Bug 487170 (CVE-2013-5915) - <net-libs/polarssl-1.3.0: Information disclosure of RSA private keys (CVE-2013-5915)
Status: RESOLVED FIXED
Alias: CVE-2013-5915
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://polarssl.org/tech-updates/sec...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 487432
Blocks:
Reported: 2013-10-07 00:12 UTC by GLSAMaker/CVETool Bot
Modified: 2013-11-22 17:54 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-07 00:12:12 UTC
CVE-2013-5915 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5915):
  The RSA-CRT implementation in PolarSSL before 1.2.9 does not properly
  perform Montgomery multiplication, which might allow remote attackers to
  conduct a timing side-channel attack and retrieve RSA private keys.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-10-07 15:02:25 UTC
Versions prior to PolarSSL 1.2.9 and 1.3.0 are affected.

PolarSSL recommends upgrading to 1.3.0 (in URL): "We strongly advise you to consider upgrading to the 1.3 branch if outside parties are present or can connect to your network."
Comment 2 Thomas Sachau gentoo-dev 2013-10-07 18:16:47 UTC
polarssl-1.3.0 added
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2013-10-08 16:20:20 UTC
Thomas are you ready to stabilize 1.3.0?
Comment 4 Thomas Sachau gentoo-dev 2013-10-08 17:56:40 UTC
arches, please stabilize:

=net-libs/polarssl-1.3.0

target keywords="amd64 arm hppa ppc ppc64 ~s390 sparc x86 ~amd64-fbsd ~x86-fbsd"
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-09 05:45:17 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-10-09 11:17:11 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-09 11:19:11 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-09 17:11:00 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-13 10:32:23 UTC
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-13 13:20:37 UTC
Stable for HPPA.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-13 15:36:28 UTC
Added to existing GLSA draft, should be ready to send after this bug is [glsa].
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-14 06:17:03 UTC
ppc stable
Comment 13 Thomas Sachau gentoo-dev 2013-10-14 17:03:06 UTC
old version removed
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-10-17 09:03:33 UTC
This issue was resolved and addressed in
 GLSA 201310-10 at http://security.gentoo.org/glsa/glsa-201310-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 15 Julian Ospald 2013-11-22 13:57:38 UTC
You broke a stable reverse dep (media-sound/umurmur) and did not notify me about this.

Do people still not test reverse deps of libraries? Sure, this is a security bug. But there would have been a solution, like masking the "polarssl" USE flag in media-sound/umurmur.