
Bug 581324 (CVE-2016-2849, CVE-2016-2850)

Summary: <dev-libs/botan-{1.10.13,1.11.29}: two vulnerabilities (CVE-2016-2849,2850)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: alonbl, crypto+disabled, lloyd, proxy-maint
Priority: Normal
Flags: kensington: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-04-27 08:26:13 UTC
From ${URL} :

The following issues were fixed in the 1.11.29 release of botan:

(CVE-2016-2849): ECDSA side channel

ECDSA (and DSA) signature algorithms perform a modular inverse on the signature nonce k. The modular inverse algorithm used had input dependent loops, and it is possible a side channel attack could recover sufficient information about the nonce to eventually recover the ECDSA secret key. Found by Sean Devlin.

Introduced in 1.7.15, fixed in 1.11.29

2016-03-17 (CVE-2016-2850): Failure to enforce TLS policy

TLS v1.2 allows negotiating which signature algorithms and hash functions each side is willing to accept. However received signatures were not actually checked against the specified policy. This had the effect of allowing a server to use an MD5 or SHA-1 signature, even though the default policy prohibits it. The same issue affected client cert authentication.

The TLS client also failed to verify that the ECC curve the server chose to use was one which was acceptable by the client policy.

Introduced in 1.11.0, fixed in 1.11.29


Upstream patches:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
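As an added illustration of the policy gap behind CVE-2016-2850 (this is not Botan's code; the names Policy, check_signature_scheme, check_curve and accept_server_key_exchange are hypothetical, and the policy contents are constructed), a minimal model of the client-side checks a TLS 1.2 implementation must apply to the signature scheme and ECC curve the peer actually used, rather than only to what it advertised:

```python
class PolicyViolation(Exception):
    """The peer chose something outside the local policy: a fatal handshake error."""


class Policy:
    """Hypothetical local TLS policy: what we offer and must also enforce on receipt."""

    def __init__(self, hashes, sig_methods, curves):
        self.hashes = frozenset(hashes)
        self.sig_methods = frozenset(sig_methods)
        self.curves = frozenset(curves)


# Constructed default policy: MD5 and SHA-1 are deliberately absent.
DEFAULT_POLICY = Policy(
    hashes=("SHA-512", "SHA-384", "SHA-256"),
    sig_methods=("ECDSA", "RSA"),
    curves=("secp521r1", "secp384r1", "secp256r1"),
)


def check_signature_scheme(policy, hash_algo, sig_method):
    """Enforce the policy on the (hash, signature method) pair the peer used.
    Skipping this is the CVE-2016-2850 bug: a valid MD5 or SHA-1 signature was
    accepted although never offered. The same check applies to CertificateVerify."""
    if hash_algo not in policy.hashes:
        raise PolicyViolation("hash %s not allowed by policy" % hash_algo)
    if sig_method not in policy.sig_methods:
        raise PolicyViolation("signature method %s not allowed by policy" % sig_method)
    return True


def check_curve(policy, curve):
    """Enforce the policy on the ECC curve the server picked in ServerKeyExchange."""
    if curve not in policy.curves:
        raise PolicyViolation("curve %s not allowed by policy" % curve)
    return True


def accept_server_key_exchange(policy, curve, hash_algo, sig_method, sig_valid):
    """Client-side handling with both checks in place; sig_valid stands in for
    cryptographic verification. Policy is checked first, so a valid signature
    over a forbidden scheme is still a fatal error."""
    check_curve(policy, curve)
    check_signature_scheme(policy, hash_algo, sig_method)
    if not sig_valid:
        raise ValueError("signature did not verify")
    return True
```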
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2016-06-04 19:35:55 UTC
botan-1.11.29 in tree.
Lots of changes, we will have to wait for a while before stabilize.
Comment 2 Thomas Deutschmann gentoo-dev 2016-11-21 13:29:28 UTC
@ Maintainer(s): Can we please get a status update? The mask from 2013-09-13 is still in place so it looks like no progress was made.
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2016-11-21 16:24:25 UTC
(In reply to Thomas Deutschmann from comment #2)
> @ Maintainer(s): Can we please get a status update? The mask from
> 2013-09-13 is still in place so it looks like no progress was made.


    Current Development Work (1.11)
    Old Stable Series (1.10)

I do not entirely understand what "old stable series" is.

There is a release of 1.10.13 that fixes some of the CVEs, is this sufficient to make it stable?

Version 1.10.13, 2016-04-23

    Use constant time modular inverse algorithm to avoid possible side channel attack against ECDSA (CVE-2016-2849)
    Use constant time PKCS #1 unpadding to avoid possible side channel attack against RSA decryption (CVE-2015-7827)
    Avoid a compilation problem in OpenSSL engine when ECDSA was disabled. Gentoo bug 542010

Otherwise we will stabilize the latest.
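An added example (not Botan's own code) of what the constant-time modular inverse in 1.10.13 addresses: the first routine's iteration count depends on the nonce, the second does the same work for every input. Fermat inversion is my stand-in for a constant-time method, not the algorithm upstream chose; Python integers are not constant-time, so the point shown is the fixed operation count and branch-free select, not wall-clock timing. P and NONCES are constructed inputs.

```python
def inverse_variable_time(a, p):
    """Extended Euclid: returns (a^-1 mod p, iterations). Iterations depend on a."""
    old_r, r = a % p, p
    old_s, s = 1, 0
    steps = 0
    while r != 0:  # loop length is a function of the secret input (the nonce k)
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    return old_s % p, steps


def inverse_fixed_work(a, p):
    """Fermat: a^(p-2) mod p with one square and one multiply per bit of p.
    The multiply is always computed and the result selected with a mask, so
    neither the iteration count nor the branch pattern depends on a."""
    e = p - 2
    result, base, ops = 1, a % p, 0
    for i in range(p.bit_length() - 1, -1, -1):
        result = (result * result) % p
        candidate = (result * base) % p
        mask = -((e >> i) & 1)  # 0 if the bit is clear, -1 (all ones) if set
        result = (candidate & mask) | (result & ~mask)
        ops += 2
    return result, ops


def work_profile(inverse, p, nonces):
    """Distinct work counts seen over several nonces; a singleton is what we want."""
    counts = set()
    for k in nonces:
        inv, n = inverse(k, p)
        if (k * inv) % p != 1:
            raise ValueError("inverse is wrong for k=%d" % k)
        counts.add(n)
    return counts


# Constructed inputs: a small prime standing in for the group order, and sample nonces.
P = 65537
NONCES = (1, 2, 3, 1000, 40503, 65536)

if __name__ == "__main__":
    print("variable-time counts:", sorted(work_profile(inverse_variable_time, P, NONCES)))
    print("fixed-work counts:", sorted(work_profile(inverse_fixed_work, P, NONCES)))
```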

Comment 4 Thomas Deutschmann gentoo-dev 2016-11-21 18:03:46 UTC
@ Maintainer(s): For security it is enough to stabilize =dev-libs/botan-1.10.13. The v1.11 branch was never stable.

But if you want we can stabilize =dev-libs/botan-1.11.33 but then you have to cleanup previous versions, so make sure that v1.11.x works for all consumers...

Please let us know if you have decided how to proceed.
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2016-11-21 18:07:26 UTC
Ok, let's stabilize dev-libs/botan-1.10.13
Comment 6 Agostino Sarubbo gentoo-dev 2016-11-22 11:31:29 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-22 11:32:47 UTC
x86 stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:19:13 UTC
CVE-2016-2849 (
  Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time
  algorithm to perform a modular inverse on the signature nonce k, which might
  allow remote attackers to obtain ECDSA secret keys via a timing side-channel
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-19 14:35:34 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-20 09:44:57 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-22 09:34:58 UTC
ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-09 14:11:09 UTC
Stable for HPPA.
Comment 13 Thomas Deutschmann gentoo-dev 2017-01-09 17:44:41 UTC
GLSA Vote: Yes

The possibility that an attacker could recover the ECDSA secret key warrants a GLSA.

New GLSA request filed.

@ Maintainer(s): Please drop =dev-libs/botan-1.10.12!
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2017-01-09 18:13:51 UTC
(In reply to Thomas Deutschmann from comment #13)
> @ Maintainer(s): Please drop =dev-libs/botan-1.10.12!

Comment 15 Thomas Deutschmann gentoo-dev 2017-01-09 19:51:40 UTC
@ Maintainer(s): Thank you!
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:24:22 UTC
This issue was resolved and addressed in
 GLSA 201701-23 at
by GLSA coordinator Aaron Bauman (b-man).