Subject: bug#47222: [Niels Möller] ANNOUNCE: Nettle-3.7.2
From: Mark H Weaver
To: 47222@debbugs.gnu.org
Cc: bug-guix@gnu.org
Date: Sun, 21 Mar 2021 15:47:47 -0400
Message-ID: <875z1kl24h.fsf@netris.org>
In-Reply-To: <87blbhia4i.fsf@netris.org>
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security

-------------------- Start of forwarded message --------------------
From: nisse@lysator.liu.se (Niels Möller)
To: nettle-bugs@lists.lysator.liu.se, info-gnu@gnu.org
Subject: ANNOUNCE: Nettle-3.7.2
Date: Sun, 21 Mar 2021 10:24:11 +0100

I've prepared a new bug-fix release of Nettle, a low-level cryptographic library, to fix a serious bug in the function to verify ECDSA signatures.
Implications include an assertion failure, which could be used for denial-of-service, when verifying signatures on the secp224r1 and secp521r1 curves. More details in NEWS file below. Upgrading is strongly recommended.

The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html.

The release can be downloaded from

  https://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
  ftp://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
  https://www.lysator.liu.se/~nisse/archive/nettle-3.7.2.tar.gz

Regards,
/Niels

NEWS for the Nettle 3.7.2 release

This is a bugfix release, fixing a bug in ECDSA signature verification that could lead to a denial of service attack (via an assertion failure) or possibly incorrect results. It also fixes a few related problems where scalars are required to be canonically reduced modulo the ECC group order, but in fact may be slightly larger. Upgrading to the new version is strongly recommended.

Even when no assert is triggered in ecdsa_verify, ECC point multiplication may get invalid intermediate values as input, and produce incorrect results. It's trivial to construct alleged signatures that result in invalid intermediate values. It appears difficult to construct an alleged signature that makes the function misbehave in such a way that an invalid signature is accepted as valid, but such attacks can't be ruled out without further analysis.

Thanks to Guido Vranken for setting up the fuzzer tests that uncovered this problem.

The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.3 and libhogweed.so.6.3, with sonames libnettle.so.8 and libhogweed.so.6.

Bug fixes:

* Fixed bug in ecdsa_verify, and added a corresponding test case.

* Similar fixes to ecc_gostdsa_verify and gostdsa_vko.

* Similar fixes to eddsa signatures. The problem is less severe for these curves, because (i) the potentially out of range value is derived from output of a hash function, making it harder for the attacker to hit the narrow range of problematic values, and (ii) the ecc operations are inherently more robust, and my current understanding is that unless the corresponding assert is hit, the verify operation should complete with a correct result.

* Fix to ecdsa_sign, which with a very low probability could return out of range signature values, which would be rejected immediately by a verifier.

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.

-------------------- End of forwarded message --------------------
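The advisory's core point is that an ECDSA verifier must treat r and s as canonical scalars in [1, n-1] before they reach any point arithmetic; attacker-supplied values that are congruent to a valid scalar but larger than n (trivially encodable, since DER integers have no fixed width) must be rejected outright, not reduced or passed through. The following is an added illustration written for this page, not Nettle's code and not a reproduction of the failing path in ecdsa_verify. It uses pure-Python NIST P-256 arithmetic rather than the affected secp224r1/secp521r1 curves, a constructed test key and message, and a deliberately unchecked `verify_naive` as a stand-in for the bug class; in that stand-in, a non-canonical s is silently accepted and s ≡ 0 (mod n) surfaces as an uncaught exception, which is the remote-crash shape the NEWS entry describes. `verify_strict` is the range-checked form.

```python
"""Why an ECDSA verifier must reject non-canonical (r, s).

Added illustration for the Nettle 3.7.2 advisory; NOT Nettle code.
Pure-Python NIST P-256, unhardened and not constant time: for reading only.
"""
import hashlib

# NIST P-256 (secp256r1) domain parameters.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def inv(x, m):
    """Modular inverse; raises ValueError when none exists (x ≡ 0 mod m)."""
    return pow(x, -1, m)


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (leaks timing; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg):
    e = hash_to_int(msg)
    # Nonce derived from key and message so the demo repeats. Simplification,
    # not RFC 6979: a real signer uses RFC 6979 or a fresh random k.
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N or 1
    r = mul(k, G)[0] % N
    s = inv(k, N) * (e + r * priv) % N
    assert r and s  # real code retries with a new k
    return (r, s)


def verify_naive(pub, msg, sig):
    """Constructed stand-in for an unchecked verifier (not Nettle's code).

    s goes straight into the inversion: any s with the same residue mod n
    passes, and s ≡ 0 (mod n) raises instead of returning False.
    """
    r, s = sig
    e = hash_to_int(msg)
    w = inv(s, N)
    x = add(mul(e * w % N, G), mul(r * w % N, pub))
    return x is not None and x[0] % N == r


def verify_strict(pub, msg, sig):
    """Correct form: r and s must be canonical, i.e. in [1, n-1]."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    return verify_naive(pub, msg, (r, s))


def demo():
    """Run both verifiers on a valid signature and on two malformed ones."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key, never use").digest(), "big") % N
    pub = mul(priv, G)
    msg = b"nettle-3.7.2.tar.gz"   # constructed sample message
    r, s = sign(priv, msg)
    out = {
        "strict_ok": verify_strict(pub, msg, (r, s)),
        "naive_ok": verify_naive(pub, msg, (r, s)),
        "strict_other_msg": verify_strict(pub, b"tampered", (r, s)),
        # s + n: same residue mod n, outside [1, n-1]; fits in a DER INTEGER.
        "strict_s_plus_n": verify_strict(pub, msg, (r, s + N)),
        "naive_s_plus_n": verify_naive(pub, msg, (r, s + N)),
        # s == n is ≡ 0 mod n: strict rejects; naive has no inverse to compute.
        "strict_s_eq_n": verify_strict(pub, msg, (r, N)),
    }
    try:
        verify_naive(pub, msg, (r, N))
        out["naive_s_eq_n"] = "accepted"
    except ValueError:
        out["naive_s_eq_n"] = "crashed"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The range check is cheap and belongs at the API boundary, before any decoding into limbs or calls into point multiplication; doing it there is what keeps a fuzzer-found input like (r, s + n) from ever reaching code that assumes reduced scalars. The same rule applies to the hash-derived scalars in EdDSA and GOST DSA mentioned in the NEWS entry, even though an attacker has less direct control over those values.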