
Bug#821835: jessie-pu: package libcrypto++/5.6.1-6+deb8u2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Release Team,

There's a vulnerability in Crypto++, the C++ class library of
cryptographic schemes.
It's CVE-2016-3995, bogus protection from timing attacks in the AES
(Rijndael) cipher. GCC could optimize the protection out. The patch
(already in Sid + Stretch) prevents this. It's minor for a security
update, but can be enough for a normal package update.

Thanks for consideration,
Laszlo/GCS
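An added illustration of the defect described above (example code written for this page, not Crypto++'s rijndael.cpp; the table contents, the function names and the seeded variant are constructed for the demonstration): the cache-warming loop in its pre-patch and patched shapes, side by side. The table is built so that every word in cache line n has bit n cleared, which lets the seeded variant report exactly which lines were loaded; the real countermeasure always seeds 0 and ORs the resulting 0 into the round state.

```cpp
#include <cstddef>
#include <cstdint>

typedef uint32_t word32;

// Constructed stand-in for the 1 KiB Te/Td table (256 x word32) used by
// rijndael.cpp. Every word in cache line n (16 words at a 64-byte line size)
// has bit n cleared, so the AND over the sampled words records which lines
// were actually loaded. Real Crypto++ tables hold S-box data instead.
static const size_t kTableWords = 256;
static const size_t kTableBytes = kTableWords * sizeof(word32);

static const word32* sample_table()
{
    static word32 table[kTableWords];
    static bool ready = false;
    if (!ready) {
        for (size_t k = 0; k < kTableWords; ++k)
            table[k] = ~(static_cast<word32>(1u) << (k / 16));
        ready = true;
    }
    return table;
}

// First word of the cache line starting at byteOffset (a multiple of 4).
static inline word32 word_at(const word32* table, size_t byteOffset)
{
    const uint8_t* base = reinterpret_cast<const uint8_t*>(table);
    return *reinterpret_cast<const word32*>(base + byteOffset);
}

// Pre-patch shape (CVE-2016-3995): u is a compile-time constant 0, so each
// "u &= ..." is provably 0 and the loads have no observable effect. An
// optimising compiler may delete them, and with them the cache warming.
static word32 warm_table_foldable(const word32* table, size_t lineSize)
{
    word32 u = 0;
    for (size_t i = 0; i < kTableBytes; i += lineSize)
        u &= word_at(table, i);
    u &= table[kTableWords - 1];
    return u;
}

// Patched shape, with the seed exposed as a parameter (hypothetical, for
// testing). Reading the seed through a volatile makes u opaque to the
// optimiser: it can no longer prove u == 0, so every load must be emitted.
// The real countermeasure always uses a seed of 0.
static word32 warm_table_seeded(const word32* table, size_t lineSize, word32 seed)
{
    volatile word32 _u = seed;
    word32 u = _u;
    for (size_t i = 0; i < kTableBytes; i += lineSize)
        u &= word_at(table, i);
    u &= table[kTableWords - 1];
    return u;
}

static word32 warm_table_hardened(const word32* table, size_t lineSize)
{
    return warm_table_seeded(table, lineSize, 0);
}

// What the cipher does with u afterwards: OR it into the round state.
// At run time u is always 0, so this is a no-op on the state; the volatile
// seed is what stops the compiler from proving that and dropping the loads.
static void apply_countermeasure(word32 s[4], const word32* table, size_t lineSize)
{
    const word32 u = warm_table_hardened(table, lineSize);
    s[0] |= u; s[1] |= u; s[2] |= u; s[3] |= u;
}
```

To check the fix on your own toolchain, compile this with `g++ -O2 -S` and compare the assembly of `warm_table_foldable` and `warm_table_hardened`: at -O2 GCC typically reduces the foldable version to returning zero with no memory accesses, while the hardened version keeps one load per cache line. The same inspection of the built `rijndael.o` is the practical way to confirm the countermeasure survived optimisation in a given libcrypto++ build.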
diff -Nru libcrypto++-5.6.1/debian/changelog libcrypto++-5.6.1/debian/changelog
--- libcrypto++-5.6.1/debian/changelog	2015-06-28 13:41:08.000000000 +0000
+++ libcrypto++-5.6.1/debian/changelog	2016-04-11 16:16:44.000000000 +0000
@@ -1,3 +1,9 @@
+libcrypto++ (5.6.1-6+deb8u2) jessie; urgency=medium
+
+  * Fix CVE-2016-3995, Rijndael timing attack counter measure.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 11 Apr 2016 16:13:56 +0000
+
 libcrypto++ (5.6.1-6+deb8u1) jessie-security; urgency=high
 
   * Fix CVE-2015-2141, misuse of blinding technique that is aimed at
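Review bot: The new changelog entry should say where the fix comes from so the backport is traceable: the patch header records upstream commit 9f335d719ebc27f58251559240de0077ec42c583 and the hunks reference http://github.com/weidai11/cryptopp/issues/146, but neither appears here. Suggest "* Fix CVE-2016-3995: Rijndael timing attack countermeasure could be optimised out by the compiler (upstream commit 9f335d7, cryptopp issue #146)." That also fixes "counter measure", which is one word and is spelled "countermeasure" in the patch subject.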
diff -Nru libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch
--- libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch	1970-01-01 00:00:00.000000000 +0000
+++ libcrypto++-5.6.1/debian/patches/CVE-2016-3995.patch	2016-04-16 11:42:14.000000000 +0000
@@ -0,0 +1,52 @@
+From 9f335d719ebc27f58251559240de0077ec42c583 Mon Sep 17 00:00:00 2001
+From: Pierre Lestringant <plt@amossys.fr>
+Date: Wed, 6 Apr 2016 15:51:17 +0200
+Subject: [PATCH] Fix the Rijndael timing attack counter measure
+
+---
+ rijndael.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rijndael.cpp b/rijndael.cpp
+index f394960..92f9dea 100644
+--- a/rijndael.cpp
++++ b/rijndael.cpp
+@@ -372,10 +372,12 @@ void Rijndael::Enc::ProcessAndXorBlock(c
+ 	t3 = rk[7];
+ 	rk += 8;
+ 
+-	// timing attack countermeasure. see comments at top for more details
++	// timing attack countermeasure. see comments at top for more details.
++	// also see http://github.com/weidai11/cryptopp/issues/146
+ 	const int cacheLineSize = GetCacheLineSize();
+ 	unsigned int i;
+-	word32 u = 0;
++	volatile word32 _u = 0;
++	word32 u = _u;
+ #ifdef CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS
+ 	for (i=0; i<2048; i+=cacheLineSize)
+ #else
+@@ -448,10 +450,12 @@ void Rijndael::Dec::ProcessAndXorBlock(c
+ 	t3 = rk[7];
+ 	rk += 8;
+ 
+-	// timing attack countermeasure. see comments at top for more details
++	// timing attack countermeasure. see comments at top for more details.
++	// also see http://github.com/weidai11/cryptopp/issues/146
+ 	const int cacheLineSize = GetCacheLineSize();
+ 	unsigned int i;
+-	word32 u = 0;
++	volatile word32 _u = 0;
++	word32 u = _u;
+ #ifdef CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS
+ 	for (i=0; i<2048; i+=cacheLineSize)
+ #else
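Review bot: This is the Enc hunk repeated verbatim for Dec, and the original bug had to be fixed in two places here plus a third below because the countermeasure is open-coded per direction. Suggest moving the seed-and-AND loop into one static helper taking the table, its size and `cacheLineSize`, so that the next change to the countermeasure is made and reviewed once rather than three times.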
+@@ -491,7 +495,7 @@ void Rijndael::Dec::ProcessAndXorBlock(c
+ 	// timing attack countermeasure. see comments at top for more details
+ 	// If CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS is defined, 
+ 	// QUARTER_ROUND_LD will use Td, which is already preloaded.
+-	u = 0;
++	u = _u;
+ 	for (i=0; i<256; i+=cacheLineSize)
+ 		u &= *(const word32 *)(Sd+i);
+ 	u &= *(const word32 *)(Sd+252);
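Review bot: The diffstat in the patch header (`rijndael.cpp | 4 ++--`, `2 insertions(+), 2 deletions(-)`) no longer matches the body, which has three hunks with 9 insertions and 5 deletions, so the patch was edited after `git format-patch`; regenerate it or drop the stat lines so the header does not misstate the change. The `u = _u;` in this hunk is the right choice: a plain `u = 0;` here would let the compiler fold the second loop over `Sd` away exactly as the first one was, so the re-read of the volatile is needed, and a one-line comment saying that would save the next reader the same question.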
diff -Nru libcrypto++-5.6.1/debian/patches/series libcrypto++-5.6.1/debian/patches/series
--- libcrypto++-5.6.1/debian/patches/series	2015-06-28 13:37:49.000000000 +0000
+++ libcrypto++-5.6.1/debian/patches/series	2016-04-11 16:25:58.000000000 +0000
@@ -7,3 +7,4 @@
 salsa.patch
 gcc-4.7-ftbfs.diff
 CVE-2015-2141.patch
+CVE-2016-3995.patch
