Bug 918663 (CVE-2023-5981) - <net-libs/gnutls-3.8.2: timing sidechannel in RSA-PSK key exchange
Summary: <net-libs/gnutls-3.8.2: timing sidechannel in RSA-PSK key exchange
Status: IN_PROGRESS
Alias: CVE-2023-5981
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa cleanup]
Keywords:
Depends on: 940086
Blocks:
Reported: 2023-11-27 15:19 UTC by Christopher Fore
Modified: 2024-11-03 02:15 UTC

See Also:
Package list:
Runtime testing required: ---
Description Christopher Fore 2023-11-27 15:19:24 UTC
CVE-2023-5981 (https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23):

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is affected. The issue was reported in the issue tracker as #1511.
Recommendation: To address the issue found, upgrade to GnuTLS 3.8.2 or later versions.
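The mitigation pattern for this class of bug, as an added example that is not GnuTLS's code: a constant-time PKCS#1 v1.5 premaster-secret decode that inspects every byte of the block on every call and swaps in a caller-supplied random fallback when the padding is malformed, so valid and invalid ciphertexts take the same code path (the RFC 5246 7.4.7.1 approach). PMS_LEN, the helper names and the k = 128 test vectors are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>
#define PMS_LEN 48  /* TLS premaster secret length (RFC 5246 7.4.7.1) */

/* Constant-time primitives: no data-dependent branches; a, b < 2^31. */
static uint32_t ct_is_zero(uint32_t x) { return ((x | (0u - x)) >> 31) ^ 1u; }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b); }
static uint32_t ct_lt(uint32_t a, uint32_t b) { return (a - b) >> 31; }
static uint8_t ct_select(uint32_t bit, uint8_t a, uint8_t b) {
    uint8_t m = (uint8_t)(0u - bit);          /* 0xFF when bit==1, else 0x00 */
    return (uint8_t)((a & m) | (b & (uint8_t)~m));
}

/* Decodes the 48-byte premaster secret from a k-byte PKCS#1 v1.5 type-2
 * block (00 02 PS 00 M). Every byte is inspected and `out` is always written,
 * so timing does not reveal whether the padding was valid; on failure `out`
 * receives `fallback` (caller-supplied random bytes). Returns 1 if valid. */
int ct_pkcs1_v15_decode_pms(const uint8_t *em, size_t k,
                            const uint8_t fallback[PMS_LEN], uint8_t out[PMS_LEN])
{
    if (k < PMS_LEN + 11 || k > 0x7fffffffu) {  /* k is public (modulus size) */
        memcpy(out, fallback, PMS_LEN);
        return 0;
    }
    uint32_t sep = (uint32_t)(k - PMS_LEN - 1);   /* index of the 0x00 separator */
    uint32_t good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    for (uint32_t i = 2; i < (uint32_t)k; i++) {
        uint32_t z = ct_is_zero(em[i]);
        good &= ~(ct_lt(i, sep) & z) & 1u;        /* no zero byte inside PS  */
        good &= ~(ct_eq(i, sep) & (z ^ 1u)) & 1u; /* separator must be zero  */
    }
    for (size_t i = 0; i < PMS_LEN; i++)          /* branch-free copy        */
        out[i] = ct_select(good, em[k - PMS_LEN + i], fallback[i]);
    return (int)good;
}

/* Self-check on constructed vectors (k = 128): the valid block decodes to its
 * payload; a wrong block type and a zero inside PS both yield the fallback. */
int ct_pkcs1_selfcheck(void)
{
    uint8_t em[128], fb[PMS_LEN], out[PMS_LEN];
    memset(em, 0x01, sizeof em); em[0] = 0x00; em[1] = 0x02; em[79] = 0x00;
    for (int i = 0; i < PMS_LEN; i++) em[80 + i] = (uint8_t)(0xC0 + i);
    memset(fb, 0xAA, sizeof fb);
    int ok = ct_pkcs1_v15_decode_pms(em, 128, fb, out) == 1 && !memcmp(out, em + 80, PMS_LEN);
    em[1] = 0x01;                                 /* wrong block type        */
    ok &= ct_pkcs1_v15_decode_pms(em, 128, fb, out) == 0 && !memcmp(out, fb, PMS_LEN);
    em[1] = 0x02; em[5] = 0x00;                   /* zero inside PS          */
    ok &= ct_pkcs1_v15_decode_pms(em, 128, fb, out) == 0 && !memcmp(out, fb, PMS_LEN);
    return ok;
}
```

The return value of the decode must itself be consumed in constant time by the caller; the TLS version check on the first two premaster bytes is folded into `good` the same way.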
Comment 1 Sam James 2023-11-28 07:53:24 UTC
Please only put versions in the summary (title) if they're in tree - we put the first fixed version in tree in the title.

3.8.2 is not yet in tree because of https://gitlab.com/gnutls/web-pages/-/issues/6.

Please also remember to CC maintainers of the package.
Comment 2 Larry the Git Cow 2023-12-02 07:13:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61c319b35bf216baaaff57eb1aac7bfa6fc1fe20

commit 61c319b35bf216baaaff57eb1aac7bfa6fc1fe20
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-02 06:14:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-02 07:10:15 +0000

    net-libs/gnutls: add 3.8.2
    
    Bug: https://bugs.gentoo.org/918663
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   2 +
 net-libs/gnutls/gnutls-3.8.2.ebuild | 142 ++++++++++++++++++++++++++++++++++++
 2 files changed, 144 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1061fd37f9491f2601a8b5b6c92ffc3a2f42d7c9

commit 1061fd37f9491f2601a8b5b6c92ffc3a2f42d7c9
Author:     Eli Schwartz <eschwartz93@gmail.com>
AuthorDate: 2023-11-30 04:16:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-02 07:10:14 +0000

    sec-keys/openpgp-keys-gnutls: add 20231129
    
    Pull updates of Daiki Ueno's key from the keyservers. The copy uploaded
    to the website is expired, so we merge the website copy and the single
    updated key together.
    
    Unblocks packaging of the recent gnutls update.
    
    Bug: https://gitlab.com/gnutls/web-pages/-/issues/6
    Bug: https://bugs.gentoo.org/918663
    Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 sec-keys/openpgp-keys-gnutls/Manifest              |  2 ++
 .../openpgp-keys-gnutls-20231129.ebuild            | 30 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)