Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 653434 (CVE-2018-0737) - <dev-libs/openssl-{1.0.2o-r1,1.1.0h-r1}: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys (CVE-2018-0737)
Summary: <dev-libs/openssl-{1.0.2o-r1,1.1.0h-r1}: RSA key generation cache timing vuln...
Status: RESOLVED FIXED
Alias: CVE-2018-0737
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-17 20:22 UTC by GLSAMaker/CVETool Bot
Modified: 2018-11-28 22:44 UTC (History)
1 user (show)

See Also:
Package list:
dev-libs/openssl-1.0.2o-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-04-17 20:22:32 UTC
CVE-2018-0737 (https://nvd.nist.gov/vuln/detail/CVE-2018-0737):
  The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
  a cache timing side channel attack. An attacker with sufficient access to
  mount cache timing attacks during the RSA key generation process could
  recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected
  1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
Comment 1 Larry the Git Cow gentoo-dev 2018-04-17 20:50:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30945a68d3d4c98433363ed73475b8233ac02118

commit 30945a68d3d4c98433363ed73475b8233ac02118
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-04-17 20:50:09 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-04-17 20:50:30 +0000

    dev-libs/openssl: Rev bump to add patch for CVE-2018-0737
    
    Bug: https://bugs.gentoo.org/653434
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 dev-libs/openssl/Manifest                          |   1 +
 .../files/openssl-1.1.0h-CVE-2018-0737.patch       |  31 +++
 dev-libs/openssl/openssl-1.0.2o-r1.ebuild          | 251 ++++++++++++++++++
 dev-libs/openssl/openssl-1.1.0h-r1.ebuild          | 284 +++++++++++++++++++++
 4 files changed, 567 insertions(+)}
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-11-28 22:44:41 UTC
This issue was resolved and addressed in
 GLSA 201811-21 at https://security.gentoo.org/glsa/201811-21
by GLSA coordinator Aaron Bauman (b-man).