From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple
	Crypto Libraries
Date: Mon, 16 Jul 2018 13:39:29 -0400
Message-ID: <20180716173929.GA24955@jasmine.lan>
References: <20180614195049.GB4039@jasmine.lan>
	<20180716062034.GA3973@jasmine.lan>
	<CAE4v=pi3GY239AEQYS4MmYgjBo-kHoA3+gx5TN009fcR_gmneQ@mail.gmail.com>
	<20180716171430.GA20978@jasmine.lan>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="azLHFNyN32YCQGCU"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34673)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ff7Tk-0000PN-0b
	for bug-guix@gnu.org; Mon, 16 Jul 2018 13:40:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ff7Tf-00045d-2y
	for bug-guix@gnu.org; Mon, 16 Jul 2018 13:40:08 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:38976)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1ff7Te-00045P-P4
	for bug-guix@gnu.org; Mon, 16 Jul 2018 13:40:03 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ff7Te-0003k9-CP
	for bug-guix@gnu.org; Mon, 16 Jul 2018 13:40:02 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.31831.B31831.153176277514348@debbugs.gnu.org>
Content-Disposition: inline
In-Reply-To: <20180716171430.GA20978@jasmine.lan>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: =?UTF-8?Q?G=C3=A1bor?= Boskovits <boskovits@gmail.com>
Cc: 31831@debbugs.gnu.org


--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> libtomcrypt version 1.18.2 includes a fix; we would need to adapt this
> to the bundled copy in Dropbear. I can take a look at this today.

Dropbear's bundled libtomcrypt includes a variety of whitespace and
comment changes that make it non-trivial to compare the actual
differences between the codebases.

I'm not going to work on adapting the upstream patch for Dropbear, but
of course others are welcome to do it :) Otherwise I assume the Dropbear
team will include the fixes whenever they make a new release.

--azLHFNyN32YCQGCU
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAltM2FEACgkQJkb6MLrK
fwhGjQ/+NKYomgpvn8e7q1b3LzFIDP3FcBc9512hNfFwEkY+i40IAD3bvB+W5+MI
kMTiFW2PX+7lILJnuPehwIrFTiy1FptAYNlhPbx/E/iEgrjOtj526L+acHYdNSoU
SU+abzLbkcxhes8FM5rMCDmB6YKy/bCaomo3sWKuwGtpSPqFlpbSpRVjWOkwi1Nl
bHMD/hOPsbmbILYbpfDVKzTuWS8jPeTb00QpJyWjnNZ2IkD+ORhiQ6KnntlzK8Gr
LIHJflM7YPq1y4DFHPdjAHYorVlO7Zl1Z04q2/bRBvE4ASuGbiQuAyxf29IBnW+E
HUuSauz/n5qs9C3+yIgBkvjphowoXeJ0zYouW6SxyzcyFBMpvoXO1Ehk8JjajCNx
g1o8kR45QUjsbZ7sA7RwfsKeTrBzSgzhmQy3A0Fc9zG/jYySL9o6RMmv8U5Pqz5K
a0bVqKIMBD99pEGO5bvKgLv1iFFGf6BQocF4rU2UXXTc0If3MLd3mRqPShjFGQju
3AvuapupFw8aLIfTzsmZcMdtT4PSK3lWybfISoE62E2pbyxYm5iyQwfeo68tM3lw
oNPb+TmtuELjeolmZHjiO2nQQfHihCjCkvCMuYUnh7GZsxjh4aR6bpBud34j9Ya7
NEBKnR/MCvCEdJdgcuWxzBH+vAZiMMmrrmTRrGktOr9uyHr32gc=
=ZdMv
-----END PGP SIGNATURE-----

--azLHFNyN32YCQGCU--