Bug 730752 (CVE-2020-36421, CVE-2020-36422, CVE-2020-36423)

Summary:	<net-libs/mbedtls-{2.16.7,2.23.0}: Multiple vulnerabilities (CVE-2020-{36421,36422,36423})
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ajak, blueness
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://github.com/gentoo/gentoo/pull/17764
Whiteboard:	B4 [glsa+ cve]
Package list:	net-libs/mbedtls-2.16.7-r1 amd64 arm64 ppc64 x86 net-libs/mbedtls-2.23.0-r1 amd64 arm64 ppc64 x86	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	740108

Description Sam James archtester

2020-07-04 18:49:20 UTC

Release notes:
* 2.16.7: https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.16.7
* 2.23.0: https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.23.0

"Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in 3394.

    Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.

    Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in 3246."

See https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07 for details on the first vulnerability.

Comment 1 Sam James archtester

2020-07-04 18:50:24 UTC

Let us know when ready to stable, thanks!

Comment 2 Anthony Basile gentoo-dev

2020-07-05 15:11:16 UTC

(In reply to Sam James (sec padawan) from comment #1)
> Let us know when ready to stable, thanks!

They should be ready.

KEYWORDS="amd64 arm arm64 ppc ppc64 x86"

Comment 3 Sam James archtester

2020-07-05 16:36:02 UTC

(In reply to Anthony Basile from comment #2)
> (In reply to Sam James (sec padawan) from comment #1)
> > Let us know when ready to stable, thanks!
> 
> They should be ready.
> 
> KEYWORDS="amd64 arm arm64 ppc ppc64 x86"

Thanks!

Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev

2020-07-08 07:50:01 UTC

ppc stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-07-09 08:04:38 UTC

arm stable

Comment 6 Sam James archtester

2020-07-17 00:05:43 UTC

amd64, ppc64, x86: ping

Comment 7 Sam James archtester

2020-07-17 01:21:44 UTC

arm64 stable

Comment 8 Sam James archtester

2020-07-17 01:39:01 UTC

ppc64 stable

Comment 9 Sam James archtester

2020-07-17 23:30:21 UTC

x86 stable

Comment 10 Sam James archtester

2020-07-17 23:30:44 UTC

amd64 stable

----
Please cleanup.

Comment 11 Sam James archtester

2020-07-26 15:58:12 UTC

GLSA vote: yes

Comment 12 John Helmert III archtester

2020-09-21 03:28:21 UTC

Ping

Comment 13 Larry the Git Cow gentoo-dev

2020-10-04 14:01:19 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2eec5b536cc676a688ff316087a71c31d4ffe303

commit 2eec5b536cc676a688ff316087a71c31d4ffe303
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-10-04 02:12:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-04 14:00:01 +0000

    net-libs/mbedtls: security cleanup
    
    Bug: https://bugs.gentoo.org/730752
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/17764
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/mbedtls/Manifest                 |  2 -
 net-libs/mbedtls/mbedtls-2.16.6.ebuild    | 94 -------------------------------
 net-libs/mbedtls/mbedtls-2.22.0-r1.ebuild | 94 -------------------------------
 3 files changed, 190 deletions(-)

Comment 14 NATTkA bot gentoo-dev

2020-10-31 12:08:56 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: net-libs/mbedtls-2.16.7-r1

Comment 15 NATTkA bot gentoo-dev

2021-04-01 20:12:44 UTC

Unable to check for sanity:

> no match for package: net-libs/mbedtls-2.16.7-r1

Comment 16 John Helmert III archtester

2021-07-18 18:48:58 UTC

CVEs requested for these.

Comment 17 John Helmert III archtester

2021-07-19 15:27:34 UTC

(In reply to Sam James from comment #0)
> Release notes:
> * 2.16.7: https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.16.7
> * 2.23.0: https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.23.0
> 
> "Fix a side channel vulnerability in modular exponentiation that could
> reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
> Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of
> Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
> Strackx (Fortanix) in 3394.

CVE-2020-37421

>     Fix side channel in mbedtls_ecp_check_pub_priv() and
> mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
> key that didn't include the uncompressed public key), as well as
> mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
> f_rng argument. An attacker with access to precise enough timing and memory
> access information (typically an untrusted operating system attacking a
> secure enclave) could fully recover the ECC private key. Found and reported
> by Alejandro Cabrera Aldaya and Billy Brumley.

CVE-2020-36422

>     Fix issue in Lucky 13 counter-measure that could make it ineffective
> when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
> macros). This would cause the original Lucky 13 attack to be possible in
> those configurations, allowing an active network attacker to recover
> plaintext after repeated timing measurements under some conditions. Reported
> and fix suggested by Luc Perneel in 3246."

CVE-2020-36423

> See
> https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-
> advisory-2020-07 for details on the first vulnerability.

Comment 18 Larry the Git Cow gentoo-dev

2022-08-11 03:53:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2aa8d23c8600f65ddf12a27696c2b4b99babbd79

commit 2aa8d23c8600f65ddf12a27696c2b4b99babbd79
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-11 03:50:22 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-11 03:50:22 +0000

    profiles: last rite app-admin/logcheck
    
    Bug: https://bugs.gentoo.org/730752
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

Comment 19 John Helmert III archtester

2022-08-11 03:54:51 UTC

(In reply to Larry the Git Cow from comment #18)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=2aa8d23c8600f65ddf12a27696c2b4b99babbd79
> 
> commit 2aa8d23c8600f65ddf12a27696c2b4b99babbd79
> Author:     John Helmert III <ajak@gentoo.org>
> AuthorDate: 2022-08-11 03:50:22 +0000
> Commit:     John Helmert III <ajak@gentoo.org>
> CommitDate: 2022-08-11 03:50:22 +0000
> 
>     profiles: last rite app-admin/logcheck
>     
>     Bug: https://bugs.gentoo.org/730752
>     Signed-off-by: John Helmert III <ajak@gentoo.org>
> 
>  profiles/package.mask | 5 +++++
>  1 file changed, 5 insertions(+)

Sorry, wrong bug

Comment 20 John Helmert III archtester

2022-12-22 23:46:58 UTC

GLSA request filed.

Comment 21 Larry the Git Cow gentoo-dev

2023-01-11 05:22:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f524f5fa47d9d739280d4530623a93084918da39

commit f524f5fa47d9d739280d4530623a93084918da39
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:19:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:06 +0000

    [ GLSA 202301-08 ] Mbed TLS: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/730752
    Bug: https://bugs.gentoo.org/740108
    Bug: https://bugs.gentoo.org/764317
    Bug: https://bugs.gentoo.org/778254
    Bug: https://bugs.gentoo.org/801376
    Bug: https://bugs.gentoo.org/829660
    Bug: https://bugs.gentoo.org/857813
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-08.xml | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

Comment 22 John Helmert III archtester

2023-01-11 05:24:41 UTC

GLSA released, all done!