Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 416399 (CVE-2012-2130)

Summary: <net-libs/polarssl-1.1.3: Weak key generation (CVE-2012-2130)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: tommy
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://polarssl.org/trac/wiki/SecurityAdvisory201201
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2012-05-17 14:40:56 UTC 
From the upstream advisory at $URL:

During code migration a bug was introduced in PolarSSL 0.99-pre4. As a result the generation of Diffie Hellman value X is weak on the client and server. Only a part of the value X is filled with random data, instead of the whole value. (Determined by the server Diffie Hellman parameters). In addition, MPI primes are only generated within a limited subspace of the full prime space. Again only a part of the prime is filled with random data, instead of the whole value.

Impact

When a weak X is generated the resulting Diffie Hellman key exchange is weaker. This makes it easier for an attacker to brute force the private value and thus the master secret. When the master secret is known, an attacker is able to modify and read all data in the secure channel.

MPI primes generated with mpi_gen_prime() are less secure. If rsa_gen_key() was used to generate RSA keys with PolarSSL, these keys are less secure as well. This only affects keys / primes generated within affected versions of PolarSSL, not keys generated in older versions or imported keys.

Resolution

PolarSSL version 1.1.2 contains a fix for the bug and generates full-size values of X and primes.

If you generated primes or RSA keys from within PolarSSL, re-generate and replace those primes / keys.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-05-17 14:44:28 UTC 
Thomas, thanks for the heads up and ack via IRC.

Arches, please test and mark stable:
=net-libs/polarssl-1.1.3
Target keywords : "amd64 hppa ppc ppc64 x86"
Comment 2 Michael Harrison 2012-05-18 19:47:54 UTC 
amd64 ok
Comment 3 Agostino Sarubbo gentoo-dev 2012-05-19 14:03:24 UTC 
amd64 stable
Comment 4 Mark Loeser (RETIRED) gentoo-dev 2012-05-20 07:07:27 UTC 
ppc/ppc64 done
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-21 04:24:26 UTC 
Stable for HPPA.
Comment 6 Johannes Huber (RETIRED) gentoo-dev 2012-05-21 22:19:43 UTC 
x86 stable
Comment 7 Thomas Sachau gentoo-dev 2012-05-22 21:15:56 UTC 
old versions removed, so all should be done on ebuild side
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-05-23 02:57:07 UTC 
Thanks, everyone. GLSA Vote: yes.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-11 19:45:33 UTC 
GLSA vote: yes.

Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-10-17 09:03:25 UTC 
This issue was resolved and addressed in
 GLSA 201310-10 at http://security.gentoo.org/glsa/glsa-201310-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).