Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 734986 (CVE-2020-12400, CVE-2020-12401, CVE-2020-12403) - <dev-libs/nss-3.55: Multiple vulnerabilities (CVE-2020-{12400,12401,12403})
Summary: <dev-libs/nss-3.55: Multiple vulnerabilities (CVE-2020-{12400,12401,12403})
Status: RESOLVED FIXED
Alias: CVE-2020-12400, CVE-2020-12401, CVE-2020-12403
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-31 18:54 UTC by David Denoncin
Modified: 2020-08-30 22:58 UTC (History)
2 users (show)

See Also:
Package list:
dev-libs/nspr-4.26 dev-libs/nss-3.55
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Denoncin 2020-07-31 18:54:16 UTC
* CVE-2020-12400:

Description:
"This is a side channel attack which can used to extract pirate keys when ECDSA signatures are being generated. This attack is only feasible when the attacker is local to the machine or in certain cross-VM scenarios where the signature is being generated. Attacks over the network or via the internet are not feasible."

* CVE-2020-12401:

Description:
"A timing attacker against ECDSA signature generation is able to obtain information from the secret nonce measuring the time an ECDSA signature generation takes."

* CVE-2020-12403:

From upstream:
"Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length".
Comment 1 Agostino Sarubbo gentoo-dev 2020-08-11 14:12:51 UTC
arm stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-08-11 14:14:06 UTC
s390 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-08-11 14:18:14 UTC
sparc stable
Comment 4 Sam James gentoo-dev Security 2020-08-11 16:18:07 UTC
arm64 done
Comment 5 Sam James gentoo-dev Security 2020-08-11 17:44:40 UTC
x86 done
Comment 6 Sam James gentoo-dev Security 2020-08-11 17:45:40 UTC
amd64 done
Comment 7 Sergei Trofimovich gentoo-dev 2020-08-14 21:06:00 UTC
hppa stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-08-19 11:10:32 UTC
This issue was resolved and addressed in
 GLSA 202008-08 at https://security.gentoo.org/glsa/202008-08
by GLSA coordinator Sam James (sam_c).
Comment 9 Sam James gentoo-dev Security 2020-08-19 11:10:52 UTC
Reopening for ppc{,64}.
Comment 10 ernsteiswuerfel 2020-08-21 17:00:14 UTC
Looking good on ppc.

 # cat nspr-734986.report 
USE tests started on Fr 21. Aug 14:50:42 CEST 2020

FEATURES=' test' USE='' succeeded for =dev-libs/nspr-4.26
USE='' succeeded for =dev-libs/nspr-4.26

FEATURES=' test' USE='' succeeded for =dev-libs/nss-3.55
USE='-cacert -utils' succeeded for =dev-libs/nss-3.55
USE='cacert -utils' succeeded for =dev-libs/nss-3.55
USE='-cacert utils' succeeded for =dev-libs/nss-3.55
USE='cacert utils' succeeded for =dev-libs/nss-3.55

revdep tests started on Fr 21. Aug 17:26:29 CEST 2020

FEATURES=' test' USE='' succeeded for dev-libs/volume_key
FEATURES=' test' USE='nsplugin' succeeded for media-video/gxine
merging test dependencies of mail-client/thunderbird failed
FEATURES=' test' USE='nss' succeeded for dev-libs/xmlsec
FEATURES=' test' USE='' succeeded for dev-lang/spidermonkey
FEATURES=' test' USE='ssl' succeeded for dev-util/systemtap
FEATURES=' test' USE='-gnutls' succeeded for net-im/pidgin
merging test dependencies of mail-client/thunderbird failed
FEATURES=' test' USE='nss' succeeded for dev-libs/apr-util
FEATURES=' test' USE='' succeeded for app-arch/rpm
FEATURES=' test' USE='nss' succeeded for dev-libs/xmlsec
FEATURES=' test' USE='' succeeded for sys-auth/libfprint
FEATURES=' test' USE='-gnutls' succeeded for net-im/pidgin
FEATURES=' test' USE='nss' succeeded for net-libs/liboauth
FEATURES=' test' USE='' succeeded for x11-plugins/pidgin-encryption
FEATURES=' test' USE='nss' succeeded for dev-libs/pkcs11-helper
FEATURES=' test' USE='cryptsetup escrow' succeeded for sys-libs/libblockdev
Comment 11 Sergei Trofimovich gentoo-dev 2020-08-23 08:12:29 UTC
ppc stable thanks to ernsteiswuerfel !
Comment 12 Sam James gentoo-dev Security 2020-08-30 22:49:29 UTC
ppc64 done

all arches done
Comment 13 Sam James gentoo-dev Security 2020-08-30 22:52:50 UTC
Please cleanup.
Comment 14 Larry the Git Cow gentoo-dev 2020-08-30 22:57:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9522aa465f097bca10a2e9ee5c3e2586d3fcd26e

commit 9522aa465f097bca10a2e9ee5c3e2586d3fcd26e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-30 22:56:35 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-30 22:56:35 +0000

    dev-libs/nss: security cleanup
    
    Bug: https://bugs.gentoo.org/734986
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/nss/Manifest                           |   4 -
 dev-libs/nss/files/nss-3.47-gentoo-fixups.patch | 242 ----------------
 dev-libs/nss/nss-3.51.ebuild                    | 357 -----------------------
 dev-libs/nss/nss-3.52.1-r1.ebuild               | 361 ------------------------
 dev-libs/nss/nss-3.53.1.ebuild                  | 351 -----------------------
 dev-libs/nss/nss-3.54-r1.ebuild                 | 351 -----------------------
 6 files changed, 1666 deletions(-)
Comment 15 Thomas Deutschmann gentoo-dev Security 2020-08-30 22:58:22 UTC
Repository is clean, all done.