, 02 Apr 2016 14:20:04 +0100
with message-id <1459603204.2441.216.camel@adam-barratt.org.uk>
and subject line Fix included in stable
has caused the Debian Bug report #814269,
regarding jessie-pu: package nettle/2.7.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
814269: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814269
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

OK to upload fix for https://bugs.debian.org/813679 (CVE-2015-8803 CVE-2015-8804 CVE-2015-8805), as
suggested by (a member of) the security team? (Security-related bugs but unlikely to be exploitable.)

-- 
Magnus Holmgren
Debian Developer

diff -Nru nettle-2.7.1/debian/changelog nettle-2.7.1/debian/changelog
--- nettle-2.7.1/debian/changelog       2015-01-11 20:27:22.000000000 +0100
+++ nettle-2.7.1/debian/changelog       2016-02-07 19:52:57.000000000 +0100
@@ -1,3 +1,9 @@
+nettle (2.7.1-5+deb8u1) stable; urgency=low
+
+  * Fix CVE-2015-8803, CVE-2015-8804, and CVE-2015-8805 (Closes: #813679).
+
+ -- Magnus Holmgren <holmgren@debian.org>  Sat, 06 Feb 2016 20:01:37 +0100
+
 nettle (2.7.1-5) unstable; urgency=medium
 
