Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553808 (CVE-2015-2141) - <dev-libs/crypto++-5.6.2-r2: private key disclosure via timing attack (CVE-2015-2141)
Summary: <dev-libs/crypto++-5.6.2-r2: private key disclosure via timing attack (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2015-2141
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-02 18:54 UTC by Sam James
Modified: 2015-11-09 21:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-02 18:54:31 UTC
From URL:
----
The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack.
----
https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff
http://sourceforge.net/p/cryptopp/code/542/

Reproducible: Always
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2015-07-02 19:14:15 UTC
added: crypto++-5.6.2-r2
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 20:07:16 UTC
@Maintainers: is -r2 ready for stabilisation?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 20:07:29 UTC
@Maintainers: is -r2 ready for stabilisation?
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2015-07-05 20:14:42 UTC
(In reply to stanley - Security Padawan from comment #3)
> @Maintainers: is -r2 ready for stabilisation?

r2 differs from r1 only by the fix for this CVE.

feel free to stabilize.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-07 04:26:52 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-10 06:58:58 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-10 06:59:26 UTC
x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 18:54:01 UTC
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:28 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-07-23 09:39:43 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Manuel Rüger (RETIRED) gentoo-dev 2015-08-27 23:59:06 UTC
Vulnerable removed.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:48:39 UTC
Vote: no.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-09 21:56:21 UTC
GLSA Vote: No