From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp0 ([2001:41d0:2:4a6f::])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id yBadM9NBbGADqQAAgWs5BA
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 06 Apr 2021 13:11:15 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0 with LMTPS
	id YHh8LdNBbGAzCgAA1q6Kng
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 06 Apr 2021 11:11:15 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 3A9141A25A
	for <larch@yhetil.org>; Tue,  6 Apr 2021 13:11:15 +0200 (CEST)
Received: from localhost ([::1]:43280 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1lTjc2-00006w-EL
	for larch@yhetil.org; Tue, 06 Apr 2021 07:11:14 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:47442)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lTjbt-00006f-Mn
 for bug-guix@gnu.org; Tue, 06 Apr 2021 07:11:05 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:56054)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lTjbr-0003cz-95
 for bug-guix@gnu.org; Tue, 06 Apr 2021 07:11:03 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lTjbq-000832-4F
 for bug-guix@gnu.org; Tue, 06 Apr 2021 07:11:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: bug#47222: Serious bug in Nettle's ecdsa_verify
References: <87blbhia4i.fsf@netris.org>
In-Reply-To: <87blbhia4i.fsf@netris.org>
Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@zaclys.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Tue, 06 Apr 2021 11:11:02 +0000
Resent-Message-ID: <handler.47222.B47222.161770740530865@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 47222
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security
To: 47222@debbugs.gnu.org
Received: via spool by 47222-submit@debbugs.gnu.org id=B47222.161770740530865
 (code B ref 47222); Tue, 06 Apr 2021 11:11:02 +0000
Received: (at 47222) by debbugs.gnu.org; 6 Apr 2021 11:10:05 +0000
Received: from localhost ([127.0.0.1]:39367 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lTjav-00081l-46
 for submit@debbugs.gnu.org; Tue, 06 Apr 2021 07:10:05 -0400
Received: from mail.zaclys.net ([178.33.93.72]:50867)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lTjat-00081D-Q7
 for 47222@debbugs.gnu.org; Tue, 06 Apr 2021 07:10:04 -0400
Received: from [192.168.1.115] (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 136B9vcI047022
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <47222@debbugs.gnu.org>; Tue, 6 Apr 2021 13:09:57 +0200
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 136B9vcI047022
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1617707397;
 bh=eD5u1thn1KULsubH2NMEXE/5NNvZSPXyYkh3s9Obh7s=;
 h=Subject:From:To:Date:From;
 b=gYmTDYNdOCQN1lqrn3wLU+7O73GL13C6xoWAhKMG2LeIdutZT3XCnyEe/NMBXdc3H
 O3RSJ2YLvICD92r9A1o/Zs4HUg3DVKU9suSwzeeVgebRWePu8A15ICHDzP/hDOcDlx
 taQx3t2CJPQYWdsEeyTl84B4uZ1SBdyVHnWB2C3A=
Message-ID: <082e0d953dd34519b597f675a72299c2e7a4917c.camel@zaclys.net>
Date: Tue, 06 Apr 2021 13:09:57 +0200
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-HqmND3dOCn/wpek35qNA"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
Reply-to:  =?UTF-8?Q?L=C3=A9o?= Le Bouter <lle-bout@zaclys.net>
From:  =?UTF-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1617707475;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:in-reply-to:in-reply-to:references:references:
	 list-id:list-help:list-unsubscribe:list-subscribe:list-post:
	 dkim-signature; bh=eD5u1thn1KULsubH2NMEXE/5NNvZSPXyYkh3s9Obh7s=;
	b=d8OHsaILLBWOU2XzwOlhGtHfyMPHcNRfKbUEoW57RdeSjhKGrOmA4VogFWBjtzXNotTjEA
	xIutuzLotgE48exz/2xi0FfLJIi8nHx58o9RrYl997d3ZQ1uFGUiIssVhMwLToRnsv4JJN
	E6cpwv7wsaqDr47Nap6quTdMDzTCn9JTNhEcK6Sz0z8m/NFteo1oSgEwyuxM7TOPypKYjo
	iEl/ur0rpE5hYQaT5h04qWbMnfsnH7T8errkJlf2hWUQheb7mdwTXwuOio29VfkVprmJQB
	yxWu5C0t+UuLSmhncOTpzK097Y430HH0TOXDfai46GXbqGiO31u5pZgqsrYlxw==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617707475; a=rsa-sha256; cv=none;
	b=oVjbWYfmwrBeyju7yS3uGhta7ETyXKJY5hrvLomIjiQvVb7ckD80VgBrmsfdo6w7KhZ4VW
	SOKrl8K+tmXaZOnJ+W8LsADRSDhSAiMl3eh3Jg09nUj481PWdPKg4cV7IdIP7GGBzD2lnF
	Ct7wy56RuLqv1seUwQKUHn4z/LKJxEjQmoSRbOUOZc04geWuQ0+7rIMAPlZqnFb7hNLOu6
	acvB5Nve0uNLfjnCnYWCauIJ65oUGXHlIxNCAZOdVRxaedz5nD1RRJGfKHT2yt8Dqpf94m
	n2WYAjVTkRM0ELGehBdCfDBCQKtuue3rkeszY3vzugZ7XzmmIyAmElXfGcm6DQ==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=gYmTDYNd;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Spam-Score: -3.54
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=gYmTDYNd;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Queue-Id: 3A9141A25A
X-Spam-Score: -3.54
X-Migadu-Scanner: scn0.migadu.com
X-TUID: g2W3mZvRqlTQ


