From: Leo Famulari
Subject: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Thu, 14 Jun 2018 15:22:11 -0400
Message-ID: <20180614192211.GA21522@jasmine.lan>
To: 31831@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

Recently a new side-channel key extraction technique was published as
CVE-2018-0495, and it affects a lot of the cryptographic libraries we
package:

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/?style=Cyber+Security

An excerpt from that advisory:

------
We analyzed the source code of several open source cryptographic
libraries to see if they contain the vulnerable code pattern in the code
for ECDSA, DSA, or both. This list is accurate to the best of our
knowledge, but it is not exhaustive. Only the first group was affected by
this finding; the other three groups are not thought to be vulnerable.

Contains vulnerable pattern: CryptLib (Both), LibreSSL (Both), Mozilla
NSS (Both), Botan (ECDSA), OpenSSL (ECDSA), WolfCrypt (ECDSA), Libgcrypt
(ECDSA), LibTomCrypt (ECDSA), LibSunEC (ECDSA), MatrixSSL (ECDSA),
BoringSSL (DSA)

Non-constant math, but different pattern: BouncyCastle, Crypto++, Golang
crypto/tls, C#/Mono, mbedTLS, Trezor Crypto, Nettle (DSA)

Constant-time math: Nettle (ECDSA), BearSSL, Libsecp256k1

Does not implement either: NaCl
------

Note that libtomcrypt is bundled in the Dropbear SSH implementation.

I'm going to test the libgcrypt update now.

I'd like for other Guix hackers to "claim" an affected package in this
thread, and then investigate and test the fixes. Please make new debbugs
tickets on guix-patches for each bug-fix patch you propose, and send the
links to those tickets here.
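For readers of this ticket who want to see what "the vulnerable code pattern" in the advisory's first group looks like, here is an added illustration. It is not code from the message above, from the NCC advisory, or from any of the libraries listed; it is a toy model of the pattern: a left-to-right scalar loop that starts at the nonce's highest set bit, so the amount of work done (here counted as loop iterations; in a real library, cache or timing behaviour an attacker can observe) equals the nonce's bit length and therefore reveals how many leading zero bits the per-signature nonce k has. Partial nonce bits gathered across many signatures are what a hidden-number-problem lattice attack consumes to recover the long-term key. The hardened variant pads k with the group order so the loop length is constant. Assumptions: the toy group is the full multiplicative group modulo the Mersenne prime p = 2**61 - 1, so g**q == 1 (mod p) for q = p - 1 by Fermat's little theorem; real DSA/ECDSA use a prime-order subgroup or curve group, but the nonce-length argument is the same. Names such as `leaky_scalar_mul` and `fixed_length_nonce` are this example's own.

```python
# Added illustration of the CVE-2018-0495 code pattern; not code from the
# advisory or any library it names. Toy parameters (assumption): full
# multiplicative group mod the Mersenne prime P, so g**Q == 1 mod P for Q = P-1.

P = 2**61 - 1   # prime modulus (Mersenne prime M61)
Q = P - 1       # exponent group order: g**Q == 1 (mod P) for every 0 < g < P
G = 3           # any base works for the nonce-length argument


def leaky_scalar_mul(g, k, p):
    """Left-to-right square-and-multiply starting at the top set bit of k.

    Returns (g**k mod p, iterations).  iterations == k.bit_length(), so an
    observer of the loop length learns how many leading zero bits k has.
    This is the vulnerable pattern: work depends on the secret nonce.
    """
    acc = 1
    iterations = 0
    for i in range(k.bit_length() - 1, -1, -1):
        acc = (acc * acc) % p
        if (k >> i) & 1:
            acc = (acc * g) % p
        iterations += 1
    return acc, iterations


def fixed_length_nonce(k, q):
    """Return k' = k + q or k + 2q, chosen so k' has exactly q.bit_length() + 1 bits.

    Because g**q == 1, g**k' == g**k, but the loop no longer starts at a
    position that depends on k.  This is the shape of the fix several
    libraries adopted: pad the nonce to a constant bit length.
    """
    k2 = k + q
    if k2.bit_length() <= q.bit_length():
        k2 += q
    assert k2.bit_length() == q.bit_length() + 1
    return k2


def hardened_scalar_mul(g, k, p, q):
    """Same loop, but fed a nonce padded to constant bit length."""
    return leaky_scalar_mul(g, fixed_length_nonce(k, q), p)


def leaked_leading_zero_bits(iterations, q):
    """What a side channel that observes only the loop length tells the attacker."""
    return q.bit_length() - iterations


def recover_private_key(h, r, s, k, q):
    """DSA/ECDSA signing computes s = k^-1 (h + r d) mod q, hence d = r^-1 (s k - h) mod q.

    With the nonce fully known the key falls out directly; with only the top
    bits of k known for many signatures, the lattice attack in the advisory
    finishes the job.  q must be prime here so the inverses exist.
    """
    return (pow(r, -1, q) * (s * k - h)) % q


def demo():
    # Constructed nonces with 0, 5 and 20 leading zero bits below Q's width.
    for k in (Q - 1, Q >> 5, Q >> 20):
        y, n_leaky = leaky_scalar_mul(G, k, P)
        y2, n_fixed = hardened_scalar_mul(G, k, P, Q)
        assert y == y2 == pow(G, k, P)
        print(f"leaky loop: {n_leaky:2d} iterations -> attacker learns "
              f"{leaked_leading_zero_bits(n_leaky, Q):2d} leading zero bits; "
              f"hardened loop: {n_fixed} iterations (constant)")


if __name__ == "__main__":
    demo()
```

The padding trick only removes the bit-length leak; the branch on each bit of k inside the loop is still data-dependent, which is why the advisory separately distinguishes libraries with "non-constant math, but different pattern" from genuinely constant-time implementations.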