Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 688564 (CVE-2019-12904) - dev-libs/libgcrypt: Possible side channel attack for PPC: C implementation of AES is vulnerable to side-channel attacks
Summary: dev-libs/libgcrypt: Possible side channel attack for PPC: C implementation of...
Status: CONFIRMED
Alias: CVE-2019-12904
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://dev.gnupg.org/T4541
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-23 20:56 UTC by Kristian Fiskerstrand
Modified: 2019-06-23 20:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2019-06-23 20:56:02 UTC
From URL:

While working on PowerPC support (D490 D491 D492 D493) I noticed that the C implementation of AES is vulnerable to side-channel attacks. (described below)

My patches are not vulnerable to this, but users of libgcrypt on PowerPC *before* my patches are.

--

Following upstream development, question from WK;
"Andreas, I wonder on which grounds you assigned a CVE for this claimed side-channel attack. The mentioned paper is about an old RSA side-channel and not on AES. I would like to see more facts than the reference to a guy who knows PPC pretty well."

(fwiw, andreas didn't assign the CVE)