Bug 673056 (CVE-2018-5407) - <dev-libs/openssl-1.0.2q: side-channel vulnerability (CVE-2018-5407)
Status: RESOLVED FIXED
Alias: CVE-2018-5407
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openssl.org/news/secadv/2...
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-13 05:38 UTC by D'juan McDonald (domhnall)
Modified: 2019-03-14 01:35 UTC

See Also:
Package list:
dev-libs/openssl-1.0.2q
Runtime testing required: ---
stable-bot: sanity-check+


Description D'juan McDonald (domhnall) 2018-12-13 05:38:48 UTC
A microprocessor side-channel vulnerability was found on SMT (e.g., Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information.


references:
https://bugzilla.redhat.com/show_bug.cgi?id=1645695


Gentoo Security Padawan
(domhnall)
Comment 1 Agostino Sarubbo gentoo-dev 2018-12-14 15:38:20 UTC
since the advisory does not mention that, ftr, it is fixed in 1.0.2q
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-28 20:00:21 UTC
hppa stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-28 20:19:44 UTC
amd64 stable
Comment 4 Rolf Eike Beer archtester 2018-12-29 13:01:15 UTC
sparc stable
Comment 5 Matt Turner gentoo-dev 2018-12-29 18:02:31 UTC
alpha stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-29 19:13:37 UTC
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:07:59 UTC
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:21:34 UTC
ppc64 stable
Comment 9 Matt Turner gentoo-dev 2019-01-05 21:11:02 UTC
ppc stable
Comment 10 Mart Raudsepp gentoo-dev 2019-01-06 22:26:46 UTC
arm64 stable
Comment 11 Larry the Git Cow gentoo-dev 2019-01-07 18:44:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=604a6136f50362e5bcfabf4187ea945e2fdb43f3

commit 604a6136f50362e5bcfabf4187ea945e2fdb43f3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-01-07 18:44:35 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-01-07 18:44:35 +0000

    dev-libs/openssl: security cleanup
    
    Bug: https://bugs.gentoo.org/673056
    Package-Manager: Portage-2.3.54, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/openssl/Manifest                 |   5 -
 dev-libs/openssl/openssl-1.0.2p-r1.ebuild | 306 ------------------------------
 2 files changed, 311 deletions(-)
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2019-01-07 18:45:28 UTC
New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2019-03-14 01:35:31 UTC
This issue was resolved and addressed in
 GLSA 201903-10 at https://security.gentoo.org/glsa/201903-10
by GLSA coordinator Aaron Bauman (b-man).