Bug 658158 (CVE-2018-12434) - <dev-libs/libressl-{2.6.5, 2.7.4}: ECDSA cache sidechannel
Summary: <dev-libs/libressl-{2.6.5, 2.7.4}: ECDSA cache sidechannel
Status: RESOLVED FIXED
Alias: CVE-2018-12434
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://ftp.openbsd.org/pub/OpenBSD/L...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-15 06:01 UTC by Florian Schuhmacher
Modified: 2018-11-25 01:47 UTC

See Also:
Package list:
dev-libs/libressl-2.6.5
Runtime testing required: ---
stable-bot: sanity-check+


Description Florian Schuhmacher 2018-06-15 06:01:08 UTC
LibreSSL before 2.6.5 and 2.7.x before 2.7.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Fix in 2.6.5, 2.7.4.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Larry the Git Cow gentoo-dev 2018-06-16 01:36:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=171f5dd87c70e26ed8577073158b0104ca9f20bc

commit 171f5dd87c70e26ed8577073158b0104ca9f20bc
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-06-16 01:35:51 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-06-16 01:35:51 +0000

    dev-libs/libressl: security bump
    
    Bug: https://bugs.gentoo.org/658158
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-libs/libressl/Manifest              |  2 ++
 dev-libs/libressl/libressl-2.6.5.ebuild | 55 +++++++++++++++++++++++++++++++++
 dev-libs/libressl/libressl-2.7.4.ebuild | 53 +++++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-06-16 01:36:33 UTC
@arches, please stabilize
Comment 3 Larry the Git Cow gentoo-dev 2018-06-16 19:26:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c5890c7dc134821525804555c0ae32f2bda48e8

commit 9c5890c7dc134821525804555c0ae32f2bda48e8
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-16 19:23:07 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-16 19:26:28 +0000

    dev-libs/libressl: stable 2.6.5 for sparc
    
    Bug: https://bugs.gentoo.org/658158
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-libs/libressl/libressl-2.6.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Larry the Git Cow gentoo-dev 2018-06-17 01:13:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a68457d8fc08342411862975fee6f6a66533a8f8

commit a68457d8fc08342411862975fee6f6a66533a8f8
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-06-17 01:13:24 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-06-17 01:13:24 +0000

    dev-libs/libressl: amd64 stable
    
    Bug: https://bugs.gentoo.org/658158
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-libs/libressl/libressl-2.6.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-06-17 23:31:12 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2018-07-07 10:46:34 UTC
arm stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-09 23:26:03 UTC
s390 stable
Comment 8 Matt Turner gentoo-dev 2018-09-17 23:21:48 UTC
ppc/ppc64 stable. all arches stable