   * Add code to transition /usr/share/doc/nettle-dbg from directory to
diff -Nru nettle-2.7.1/debian/patches/cve-2015-8803_8805.patch nettle-2.7.1/debian/patches/cve-2015-8803_8805.patch
--- nettle-2.7.1/debian/patches/cve-2015-8803_8805.patch        1970-01-01 01:00:00.000000000 +0100
+++ nettle-2.7.1/debian/patches/cve-2015-8803_8805.patch        2016-02-07 19:40:25.000000000 +0100
@@ -0,0 +1,27 @@
+From: Niels Möller <nisse@lysator.liu.se>
+Origin: upstream, https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
+Subject: CVE-2015-8803 and CVE-2015-8805: Miscomputation bugs in secp-256r1 modulo functions.
+
+--- a/ecc-256.c
++++ b/ecc-256.c
+@@ -108,7 +119,10 @@ ecc_256_modp (const struct ecc_curve *ec
+       u0 -= t;
+       t = (u1 < cy);
+       u1 -= cy;
+-      u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);
++
++      cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);
++      u0 += cy;
++      u1 += (u0 < cy);
+       u1 -= (-t) & 0xffffffff;
+     }
+   rp[2] = u0;
+@@ -195,7 +209,7 @@ ecc_256_modq (const struct ecc_curve *ec
+ 
+       /* Conditional add of p */
+       u1 += t;
+-      u2 += (t<<32) + (u0 < t);
++      u2 += (t<<32) + (u1 < t);
+ 
+       t = cnd_add_n (t, rp + n - 4, ecc->q, 2);
+       u1 += t;
diff -Nru nettle-2.7.1/debian/patches/cve-2015-8804.patch nettle-2.7.1/debian/patches/cve-2015-8804.patch
--- nettle-2.7.1/debian/patches/cve-2015-8804.patch     1970-01-01 01:00:00.000000000 +0100
+++ nettle-2.7.1/debian/patches/cve-2015-8804.patch     2016-02-06 19:50:51.000000000 +0100
@@ -0,0 +1,252 @@
+Origin: upstream, https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
+From: Niels Möller <nisse@lysator.liu.se>
+Subject: CVE-2015-8804: Carry folding bug in x86_64 ecc_384_modp.
+
+--- a/x86_64/ecc-384-modp.asm
++++ b/x86_64/ecc-384-modp.asm
+@@ -20,7 +20,7 @@ C MA 02111-1301, USA.
+       .file "ecc-384-modp.asm"
+ 
+ define(<RP>, <%rsi>)
+-define(<D4>, <%rax>)
++define(<D5>, <%rax>)
+ define(<T0>, <%rbx>)
+ define(<T1>, <%rcx>)
+ define(<T2>, <%rdx>)
+@@ -35,8 +35,8 @@ define(<H4>, <%r13>)
+ define(<H5>, <%r14>)
+ define(<C2>, <%r15>)
+ define(<C0>, H5)      C Overlap
+-define(<D0>, RP)      C Overlap
+-define(<TMP>, H4)     C Overlap
++define(<TMP>, RP)     C Overlap
++
+ 
+ PROLOGUE(nettle_ecc_384_modp)
+       W64_ENTRY(2, 0)
+@@ -48,34 +48,38 @@ PROLOGUE(nettle_ecc_384_modp)
+       push    %r14
+       push    %r15
+ 
+-      C First get top 2 limbs, which need folding twice
++      C First get top 2 limbs, which need folding twice.
++      C B^10 = B^6 + B^4 + 2^32 (B-1)B^4.
++      C We handle the terms as follow:
+       C
+-      C   H5 H4
+-      C     -H5
+-      C  ------
+-      C   H0 D4
++      C B^6: Folded immediatly.
+       C
+-      C Then shift right, (H1,H0,D4)  <--  (H0,D4) << 32
+-      C and add
++      C B^4: Delayed, added in in the next folding.
+       C
+-      C     H5 H4
+-      C     H1 H0
+-      C ----------
+-      C  C2 H1 H0
+-
+-      mov     80(RP), D4
+-      mov     88(RP), H0
+-      mov     D4, H4
+-      mov     H0, H5
+-      sub     H0, D4
+-      sbb     $0, H0
+-
+-      mov     D4, T2
+-      mov     H0, H1
+-      shl     $32, H0
+-      shr     $32, T2
++      C 2^32(B-1) B^4: Low half limb delayed until the next
++      C folding. Top 1.5 limbs subtracted and shifter now, resulting
++      C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added
++      C in.
++
++      mov     80(RP), H4
++      mov     88(RP), H5
++      C Shift right 32 bits, into H1, H0
++      mov     H4, H0
++      mov     H5, H1
++      mov     H5, D5
+       shr     $32, H1
+-      or      T2, H0
++      shl     $32, D5
++      shr     $32, H0
++      or      D5, H0
++
++      C       H1 H0
++      C       -  H1 H0
++      C       --------
++      C       H1 H0 D5
++      mov     H0, D5
++      neg     D5
++      sbb     H1, H0
++      sbb     $0, H1
+ 
+       xor     C2, C2
+       add     H4, H0
+@@ -114,118 +118,95 @@ PROLOGUE(nettle_ecc_384_modp)
+       adc     H3, T5
+       adc     $0, C0
+ 
+-      C   H3 H2 H1 H0  0
+-      C - H4 H3 H2 H1 H0
+-      C  ---------------
+-      C   H3 H2 H1 H0 D0
+-
