
Bug#843268: marked as done (jessie-pu: package nettle/2.7.1-5+deb8u2)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #843268,
regarding jessie-pu: package nettle/2.7.1-5+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
843268: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843268
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal
X-Debbugs-Cc: ametzler@bebt.de, carnil@debian.org

Hello Stable Release Managers,

Here is a debdiff for a proposed upload to address CVE-2016-6489 ("RSA code is 
vulnerable to cache sharing related attacks") in jessie, which the Security 
Team thinks should be done but which doesn't warrant a DSA.

I added a Breaks: libgnutls-deb0-28 (<< 3.3.8-6+deb8u4) to libhogweed2 to 
ensure that libgnutls is upgraded first in order to prevent crashes that could 
in theory occur if nettle_rsa_private_key_prepare() isn't called to check that 
the private key is valid (see https://bugs.debian.org/840191). The latest 
Nettle library includes extra safety checks to work with incorrect callers but 
those can't be backported so easily.

-- 
Magnus Holmgren        holmgren@debian.org
Debian Developer 
diff -Nru nettle-2.7.1/debian/changelog nettle-2.7.1/debian/changelog
--- nettle-2.7.1/debian/changelog	2016-02-07 19:52:57.000000000 +0100
+++ nettle-2.7.1/debian/changelog	2016-11-05 17:37:13.000000000 +0100
@@ -1,8 +1,17 @@
+nettle (2.7.1-5+deb8u2) stable; urgency=medium
+
+  * [SECURITY] cve-2016-6489.patch: Protect against potential side-channel
+    attacks against exponentiation operations as described in
+    CVE-2016-6489 "RSA code is vulnerable to cache sharing related
+    attacks" (Closes: #832983).
+
+ -- Magnus Holmgren <holmgren@debian.org>  Sat, 05 Nov 2016 17:37:13 +0100
+
 nettle (2.7.1-5+deb8u1) stable; urgency=low
 
   * Fix CVE-2015-8803, CVE-2015-8804, and CVE-2015-8805 (Closes: #813679).
 
- -- Magnus Holmgren <holmgren@debian.org>  Sat, 06 Feb 2016 20:01:37 +0100
+ -- Magnus Holmgren <holmgren@debian.org>  Tue, 09 Feb 2016 20:57:42 +0100
 
 nettle (2.7.1-5) unstable; urgency=medium
 
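Review bot: besides adding the new 2.7.1-5+deb8u2 entry, this hunk also rewrites the trailer date of the already-released 2.7.1-5+deb8u1 entry ("Sat, 06 Feb 2016 20:01:37 +0100" becomes "Tue, 09 Feb 2016 20:57:42 +0100"). A debdiff against the version in the archive should only show the new stanza; if the diff was generated against a local tree whose deb8u1 entry differs from what was uploaded, regenerate it against the archive source so the proposed change is exactly what gets built. The new entry itself should also mention the Breaks: on libgnutls-deb0-28 added in debian/control, since that is a user-visible upgrade-ordering change and the cover letter explains its rationale while the changelog does not.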
diff -Nru nettle-2.7.1/debian/control nettle-2.7.1/debian/control
--- nettle-2.7.1/debian/control	2015-01-11 20:27:22.000000000 +0100
+++ nettle-2.7.1/debian/control	2016-11-05 17:36:28.000000000 +0100
@@ -36,6 +36,7 @@
 Multi-Arch: same
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Breaks: libgnutls-deb0-28 (<< 3.3.8-6+deb8u4)
 Description: low level cryptographic library (public-key cryptos)
  Nettle is a cryptographic library that is designed to fit easily in more or
  less any context: In crypto toolkits for object-oriented languages (C++,
diff -Nru nettle-2.7.1/debian/patches/cve-2016-6489.patch nettle-2.7.1/debian/patches/cve-2016-6489.patch
--- nettle-2.7.1/debian/patches/cve-2016-6489.patch	1970-01-01 01:00:00.000000000 +0100
+++ nettle-2.7.1/debian/patches/cve-2016-6489.patch	2016-08-04 20:05:32.000000000 +0200
@@ -0,0 +1,87 @@
+Description: Protect against side-channel attacks against exponentiation operations 
+ See https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html
+Bug-Debian: https://bugs.debian.org/832983
+
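Review bot: the DEP-3 header has Description and Bug-Debian but no Origin: field; the nettle-bugs thread URL documents the discussion, but naming the upstream commit(s) this backport was cut from would let the next maintainer verify it against upstream 3.x directly. The Description line also carries trailing whitespace.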
+--- a/dsa-sign.c
++++ b/dsa-sign.c
+@@ -47,6 +47,11 @@ _dsa_sign(const struct dsa_public_key *p
+   mpz_t h;
+   mpz_t tmp;
+ 
++  /* Check that p is odd, so that invalid keys don't result in a crash
++     inside mpz_powm_sec. */
++  if (mpz_even_p (pub->p))
++    return 0;
++
+   /* Require precise match of bitsize of q and hash size. The general
+      description of DSA in FIPS186-3 allows both larger and smaller q;
+      in the the latter case, the hash must be truncated to the right
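Review bot: the early "return 0" is placed before any mpz_init, with k, h and tmp only declared in the visible context, so there is nothing to mpz_clear on this path and the check is safe as positioned. It guards only pub->p, which is correct: p is the modulus handed to mpz_powm_sec below, while q is only used with mpz_fdiv_r, which has no odd-modulus requirement. Callers of _dsa_sign must already handle a 0 return for the existing q-size check, so the new failure mode needs no API change.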
+@@ -63,7 +68,7 @@ _dsa_sign(const struct dsa_public_key *p
+   mpz_add_ui(k, k, 1);
+ 
+   /* Compute r = (g^k (mod p)) (mod q) */
+-  mpz_powm(tmp, pub->g, k, pub->p);
++  mpz_powm_sec(tmp, pub->g, k, pub->p);
+   mpz_fdiv_r(signature->r, tmp, pub->q);
+ 
+   /* Compute hash */
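Review bot: mpz_powm_sec additionally requires the exponent to be strictly positive; the "mpz_add_ui(k, k, 1)" in the context above guarantees k >= 1, so both GMP preconditions (odd modulus, from the new mpz_even_p check, and positive exponent) hold here. The patch only makes the g^k exponentiation constant-time, as its Description states; the rest of the signing arithmetic is out of scope for this upload and should not be described as fully side-channel hardened in the changelog.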
+--- a/rsa-blind.c
++++ b/rsa-blind.c
+@@ -53,7 +53,7 @@ _rsa_blind (const struct rsa_public_key
+   while (!mpz_invert (ri, r, pub->n));
+ 
+   /* c = c*(r^e) mod n */
+-  mpz_powm(r, r, pub->e, pub->n);
++  mpz_powm_sec(r, r, pub->e, pub->n);
+   mpz_mul(c, c, r);
+   mpz_fdiv_r(c, c, pub->n);
+ 
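Review bot: the modulus here is pub->n, which is only guaranteed odd if the caller went through rsa_public_key_prepare() and therefore the new _rsa_check_size check; nothing in this hunk validates it locally, which is consistent with the cover letter but worth keeping in mind for out-of-tree callers. mpz_powm_sec also requires pub->e > 0, and nothing visible in this patch checks the public exponent; please confirm that an e of zero is rejected at key-preparation time, or add a check, because mpz_powm_sec aborts on a zero exponent rather than returning an error.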
+--- a/rsa-sign.c
++++ b/rsa-sign.c
+@@ -88,11 +88,11 @@ rsa_compute_root(const struct rsa_privat
+ 
+   /* Compute xq = m^d % q = (m%q)^b % q */
+   mpz_fdiv_r(xq, m, key->q);
+-  mpz_powm(xq, xq, key->b, key->q);
++  mpz_powm_sec(xq, xq, key->b, key->q);
+ 
+   /* Compute xp = m^d % p = (m%p)^a % p */
+   mpz_fdiv_r(xp, m, key->p);
+-  mpz_powm(xp, xp, key->a, key->p);
++  mpz_powm_sec(xp, xp, key->a, key->p);
+ 
+   /* Set xp' = (xp - xq) c % p. */
+   mpz_sub(xp, xp, xq);
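Review bot: the moduli for the two mpz_powm_sec calls are key->p and key->q, and both are odd exactly when n = p*q is odd, so the even-modulus check added to _rsa_check_size covers this function provided rsa_private_key_prepare() was actually called; the new rsa-test.c case (clearing bit 0 of key.p and asserting that rsa_private_key_prepare fails) confirms that path. Callers that skip prepare and sign with an even p or q will now hit a GMP abort instead of producing a wrong signature, which is the crash the Breaks: in debian/control is meant to avoid for gnutls.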
+--- a/rsa.c
++++ b/rsa.c
+@@ -56,7 +56,13 @@ unsigned
+ _rsa_check_size(mpz_t n)
+ {
+   /* Round upwards */
+-  unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;
++  unsigned size;
++
++  /* Even moduli are invalid, and not supported by mpz_powm_sec. */
++  if (mpz_even_p (n))
++    return 0;
++
++  size = (mpz_sizeinbase(n, 2) + 7) / 8;
+ 
+   if (size < RSA_MINIMUM_N_OCTETS)
+     return 0;
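Review bot: the "/* Round upwards */" comment now sits above the bare "unsigned size;" declaration instead of the expression it describes; move it down to just above "size = (mpz_sizeinbase(n, 2) + 7) / 8;" so it stays attached to the rounding. Returning 0 for an even modulus reuses the existing "invalid size" convention that rsa_public_key_prepare and rsa_private_key_prepare already test for, so no caller changes are needed, but the public documentation of those functions should mention that an even modulus is now rejected.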
+--- a/testsuite/rsa-test.c
++++ b/testsuite/rsa-test.c
+@@ -57,6 +57,13 @@ test_main(void)
+ 
+   test_rsa_sha512(&pub, &key, expected);
+ 
++  /* Test detection of invalid keys with even modulo */
++  mpz_clrbit (pub.n, 0);
++  ASSERT (!rsa_public_key_prepare (&pub));
++
++  mpz_clrbit (key.p, 0);
++  ASSERT (!rsa_private_key_prepare (&key));
++
+   /* 777-bit key, generated by
+    *
+    *   lsh-keygen -a rsa -l 777 -f advanced-hex
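Review bot: after mpz_clrbit, pub.n and key.p are left with bit 0 cleared, and the 777-bit key test that follows reuses the same pub and key variables; confirm that they are fully reset before that test, otherwise a later failure could be an artefact of this mutation rather than a regression. The new _dsa_sign check in dsa-sign.c has no test at all; a matching case in dsa-test.c that clears bit 0 of p and asserts that signing returns 0 would exercise it.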
diff -Nru nettle-2.7.1/debian/patches/series nettle-2.7.1/debian/patches/series
--- nettle-2.7.1/debian/patches/series	2016-02-06 19:26:59.000000000 +0100
+++ nettle-2.7.1/debian/patches/series	2016-10-30 22:15:09.000000000 +0100
@@ -1,3 +1,4 @@
 fPIC.patch
 cve-2015-8803_8805.patch
 cve-2015-8804.patch
+cve-2016-6489.patch



--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
