GNU bug report logs

#47222 Serious bug in Nettle's ecdsa_verify


Message #18 received at 47222@debbugs.gnu.org:

From: nisse@lysator.liu.se (Niels Möller)
To: Ludovic Courtès <ludo@gnu.org>
Subject: Re: bug#47222: Serious bug in Nettle's ecdsa_verify
References: <cpfmtuwlv0k.fsf@slartibartfast.lysator.liu.se>
 <875z1kl24h.fsf@netris.org> <87h7kzblxk.fsf_-_@gnu.org>
Date: Thu, 25 Mar 2021 17:21:40 +0100
In-Reply-To: <87h7kzblxk.fsf_-_@gnu.org> ("Ludovic Courtès"'s message of "Thu, 25 Mar 2021 10:51:51 +0100")
Message-ID: <cpfh7kzjjaj.fsf@slartibartfast.lysator.liu.se>
Cc: 47222@debbugs.gnu.org, nettle-bugs@lists.lysator.liu.se
Ludovic Courtès <ludo@gnu.org> writes:

> Are there plans to make a new 3.5 release including these fixes?

No, I don't plan any 3.5.x release.

> Alternatively, could you provide guidance as to which commits should be
> cherry-picked in 3.5 for downstream distros?

Look at the branch release-3.7-fixes
(https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/).
The commits since 3.7.1 are the ones you need.

Changes to gostdsa and ed448 will not apply, since those curves didn't
exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
refactoring when adding ed448.

> I’m asking because in Guix, the easiest way for us to deploy the fixes
> on the ‘master’ branch would be by “grafting” a new Nettle variant
> ABI-compatible with 3.5.1, which is the one packages currently depend on.

I still recommend upgrading to the latest version. There was an ABI
break in 3.6 (so you'd need to recompile lots of Guix packages), but no
incompatible changes to the (source-level) API.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
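A helper for the backport procedure Niels describes above, added here as an example; it is not code from the thread or from the Nettle project. It assumes a local clone of the Nettle repository and that the 3.7.1 release carries the tag nettle_3.7.1 (Nettle's tag naming convention); the file-name filter for the curves he says will not apply is likewise an assumption built from his message.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from Nettle itself.
# Assumes a local Nettle clone and that the 3.7.1 release is tagged
# "nettle_3.7.1" (Nettle's tag naming convention).
set -eu

# Paths matching this pattern belong to curves that do not exist in
# nettle-3.5 (gostdsa, ed448) or were refactored when ed448 was added
# (ed25519); commits touching them are flagged instead of cherry-picked.
SKIP_PATTERN='gostdsa|ed448|ed25519'

# Print one line per commit of revision range $2 in repository $1:
#   <sha> PICK|SKIP <subject>
# Oldest first, which is the order in which to cherry-pick them.
triage_commits() {
    repo=$1
    range=$2
    git -C "$repo" rev-list --reverse "$range" | while read -r sha; do
        subject=$(git -C "$repo" log -1 --format=%s "$sha")
        if git -C "$repo" diff-tree --no-commit-id --name-only -r "$sha" \
                | grep -Eq "$SKIP_PATTERN"; then
            status=SKIP
        else
            status=PICK
        fi
        printf '%s %s %s\n' "$sha" "$status" "$subject"
    done
}

# Cherry-pick the PICK commits onto the checked-out branch (-x records the
# source sha in each message), stopping at the first conflict so it can be
# resolved by hand and continued with 'git cherry-pick --continue'.
apply_picks() {
    repo=$1
    range=$2
    triage_commits "$repo" "$range" | while read -r sha status rest; do
        [ "$status" = PICK ] || continue
        git -C "$repo" cherry-pick -x "$sha" >/dev/null || {
            echo "conflict while picking $sha; resolve and continue by hand" >&2
            exit 1
        }
    done
}

# Usage, with the branch and tag named in the thread:
#   triage_commits /path/to/nettle nettle_3.7.1..release-3.7-fixes
```

Run triage_commits first to review the list; a SKIP line still deserves a manual look, since only its touched files, not its content, were checked.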




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:35:40 2024; Machine Name: wallace-server
