Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 553808 (CVE-2015-2141)

Summary: <dev-libs/crypto++-5.6.2-r2: private key disclosure via timing attack (CVE-2015-2141)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alonbl, crypto+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2141
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-02 18:54:31 UTC 
From URL:
----
The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack.
----
https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff
http://sourceforge.net/p/cryptopp/code/542/

Reproducible: Always
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2015-07-02 19:14:15 UTC 
added: crypto++-5.6.2-r2
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 20:07:16 UTC 
@Maintainers: is -r2 ready for stabilisation?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 20:07:29 UTC 
@Maintainers: is -r2 ready for stabilisation?
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2015-07-05 20:14:42 UTC 
(In reply to stanley - Security Padawan from comment #3)
> @Maintainers: is -r2 ready for stabilisation?

r2 differs from r1 only by the fix for this CVE.

feel free to stabilize.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-07 04:26:52 UTC 
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-10 06:58:58 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-10 06:59:26 UTC 
x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 18:54:01 UTC 
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:28 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-07-23 09:39:43 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Manuel RĂ¼ger (RETIRED) gentoo-dev 2015-08-27 23:59:06 UTC 
Vulnerable removed.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:48:39 UTC 
Vote: no.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-09 21:56:21 UTC 
GLSA Vote: No