Bug 711180 (CVE-2019-16910)

Summary:	<net-libs/mbedtls-2.19.0: use of RNG with insufficient entropy allows to recover private key vise side-channel attack (CVE-2019-16910)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	blueness
Priority:	Normal	Flags:	nattka: sanity-check-
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=714582
Whiteboard:	B4 [noglsa cve]
Package list:	net-libs/mbedtls-2.19.1-r2	Runtime testing required:	---
Bug Depends on:	712704
Bug Blocks:

Description Sam James archtester

2020-03-01 17:07:33 UTC

Description:
"Mbed TLS does not have a constant-time/constant-trace arithmetic library and uses blinding to protect against side channel attacks.

In the ECDSA signature routine previous Mbed TLS versions used the same RNG object for generating the ephemeral key pair and for generating the blinding values. The deterministic ECDSA function reused this by passing the RNG object created from the private key and the message to be signed as prescribed by RFC 6979. This meant that the same RNG object was used whenever the same message was signed, rendering the blinding ineffective."

Further,
"Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)"

Affected versions (see https://www.cvedetails.com/cve/CVE-2019-16910/):
- <2.19.0
- <2.18.1
- 2.17.0
- <2.16.3
- 2.12.0
- 2.10.0

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-02 22:29:53 UTC

@ maintainer(s): Can we start stabilization?

Comment 2 Anthony Basile gentoo-dev

2020-03-03 00:46:53 UTC

(In reply to Thomas Deutschmann from comment #1)
> @ maintainer(s): Can we start stabilization?

Its ready. KEYWORDS="amd64 arm arm64 ia64 ppc ppc64 x86"

Comment 3 Agostino Sarubbo gentoo-dev

2020-03-03 11:46:37 UTC

x86 stable

Comment 4 Agostino Sarubbo gentoo-dev

2020-03-03 12:39:53 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-03-03 12:40:59 UTC

ppc stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-03-03 13:41:46 UTC

arm stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-03-03 14:38:42 UTC

ppc64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-03-04 08:08:07 UTC

ia64 stable

Comment 9 Mart Raudsepp gentoo-dev

2020-03-13 22:11:14 UTC

arm64 stable

Comment 10 Sam James archtester

2020-03-13 22:12:21 UTC

Thanks arches.

@maintainer(s), can we cleanup?

Comment 11 Anthony Basile gentoo-dev

2020-03-15 01:15:38 UTC

(In reply to sam_c (Security Padawan) from comment #10)
> Thanks arches.
> 
> @maintainer(s), can we cleanup?

done

Comment 12 Sam James archtester

2020-03-15 01:19:29 UTC

(In reply to Anthony Basile from comment #11)
> (In reply to sam_c (Security Padawan) from comment #10)
> > Thanks arches.
> > 
> > @maintainer(s), can we cleanup?
> 
> done

Thanks!

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-15 02:54:06 UTC

GLSA Vote: No!

Repository is clean, all done!

Comment 14 Sam James archtester

2020-03-15 03:19:30 UTC

Reopening because 2.17.0 was restored due to breaking net-p2p/fms:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6d437cfc5afcba4b4fb5eb539f28d93bedd71e4

Comment 15 NATTkA bot gentoo-dev

2020-04-06 11:25:11 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 16 NATTkA bot gentoo-dev

2020-05-25 21:24:46 UTC

Unable to check for sanity:

> no match for package: net-libs/mbedtls-2.19.1-r2

Comment 17 Sam James archtester

2020-05-25 21:32:56 UTC

Thanks :)

Comment 18 Sam James archtester

2020-07-04 18:43:22 UTC

We're all clean here. Closing.