From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:bcc0::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id OPH+E7e4XGCmGwAAgWs5BA (envelope-from ) for ; Thu, 25 Mar 2021 17:22:15 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id 0PuhD7e4XGAnIwAAbx9fmQ (envelope-from ) for ; Thu, 25 Mar 2021 16:22:15 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id A85C212FA7 for ; Thu, 25 Mar 2021 17:22:14 +0100 (CET) Received: from localhost ([::1]:52050 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lPSkP-0007LE-Nw for larch@yhetil.org; Thu, 25 Mar 2021 12:22:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:54868) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPSkE-0007JJ-KT for bug-guix@gnu.org; Thu, 25 Mar 2021 12:22:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:56110) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lPSkE-0006Jh-C2 for bug-guix@gnu.org; Thu, 25 Mar 2021 12:22:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lPSkE-00049x-8h for bug-guix@gnu.org; Thu, 25 Mar 2021 12:22:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47222: Serious bug in Nettle's ecdsa_verify Resent-From: nisse@lysator.liu.se (Niels =?UTF-8?Q?M=C3=B6ller?=) Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 25 Mar 2021 16:22:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47222 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 47222-submit@debbugs.gnu.org id=B47222.161668930515967 (code B ref 47222); Thu, 25 Mar 2021 16:22:02 +0000 Received: (at 47222) by debbugs.gnu.org; 25 Mar 2021 16:21:45 +0000 Received: from localhost ([127.0.0.1]:39423 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPSjx-00049T-Ck for submit@debbugs.gnu.org; Thu, 25 Mar 2021 12:21:45 -0400 Received: from mail.lysator.liu.se ([130.236.254.3]:53475) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPSjv-00049K-9W for 47222@debbugs.gnu.org; Thu, 25 Mar 2021 12:21:43 -0400 Received: from mail.lysator.liu.se (localhost [127.0.0.1]) by mail.lysator.liu.se (Postfix) with ESMTP id 9EC6040008; Thu, 25 Mar 2021 17:21:41 +0100 (CET) Received: from slartibartfast.lysator.liu.se (slartibartfast.lysator.liu.se [IPv6:2001:6b0:17:f0a0::df]) by mail.lysator.liu.se (Postfix) with SMTP id 6250E40004; Thu, 25 Mar 2021 17:21:40 +0100 (CET) Received: by slartibartfast.lysator.liu.se (sSMTP sendmail emulation); Thu, 25 Mar 2021 17:21:40 +0100 From: nisse@lysator.liu.se (Niels =?UTF-8?Q?M=C3=B6ller?=) References: <875z1kl24h.fsf@netris.org> <87h7kzblxk.fsf_-_@gnu.org> Date: Thu, 25 Mar 2021 17:21:40 +0100 In-Reply-To: <87h7kzblxk.fsf_-_@gnu.org> ("Ludovic =?UTF-8?Q?Court=C3=A8s?="'s message of "Thu, 25 Mar 2021 10:51:51 +0100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: ClamAV using ClamSMTP X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: 47222@debbugs.gnu.org, nettle-bugs@lists.lysator.liu.se Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616689334; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=Pc2miLbGd9h8Xx4vjlPorWL7KB9e7Eir1yqI+G0GK70=; b=NcDZV+z5kIroWWeZXNT73COsqZ4xubbz1K6IZji6M+yamScshe37kxgv7bHurmZkfxTEvb ITvxuZ6sFze1A9acSZzb6gAUbSkImVUg9ZJvmOA27B2EKfHoQOtDjl1riG3nBbrblA6dPM X5pTPs/mnkLE1wxWLISHTFng8zQ13KMqa0sSy3rzUF4lfIFQ+fmqHV8At+2nYqoLefQY6l vb8MbXP947tYl2ZTQMq39iowGK8fhvzdUJhd0S1JIDngrtGYDXb22a3tLAKm3aGsDTu52y 6oNfGclPJ891kP+OcHSErfnZftxsLN3QH0fG0kN9WZX1P1f5jtTFis1rMnWq0g== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616689334; a=rsa-sha256; cv=none; b=gS+QK7uizL8X387HyWtS8zZ+Qe2blM5eWUWPbZXUJpxvgB7751qA1l5RunCH6F+5css/+t qvQSAztNKi0y+o0/QXjqZaJXyGTtuZakny6kLaxaqUNoKTNkmgQT1conCXr7tBVw2iE3Uj 2PJgBqy9v3jXfM+fyfShV1CySLOuOoYScQrBfeIgseDbrk8WHBpepaAACWmhRGDs7sxNRm P/SNfXSVjNk0YVblQkx8v2XRsa4LrxmycE4xz5wlQm+1PkkAKnS9kXCKpXmi8QTnC5P+67 jBCMx3BMlCMcyQx6gq2j0dbMPK6L1J5dKSeHyX1yuGbQPnJw6+gwz9em3141mA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=liu.se (policy=none); spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -2.32 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=liu.se (policy=none); spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: A85C212FA7 X-Spam-Score: -2.32 X-Migadu-Scanner: scn0.migadu.com X-TUID: ZMPKR9FBqYDE Ludovic Court=C3=A8s writes: > Are there plans to make a new 3.5 release including these fixes? No, I don't plan any 3.5.x release. > Alternatively, could you provide guidance as to which commits should be > cherry-picked in 3.5 for downstream distros? Look at the branch release-3.7-fixes (https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/). The commits since 3.7.1 are the ones you need. Changes to gostdsa and ed448 will not apply, since those curves didn't exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to refactoring when adding ed448. > I=E2=80=99m asking because in Guix, the easiest way for us to deploy the = fixes > on the =E2=80=98master=E2=80=99 branch would be by =E2=80=9Cgrafting=E2= =80=9D a new Nettle variant > ABI-compatible with 3.5.1, which is the one packages currently depend on. I still recommend upgrading to the latest version. There were an abi break in 3.6 (so you'd need to recompile lots of guix packages), but no incompatible changes to the (source level) api. Regards, /Niels --=20 Niels M=C3=B6ller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.