Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573646 (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805) - <dev-libs/nettle-3.2: Miscalculations of elliptic curve multiplications (CVE-2015-8803,CVE-2015-8804,CVE-2015-8805)
Summary: <dev-libs/nettle-3.2: Miscalculations of elliptic curve multiplications (CVE-...
Alias: CVE-2015-8803, CVE-2015-8804, CVE-2015-8805
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2016-02-02 09:58 UTC by Hanno Böck
Modified: 2016-06-05 07:22 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

nettle-3.2.ebuild (nettle-3.2.ebuild,1.77 KB, text/plain)
2016-02-03 13:32 UTC, Lars Wendler (Polynomial-C) (RETIRED)
no flags Details
nettle-3.2.ebuild.diff (nettle-3.2.ebuild.diff,1.53 KB, patch)
2016-02-03 13:34 UTC, Lars Wendler (Polynomial-C) (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2016-02-02 09:58:20 UTC

Three bugs in the ecc code have been fixed in nettle 3.2 that could lead to wrong results on ecc point/scalar multiplications.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-03 13:32:26 UTC
Created attachment 424538 [details]

Ebuild for nettle-3.2 bumped to EAPI-6

Please check this ebuild thoroughly as I am neither very familiar with EAPI-6 nor with the involved multilib eclasses.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-03 13:34:13 UTC
Created attachment 424540 [details, diff]

Diff between nettle-3.1.1 ebuild and the attached one.
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 13:38:59 UTC
What is the purpose of eap-6? We won't be able to stabilize it.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-03 14:17:33 UTC
(In reply to Alon Bar-Lev from comment #3)
> What is the purpose of eap-6? We won't be able to stabilize it.

EAPI 6 can be stabilized since portage 2.2.26 went stable on 2016-01-17
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:45:50 UTC
Thanks! I did not know that.
Comment 6 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:47:06 UTC
Opps... this is a security bug.
Comment 7 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:47:35 UTC
Version bump completed.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-04 11:30:01 UTC
(In reply to Alon Bar-Lev from comment #7)
> Version bump completed.

Thank you.

Arches, please stabilize
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-02-04 12:05:43 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2016-02-04 16:05:38 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-02-04 16:06:04 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-05 05:48:37 UTC
Stable for PPC64.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-05 05:59:09 UTC
Stable for HPPA.
Comment 14 Markus Meier gentoo-dev 2016-02-14 17:22:46 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-03-16 12:06:23 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-03-19 11:38:57 UTC
sparc stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-03-20 12:02:38 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 Alon Bar-Lev (RETIRED) gentoo-dev 2016-06-04 19:16:42 UTC
Cleaned up.