--=-HqmND3dOCn/wpek35qNA
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I am no expert cryptographer, it is likely that if I try backporting
such patches I will get something wrong that introduces more flaws.

https://security-tracker.debian.org/tracker/CVE-2021-20305 - no patch
backported yet
https://packages.ubuntu.com/source/focal/nettle - no patch backported
either

It would be best if Nettle adopted a forever (or almost) backwards
compatible ABI from now on like curl (https://curl.se/libcurl/abi.html)
so that such things don't happen again.

Thank you,
L=C3=A9o

--=-HqmND3dOCn/wpek35qNA
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBsQYUACgkQRaix6GvN
EKakkBAAvmJ1Wl+TBstSjrbHZEx7m4daEkkuPMqLhGWZvaKZGn/N5EGZVMKQkjq+
vh7pzQkdr+9MZlkztnpp0r0FpB3oH1OT6EZSh62kWEe+uKgkJ7LxXeSM6rDScer3
5wvGfu+5u8KJQ55b+TKMdGkVdolUUC6Pt2yEPZF7ehmuxHqhBhC16qTfG4YlnZ1a
eA6QBmhGqmndHY7ou/GKWM0TtKYFDh1EJAiPVluRHBrtiRlx2GZy0K9BSjmCVo2I
YoqKUBXsI4CHLf4G4KInDTAil3duZPrTheENR7FAwJ1UcIQCHgJA4QCqCdVNt+BB
26fgVrYDXRTKt8iH9UeAY5Jo7m3rsUcjwpNatKLxyg8bGct8w+pfNjS0qsYkaQIU
9QDd4hig4vGrJvh9GRbRf9+DDLT5RPXkywgPG7Co0pBpCblgyGXpiZom5NDbNMej
L5dpTdaJfyEPW4zxhnQDsYkGi/jafYYZG8GpK57Tya7HpA1V1/OcEmDHdSQRVcy8
R6TZ7K1mXTF4GqDL8GTRK5sn430efQ9r5KUvFU+J/42mpV6kOasHbUipFhJQ1MVV
ztchyqxCUrtub1Ixs3oAUa7X/dkeScMP1HFPX3/SNP8RZhPnehM6Enb0Wh8H0DLg
Zyjs2cAhH0UCcL+XVT2VVg6UhCcwMwULqFVaizGTONgNLYPUwUA=
=yljb
-----END PGP SIGNATURE-----

--=-HqmND3dOCn/wpek35qNA--