| Summary: | <dev-libs/botan-2.14.0: Side channel vulnerability during CBC padding | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | proxy-maint, sam |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://botan.randombit.net/security.html | ||
| See Also: |
https://github.com/gentoo/gentoo/pull/15455 https://github.com/gentoo/gentoo/pull/16285 |
||
| Whiteboard: | B4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 701120, 722904, 729580 | ||
| Bug Blocks: | |||
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8fc4d8db1640a47c0ee8e97b5e66545ea0f4b89 commit d8fc4d8db1640a47c0ee8e97b5e66545ea0f4b89 Author: Sam James (sam_c) <sam@cmpct.info> AuthorDate: 2020-04-21 11:43:36 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-04-26 22:08:11 +0000 dev-libs/botan: Security bump to 2.14.0 Bug: https://bugs.gentoo.org/718596 Signed-off-by: Sam James (sam_c) <sam@cmpct.info> Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-libs/botan/Manifest | 1 + dev-libs/botan/botan-2.14.0.ebuild | 102 +++++++++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+) Will give this a few days just to see if anything pops up and then we'll stabilise. Looks to me like it got pushed straight to stable already. (In reply to Joonas Niilola from comment #3) > Looks to me like it got pushed straight to stable already. So it was, thank you. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1308fe84a3ea4e5acc6cc5579269581649778347 commit 1308fe84a3ea4e5acc6cc5579269581649778347 Author: Sam James (sam_c) <sam@cmpct.info> AuthorDate: 2020-06-17 13:55:44 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-06-17 15:25:21 +0000 dev-libs/botan: cleanup old (to extent possible) This also drops the :0 slot. Cannot cleanup 2.9 because of stable qt-creator. Bug: https://bugs.gentoo.org/718596 Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Sam James (sam_c) <sam@cmpct.info> Closes: https://github.com/gentoo/gentoo/pull/16285 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-libs/botan/Manifest | 2 - dev-libs/botan/botan-1.10.17-r2.ebuild | 160 --------------------------------- dev-libs/botan/botan-2.11.0.ebuild | 102 --------------------- dev-libs/botan/botan-2.14.0.ebuild | 102 --------------------- 4 files changed, 366 deletions(-) GLSA vote: no The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3002ff94b023e3c3028934d18bf95c4f055d80f commit e3002ff94b023e3c3028934d18bf95c4f055d80f Author: Sam James <sam@gentoo.org> AuthorDate: 2020-09-10 15:14:07 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2020-09-10 15:14:16 +0000 dev-libs/botan: security cleanup Bug: https://bugs.gentoo.org/718596 Package-Manager: Portage-3.0.4, Repoman-3.0.1 Signed-off-by: Sam James <sam@gentoo.org> dev-libs/botan/Manifest | 1 - dev-libs/botan/botan-2.9.0.ebuild | 103 --------------------------- dev-libs/botan/files/botan-2.9.0-build.patch | 63 ---------------- 3 files changed, 167 deletions(-) Tree clean, closing. |
From URL: 2020-03-24: Side channel during CBC padding The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected. Reported by Maximilian Blochberger of Universität Hamburg. Fixed in 2.14.0, all prior versions affected.