Bug 573646 (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805)

Summary: <dev-libs/nettle-3.2: Miscalculations of elliptic curve multiplications (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal CC: alonbl, crypto+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description | Flags
nettle-3.2.ebuild | none
nettle-3.2.ebuild.diff | none

Description Hanno Böck gentoo-dev 2016-02-02 09:58:20 UTC
See
https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html

Three bugs in the ecc code have been fixed in nettle 3.2 that could lead to wrong results on ecc point/scalar multiplications.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-03 13:32:26 UTC
Created attachment 424538 [details]
nettle-3.2.ebuild

Ebuild for nettle-3.2 bumped to EAPI-6

Please check this ebuild thoroughly as I am neither very familiar with EAPI-6 nor with the involved multilib eclasses.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-03 13:34:13 UTC
Created attachment 424540 [details, diff]
nettle-3.2.ebuild.diff

Diff between nettle-3.1.1 ebuild and the attached one.
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 13:38:59 UTC
What is the purpose of EAPI-6? We won't be able to stabilize it.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-03 14:17:33 UTC
(In reply to Alon Bar-Lev from comment #3)
> What is the purpose of EAPI-6? We won't be able to stabilize it.

EAPI 6 can be stabilized since portage 2.2.26 went stable on 2016-01-17
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:45:50 UTC
Thanks! I did not know that.
Comment 6 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:47:06 UTC
Oops... this is a security bug.
Comment 7 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:47:35 UTC
Version bump completed.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-04 11:30:01 UTC
(In reply to Alon Bar-Lev from comment #7)
> Version bump completed.

Thank you.

Arches, please stabilize
=dev-libs/nettle-3.2
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-02-04 12:05:43 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2016-02-04 16:05:38 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-02-04 16:06:04 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-05 05:48:37 UTC
Stable for PPC64.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-05 05:59:09 UTC
Stable for HPPA.
Comment 14 Markus Meier gentoo-dev 2016-02-14 17:22:46 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-03-16 12:06:23 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-03-19 11:38:57 UTC
sparc stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-03-20 12:02:38 UTC
ia64 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 18 Alon Bar-Lev (RETIRED) gentoo-dev 2016-06-04 19:16:42 UTC
Cleaned up.