Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 605418 - <dev-libs/libressl-{2.3.10,2.4.5,2.5.4,2.6.1}: ECDSA P-256 timing attack key recovery (CVE-2016-7056)
Summary: <dev-libs/libressl-{2.3.10,2.4.5,2.5.4,2.6.1}: ECDSA P-256 timing attack key ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Low trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2016-7056
  Show dependency tree
 
Reported: 2017-01-11 21:55 UTC by Thomas Deutschmann
Modified: 2018-01-21 02:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-01-11 21:55:55 UTC
LibreSSL is vulnerable to an ECDSA P-256 timing attack. Please see the tracker bug 605414 for more details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-01-11 22:15:52 UTC
Fixed by: https://github.com/libressl-portable/openbsd/commit/3585681bd8ac343b7c357a932c9577988bca86b0

Not yet released/tagged.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 16:38:00 UTC
git tag --contains b5a26893d97d88
OPENBSD_6_1_BASE
libressl-v2.5.1
libressl-v2.5.2
libressl-v2.5.3
libressl-v2.5.4
libressl-v2.5.5
libressl-v2.6.0
libressl-v2.6.1

already fixed and stable in tree. 

@Maintainers we have SLOTs with affected versions, could you confirm if they are vulnerable?

Keywords for dev-libs/libressl:
       |                                 |   u      |  
       | a a         p   a     n r     s |   n      |  
       | l m   h i   p   r m m i i s   p | e u s    | r
       | p d a p a p c x m i 6 o s 3   a | a s l    | e
       | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o    | p
       | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t    | o
-------+---------------------------------+----------+-------
2.3.10 | o ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 o 0/38 | gentoo
-------+---------------------------------+----------+-------
 2.4.5 | o ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 # 0/39 | gentoo
 2.5.0 | ~ ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 o      | gentoo



Gentoo Security Padawan
ChrisADR
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-21 02:36:35 UTC
2.3.10 and 2.4.5 sources contain the fix as referenced above.  2.5.0 also solves the leak, but with different logic.

Tree does not need cleaned as these ebuild versions are not vulnerable.