From: Leo Famulari
Subject: OpenSSL / LibreSSL CVE-2016-7056
Date: Tue, 10 Jan 2017 13:16:52 -0500
Message-ID: <20170110181652.GA28153@jasmine>
To: guix-devel@gnu.org

CVE-2016-7056 has been published:

http://seclists.org/oss-sec/2017/q1/52

Quoted from that email:

Attack Vector: Local

Vendor: OpenSSL, LibreSSL, BoringSSL

Versions Affected:
  OpenSSL 1.0.1u and previous versions
  LibreSSL (pre 6.0 errata 16, pre 5.9 errata 33)
  BoringSSL pre November 2015

Description:
The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys.

Mitigation:
Users of OpenSSL with the affected versions should apply the patch available in the manuscript at [1]. Users of LibreSSL should apply the official patch from OpenBSD [2,3]. Users of BoringSSL should upgrade to a more recent version.

Credit:
This issue was reported by Cesar Pereida García and Billy Brumley (Tampere University of Technology).

Timeline:
19 Dec 2016  Disclosure to OpenSSL, LibreSSL, BoringSSL security teams
29 Dec 2016  Embargo lifted

References:
[1] http://ia.cr/2016/1195
[2] https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig
[3] https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig
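The added example below is not part of the message or the advisory, and it is not OpenSSL's code. It illustrates the property the missing BN_FLG_CONSTTIME flag was supposed to guarantee: inverting the ECDSA nonce modulo the P-256 group order with control flow that does not depend on the nonce. A variable-time extended-Euclid inverse (whose iteration count tracks the input) is placed beside a fixed-structure Fermat ladder (the same number of steps for every input). The Fermat ladder is one common constant-time technique, not a claim about which algorithm OpenSSL's secure path uses; the P-256 order is the standard constant, and the sample nonces are constructed. Python big integers are not constant-time at the machine level, so only the shape of the computation is being shown.

```python
# Added illustration, not from the advisory or from OpenSSL: why the nonce
# inversion must run on a code path whose work does not depend on the nonce.
# A variable-time extended-Euclid inverse is contrasted with a fixed-structure
# Fermat inverse. Python ints are not constant-time at the machine level, so
# only the control-flow shape is demonstrated; the algorithms are illustrative,
# not OpenSSL's BN_mod_inverse implementation.

# Group order n of NIST P-256 (a prime), the modulus used when an ECDSA
# signer inverts its nonce k to compute s = k^-1 (h + r*d) mod n.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def inverse_variable_time(k, n):
    """Extended Euclidean inverse of k mod n.

    Returns (k^-1 mod n, loop_iterations). The iteration count, and with it
    the branch and memory-access pattern, depends on k. When k is a secret
    nonce, that input-dependent behaviour is what a local cache-timing
    observer measures.
    """
    old_r, r = k % n, n
    old_s, s = 1, 0
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    if old_r != 1:
        raise ValueError("k is not invertible mod n")
    return old_s % n, steps


def inverse_fixed_time(k, n, bits=256):
    """Fermat inverse k^(n-2) mod n (valid because n is prime).

    Returns (k^-1 mod n, loop_iterations). The ladder always runs `bits`
    iterations, always performs the same square and multiply, and picks the
    result with an arithmetic mask instead of a branch, so the sequence of
    operations is the same for every k.
    """
    exponent = n - 2
    result = 1
    base = k % n
    steps = 0
    for i in range(bits - 1, -1, -1):
        result = (result * result) % n
        candidate = (result * base) % n
        bit = (exponent >> i) & 1
        mask = -bit  # 0 when bit == 0, all ones (-1) when bit == 1
        result = (candidate & mask) | (result & ~mask)
        steps += 1
    return result, steps


def compare_inversions(nonces, n=P256_ORDER):
    """Invert each nonce both ways.

    Returns (all_correct, variable_step_counts, fixed_step_counts): whether
    both methods agree and verify (k * k^-1 == 1 mod n), plus the per-nonce
    iteration counts so the two behaviours can be compared side by side.
    """
    all_correct = True
    var_steps, fixed_steps = [], []
    for k in nonces:
        inv_v, sv = inverse_variable_time(k, n)
        inv_f, sf = inverse_fixed_time(k, n)
        all_correct = all_correct and inv_v == inv_f and (inv_v * k) % n == 1
        var_steps.append(sv)
        fixed_steps.append(sf)
    return all_correct, var_steps, fixed_steps


if __name__ == "__main__":
    # Constructed sample nonces: a few small values and one full-size value.
    sample = [1, 2, 3, 0x7FFFFFFF, (1 << 200) + 12345]
    ok, var_steps, fixed_steps = compare_inversions(sample)
    print("inverses agree and verify:", ok)
    print("extended-Euclid iterations per nonce:", var_steps)
    print("fixed-ladder iterations per nonce:  ", fixed_steps)
```

Running it shows the extended-Euclid iteration counts changing from nonce to nonce while the ladder reports 256 for every input; that invariance is the defender's check for any secret-dependent modular inverse, whether it is enforced by a flag such as BN_FLG_CONSTTIME or by the choice of algorithm.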