Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553808 (CVE-2015-2141) - <dev-libs/crypto++-5.6.2-r2: private key disclosure via timing attack (CVE-2015-2141)
Summary: <dev-libs/crypto++-5.6.2-r2: private key disclosure via timing attack (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2015-2141
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-02 18:54 UTC by Sam James
Modified: 2015-11-09 21:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-02 18:54:31 UTC 
From URL:
----
The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack.
----
https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff
http://sourceforge.net/p/cryptopp/code/542/

Reproducible: Always
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2015-07-02 19:14:15 UTC 
added: crypto++-5.6.2-r2
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 20:07:16 UTC 
@Maintainers: is -r2 ready for stabilisation?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 20:07:29 UTC 
@Maintainers: is -r2 ready for stabilisation?
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2015-07-05 20:14:42 UTC 
(In reply to stanley - Security Padawan from comment #3)
> @Maintainers: is -r2 ready for stabilisation?

r2 differs from r1 only by the fix for this CVE.

feel free to stabilize.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-07 04:26:52 UTC 
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-10 06:58:58 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-10 06:59:26 UTC 
x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 18:54:01 UTC 
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:28 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-07-23 09:39:43 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Manuel Rüger (RETIRED) gentoo-dev 2015-08-27 23:59:06 UTC 
Vulnerable removed.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 21:48:39 UTC 
Vote: no.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-09 21:56:21 UTC 
GLSA Vote: No