Bug 573646 (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805) - <dev-libs/nettle-3.2: Miscalculations of elliptic curve multiplications (CVE-2015-8803,CVE-2015-8804,CVE-2015-8805)
Summary: <dev-libs/nettle-3.2: Miscalculations of elliptic curve multiplications (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2015-8803, CVE-2015-8804, CVE-2015-8805
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blog.fuzzing-project.org/38-M...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-02 09:58 UTC by Hanno Böck
Modified: 2016-06-05 07:22 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
nettle-3.2.ebuild (nettle-3.2.ebuild,1.77 KB, text/plain)
2016-02-03 13:32 UTC, Lars Wendler (Polynomial-C) (RETIRED)
nettle-3.2.ebuild.diff (nettle-3.2.ebuild.diff,1.53 KB, patch)
2016-02-03 13:34 UTC, Lars Wendler (Polynomial-C) (RETIRED)

Description Hanno Böck gentoo-dev 2016-02-02 09:58:20 UTC
See
https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html

Three bugs in the ecc code have been fixed in nettle 3.2 that could lead to wrong results on ecc point/scalar multiplications.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-03 13:32:26 UTC
Created attachment 424538 [details]
nettle-3.2.ebuild

Ebuild for nettle-3.2 bumped to EAPI-6

Please check this ebuild thoroughly as I am neither very familiar with EAPI-6 nor with the involved multilib eclasses.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-03 13:34:13 UTC
Created attachment 424540 [details, diff]
nettle-3.2.ebuild.diff

Diff between nettle-3.1.1 ebuild and the attached one.
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 13:38:59 UTC
What is the purpose of EAPI-6? We won't be able to stabilize it.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-03 14:17:33 UTC
(In reply to Alon Bar-Lev from comment #3)
> What is the purpose of EAPI-6? We won't be able to stabilize it.

EAPI 6 can be stabilized since portage 2.2.26 went stable on 2016-01-17
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:45:50 UTC
Thanks! I did not know that.
Comment 6 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:47:06 UTC
Oops... this is a security bug.
Comment 7 Alon Bar-Lev (RETIRED) gentoo-dev 2016-02-03 20:47:35 UTC
Version bump completed.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-04 11:30:01 UTC
(In reply to Alon Bar-Lev from comment #7)
> Version bump completed.

Thank you.

Arches, please stabilize
=dev-libs/nettle-3.2
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-02-04 12:05:43 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2016-02-04 16:05:38 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-02-04 16:06:04 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-05 05:48:37 UTC
Stable for PPC64.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-05 05:59:09 UTC
Stable for HPPA.
Comment 14 Markus Meier gentoo-dev 2016-02-14 17:22:46 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-03-16 12:06:23 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-03-19 11:38:57 UTC
sparc stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-03-20 12:02:38 UTC
ia64 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 18 Alon Bar-Lev (RETIRED) gentoo-dev 2016-06-04 19:16:42 UTC
Cleaned up.