Bug 658334 (CVE-2018-12435) - <dev-libs/botan-2.7.0: ECDSA cache sidechannel
Summary: <dev-libs/botan-2.7.0: ECDSA cache sidechannel
Status: RESOLVED FIXED
Alias: CVE-2018-12435
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/randombit/botan/co...
Whiteboard: B4 [noglsa cve]
Reported: 2018-06-17 21:15 UTC by Florian Schuhmacher
Modified: 2019-03-12 07:39 UTC
Runtime testing required: ---
stable-bot: sanity-check+


Description Florian Schuhmacher 2018-06-17 21:15:12 UTC
Botan 2.5.0 through 2.6.0 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP, related to dsa/dsa.cpp, ec_group/ec_group.cpp, and ecdsa/ecdsa.cpp. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Thomas Bettler 2018-07-20 13:03:31 UTC
solution proposed - see bug #661660
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2018-08-14 15:24:14 UTC
Please stabilize =dev-libs/botan-2.7.0
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-16 00:39:46 UTC
x86 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-17 00:11:55 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-18 22:50:56 UTC
ppc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-21 19:43:19 UTC
ppc64 stable
Comment 7 Larry the Git Cow gentoo-dev 2018-09-01 19:01:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1949d3c964706770f7353f9ac0fab632b5d2f28c

commit 1949d3c964706770f7353f9ac0fab632b5d2f28c
Author:     Alon Bar-Lev <alonbl@gentoo.org>
AuthorDate: 2018-09-01 18:20:35 +0000
Commit:     Alon Bar-Lev <alonbl@gentoo.org>
CommitDate: 2018-09-01 19:01:32 +0000

    dev-libs/botan: cleanup old
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=658334
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-libs/botan/Manifest           |  1 -
 dev-libs/botan/botan-2.6.0.ebuild | 92 ---------------------------------------
 2 files changed, 93 deletions(-)
Comment 8 Virgil Dupras (RETIRED) gentoo-dev 2018-10-11 15:15:53 UTC
To be clear on the status of this bug: vulnerable versions (2.5.x) are clear from the tree.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-12 07:39:21 UTC
All clear in tree
Arches and Maintainer(s), Thank you for your work.

Closing noglsa.