Report forwarded to bug-guix@gnu.org: bug#31831; Package guix. (Thu, 14 Jun 2018 19:24:02 GMT)
Acknowledgement sent to Leo Famulari <leo@famulari.name>: New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Thu, 14 Jun 2018 19:24:02 GMT)
Recently a new side-channel key extraction technique was published as
CVE-2018-0495, and it affects a lot of the cryptographic libraries we
package:
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/?style=Cyber+Security
An excerpt from that advisory:
------
We analyzed the source code of several open source cryptographic
libraries to see if they contain the vulnerable code pattern in the code
for ECDSA, DSA, or both. This list is accurate to the best of our
knowledge, but it is not exhaustive. Only the first group was affected
by this finding; the other three groups are not thought to be
vulnerable.
Contains vulnerable pattern: CryptLib (Both), LibreSSL (Both), Mozilla
NSS (Both), Botan (ECDSA), OpenSSL (ECDSA), WolfCrypt (ECDSA), Libgcrypt
(ECDSA), LibTomCrypt (ECDSA), LibSunEC (ECDSA), MatrixSSL (ECDSA),
BoringSSL (DSA)
Non-constant math, but different pattern: BouncyCastle, Crypto++, Golang
crypto/tls, C#/Mono, mbedTLS, Trezor Crypto, Nettle (DSA)
Constant-time math: Nettle (ECDSA), BearSSL, Libsecp256k1
Does not implement either: NaCl
------
Note that libtomcrypt is bundled in the Dropbear SSH implementation.
I'm going to test the libgcrypt update now.
I'd like for other Guix hackers to "claim" an affected package in this
thread, and then investigate and test the fixes. Please make new debbugs
tickets on guix-patches for each bug-fix patch you propose, and send the
links to those tickets here.
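As an added illustration, not code from this thread or from any of the libraries named above: one widely used mitigation for this class of ECDSA/DSA nonce leak (an assumption here, the thread does not describe the fix itself) is to give the scalar passed to the point multiplication a fixed bit length by adding the group order, so that leading-zero bits of the secret nonce no longer shape the timing. The group order constant and the sample nonces below are constructed for the example.

```python
import secrets

# Constructed example group order: the order of secp256k1, a public constant,
# used here only as a realistic 256-bit prime order.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def pad_nonce(k: int, n: int) -> int:
    """Return k' == k (mod n) whose bit length is always bit_length(n) + 1.

    Adding n once does not always carry into a new top bit (a small k can
    leave k + n just below 2**bit_length(n)); adding n a second time then
    does, and can never reach bit_length(n) + 2.  Since n*G is the group
    identity, k'*G == k*G, so the signature is unchanged but the scalar the
    multiplication loop walks over has a data-independent length.
    """
    if not 1 <= k < n:
        raise ValueError("nonce must be in [1, n-1]")
    k_padded = k + n
    if k_padded.bit_length() <= n.bit_length():
        k_padded += n
    return k_padded


def bit_length_spread(nonces, n, pad):
    """Count the distinct scalar bit lengths a timing observer would see.

    A constant-length scalar should give exactly one value regardless of the
    nonces; a spread greater than one is the signal the side channel exploits.
    """
    seen = {(pad_nonce(k, n) if pad else k).bit_length() for k in nonces}
    return len(seen)


def sample_nonces():
    """Constructed nonces covering short and full-length values."""
    return [1, 1 << 10, 1 << 100, 1 << 200, N - 1]


def random_spread(count=1000):
    """Same check over fresh random nonces in [1, n-1]; should return 1."""
    nonces = [1 + secrets.randbelow(N - 1) for _ in range(count)]
    return bit_length_spread(nonces, N, pad=True)


if __name__ == "__main__":
    print("unpadded distinct lengths:", bit_length_spread(sample_nonces(), N, False))
    print("padded distinct lengths:  ", bit_length_spread(sample_nonces(), N, True))
```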
On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:
> I'll try OpenSSL next.
I sent patches for both branches of OpenSSL:
version 1.0.2:
<https://bugs.gnu.org/31834>
version 1.1.0:
<https://bugs.gnu.org/31833>
On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:
> I'll try OpenSSL next.
Patches pushed for both OpenSSL branches, closing bugs 31833 and 31834.
Leo Famulari <leo@famulari.name> wrote (on Mon, 16 Jul 2018, 8:22):
> Fixed in Botan in Guix commit cfe255684cc4deb164d0eaaa2e1ed9804b5ff651.
>
Are there any more packages needing attention?
On Mon, Jul 16, 2018 at 08:53:56AM +0200, Gábor Boskovits wrote:
> Are there any more packages needing attention?
libtomcrypt version 1.18.2 includes a fix; we would need to adapt this
to the bundled copy in Dropbear. I can take a look at this today.
NSS was fixed in Guix commit 7c3bea7e6299e1026c7964c83986a6b6c220879a by
Marius. Thanks, Marius!
The advisory mentions similar but not identical issues in these
packages:
There is a new release of Crypto++ available. I'm not sure if this
addresses whatever issue was mentioned in the original advisory.
mbedTLS's changelog doesn't mention anything related to key extraction
side channels.
I don't see any related commits in Go's crypto/tls Git repo.
On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> libtomcrypt version 1.18.2 includes a fix; we would need to adapt this
> to the bundled copy in Dropbear. I can take a look at this today.
Dropbear's bundled libtomcrypt includes a variety of whitespace and
comment changes that make it non-trivial to compare the actual
differences between the codebases.
I'm not going to work on adapting the upstream patch for Dropbear, but
of course others are welcome to do it :) Otherwise I assume the Dropbear
team will include the fixes whenever they make a new release.
On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> There is a new release of Crypto++ available. I'm not sure if this
> addresses whatever issue was mentioned in the original advisory.
Crypto++ was updated to 8.0.0 in January 2019.
https://www.cryptopp.com/release800.html
> mbedTLS's changelog doesn't mention anything related to key extraction
> side channels.
mbedTLS has been updated several times since this bug was opened, and is
currently at 2.16.0.
https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog
Neither of those upstreams has mentioned CVE-2018-0495, as far as I can
tell. The original advisory said they do not use the vulnerable pattern,
but do use "non-constant math, but different pattern".
Overall, I don't think there is anything left for us to do as a distro
in response to CVE-2018-0495, so I am closing this bug.