Bug 579750 (CVE-2016-3995) - <dev-libs/crypto++-3.6.4: bogus protection from timing attacks
Summary: <dev-libs/crypto++-3.6.4: bogus protection from timing attacks
Status: RESOLVED FIXED
Alias: CVE-2016-3995
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 570416 611504
Blocks:
Reported: 2016-04-12 14:47 UTC by Agostino Sarubbo
Modified: 2017-04-30 21:13 UTC
Description Agostino Sarubbo gentoo-dev 2016-04-12 14:47:48 UTC
From ${URL} :

A vulnerability was found in the cryptopp library. A countermeasure against timing attacks was incorrectly implemented.

External references:

https://github.com/weidai11/cryptopp/issues/146

References and CVE assignment:

http://seclists.org/oss-sec/2016/q2/50


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2016-10-03 23:17:26 UTC
3.6.4 is in tree, but there are significant build changes; we need time to stabilize.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 16:56:32 UTC
v3.6.4 available in Gentoo repository since https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/crypto++?id=86f8b10361ee6fbbb5079703d88d23f009f14dca


@ Maintainer(s): Can we stabilize =dev-libs/crypto++-5.6.4-r4?
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2016-11-19 18:09:21 UTC
dev-libs/crypto++-5.6.5 is a candidate for stabilization; however, upstream changed and has a little knowledge about the downstream process. It added some breakages and continues to do so, for example bug#597994. I am waiting for the next version that includes some remedy.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 19:20:00 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2017-04-30 19:34:50 UTC
Already done :)
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 21:13:53 UTC
Thank you, just clearing the whiteboard. 

GLSA Vote: No