Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 702930 (CVE-2019-14318)

Summary: dev-libs/crypto++: vulnerable to private key recovery (CVE-2019-14318)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: crypto+disabled, noloader, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [upstream cve]
Package list:
Runtime testing required: ---
Bug Depends on: 762241    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-14 21:38:12 UTC 
CVE-2019-14318 (https://nvd.nist.gov/vuln/detail/CVE-2019-14318):
  Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature
  generation. This allows a local or remote attacker, able to measure the
  duration of hundreds to thousands of signing operations, to compute the
  private key used. The issue occurs because scalar multiplication in ecp.cpp
  (prime field curves, small leakage) and algebra.cpp (binary field curves,
  large leakage) is not constant time and leaks the bit length of the scalar
  among other information.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-20 02:51:28 UTC 
Based on https://github.com/weidai11/cryptopp/issues/869#issuecomment-568790184, it seems it is not appropriate to apply any patches until a release is made.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-20 11:30:49 UTC 
8.3 is out now! Adopted the package. I'll work on the bump later.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 23:56:03 UTC 
ppc done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-28 08:17:22 UTC 
arm64 done
Comment 5 NATTkA bot gentoo-dev Security 2020-12-29 07:49:12 UTC 
Unable to check for sanity:

> package masked: dev-libs/crypto++-8.3.0
Comment 6 Rolf Eike Beer archtester 2020-12-29 20:06:53 UTC 
~hppa is fine
Comment 7 Larry the Git Cow gentoo-dev 2021-01-02 07:12:45 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98694720dc1c5c4e9d194d3c6fe01a4faac442b1

commit 98694720dc1c5c4e9d194d3c6fe01a4faac442b1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-02 07:08:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-02 07:08:41 +0000

    dev-libs/crypto++: bump to 8.4.0
    
    Notes:
    * This increments the subslot to 8.4 because of
      the (unintentional) ABI breakage in 8.3.
    
    * The CVE is no longer fixed as the change
      had to be reverted upstream.
    
    Bug: https://bugs.gentoo.org/702930
    Closes: https://bugs.gentoo.org/762241
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/crypto++/Manifest                                         | 2 +-
 dev-libs/crypto++/{crypto++-8.3.0.ebuild => crypto++-8.4.0.ebuild} | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
Comment 8 Jeffrey Walton 2021-01-02 07:24:00 UTC 
Crypto++ is tracking that damn timing leak at https://github.com/weidai11/cryptopp/issues/994. The 994 issue triggered the revert of the constant-time code that was defective.

And for completeness, CVE-2019-14318 is active again and being worked under Issue 994.