+-      mov     XREG(D4), XREG(D4)
+-      mov     H0, D0
+-      neg     D0
+-      sbb     H1, H0
+-      sbb     H2, H1
+-      sbb     H3, H2
+-      sbb     H4, H3
+-      sbb     $0, D4
+-
+-      C Shift right. High bits are sign, to be added to C0.
+-      mov     D4, TMP
+-      sar     $32, TMP
+-      shl     $32, D4
+-      add     TMP, C0
+-
++      C Shift left, including low half of H4
+       mov     H3, TMP
++      shl     $32, H4
+       shr     $32, TMP
+-      shl     $32, H3
+-      or      TMP, D4
++      or      TMP, H4
+ 
+       mov     H2, TMP
++      shl     $32, H3
+       shr     $32, TMP
+-      shl     $32, H2
+       or      TMP, H3
+ 
+       mov     H1, TMP
++      shl     $32, H2
+       shr     $32, TMP
+-      shl     $32, H1
+       or      TMP, H2
+ 
+       mov     H0, TMP
++      shl     $32, H1
+       shr     $32, TMP
+-      shl     $32, H0
+       or      TMP, H1
+ 
+-      mov     D0, TMP
+-      shr     $32, TMP
+-      shl     $32, D0
+-      or      TMP, H0
++      shl     $32, H0
++
++      C   H4 H3 H2 H1 H0  0
++      C  -   H4 H3 H2 H1 H0
++      C  ---------------
++      C   H4 H3 H2 H1 H0 TMP
+ 
+-      add     D0, T0
++      mov     H0, TMP
++      neg     TMP
++      sbb     H1, H0
++      sbb     H2, H1
++      sbb     H3, H2
++      sbb     H4, H3
++      sbb     $0, H4
++
++      add     TMP, T0
+       adc     H0, T1
+       adc     H1, T2
+       adc     H2, T3
+       adc     H3, T4
+-      adc     D4, T5
++      adc     H4, T5
+       adc     $0, C0
+ 
+       C Remains to add in C2 and C0
+-      C                         C0  C0<<32  (-2^32+1)C0
+-      C    C2  C2<<32  (-2^32+1)C2
+-      C where C2 is always positive, while C0 may be -1.
++      C Set H1, H0 = (2^96 - 2^32 + 1) C0
+       mov     C0, H0
+       mov     C0, H1
+-      mov     C0, H2
+-      sar     $63, C0         C Get sign
+       shl     $32, H1
+-      sub     H1, H0          C Gives borrow iff C0 > 0
++      sub     H1, H0
+       sbb     $0, H1
+-      add     C0, H2
+ 
++      C Set H3, H2 = (2^96 - 2^32 + 1) C2
++      mov     C2, H2
++      mov     C2, H3
++      shl     $32, H3
++      sub     H3, H2
++      sbb     $0, H3
++      add     C0, H2          C No carry. Could use lea trick
++
++      xor     C0, C0
+       add     H0, T0
+       adc     H1, T1
+-      adc     $0, H2
+-      adc     $0, C0
+-
+-      C Set (H1 H0)  <-- C2 << 96 - C2 << 32 + 1
+-      mov     C2, H0
+-      mov     C2, H1
+-      shl     $32, H1
+-      sub     H1, H0
+-      sbb     $0, H1
+-
+-      add     H2, H0
+-      adc     C0, H1
+-      adc     C2, C0
+-      mov     C0, H2
+-      sar     $63, C0
+-      add     H0, T2
+-      adc     H1, T3
+-      adc     H2, T4
+-      adc     C0, T5
+-      sbb     C0, C0
++      adc     H2, T2
++      adc     H3, T3
++      adc     C2, T4
++      adc     D5, T5          C Value delayed from initial folding
++      adc     $0, C0          C Use sbb and switch sign?
+ 
+       C Final unlikely carry
+       mov     C0, H0
+       mov     C0, H1
+-      mov     C0, H2
+-      sar     $63, C0
+       shl     $32, H1
+       sub     H1, H0
+       sbb     $0, H1
+-      add     C0, H2
+ 
+       pop     RP
+ 
+-      sub     H0, T0
++      add     H0, T0
+       mov     T0, (RP)
+-      sbb     H1, T1
++      adc     H1, T1
+       mov     T1, 8(RP)
+-      sbb     H2, T2
++      adc     C0, T2
+       mov     T2, 16(RP)
+-      sbb     C0, T3
++      adc     $0, T3
+       mov     T3, 24(RP)
+-      sbb     C0, T4
++      adc     $0, T4
+       mov     T4, 32(RP)
+-      sbb     C0, T5
++      adc     $0, T5
+       mov     T5, 40(RP)
+ 
+       pop     %r15
diff -Nru nettle-2.7.1/debian/patches/series nettle-2.7.1/debian/patches/series
--- nettle-2.7.1/debian/patches/series  2014-07-30 08:14:39.000000000 +0200
+++ nettle-2.7.1/debian/patches/series  2016-02-06 19:26:59.000000000 +0100
@@ -1 +1,3 @@
 fPIC.patch
+cve-2015-8803_8805.patch
+cve-2015-8804.patch

--- End Message ---
--- Begin Message --- 
Version: 8.4

Hi,

The packages referenced by these bugs were included in today's stable
point release.

Regards,

Adam

--- End Message ---
Reply to: