Bug 740108 (CVE-2020-16150) - <net-libs/mbedtls-{2.16.8,2.24.0}: Multiple vulnerabilities (CVE-2020-16150)
Summary: <net-libs/mbedtls-{2.16.8,2.24.0}: Multiple vulnerabilities (CVE-2020-16150)
Status: IN_PROGRESS
Alias: CVE-2020-16150
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Depends on: 730752
Reported: 2020-09-02 19:21 UTC by Sam James
Modified: 2020-11-01 23:04 UTC (History)
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-09-02 19:21:29 UTC
* CVE-2020-16150 (Local side channel attack on classical CBC decryption in (D)TLS)

Description:
"A local attacker with access to enough information about the state of the cache (including, but not limited to, an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover portions of the plaintext of a (D)TLS record."

Fixed versions: "Affected users will want to upgrade to Mbed TLS 2.24.0, 2.16.8 or 2.7.17 depending on the branch they're currently using."

Advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1

* Local side channel attack on RSA and static Diffie-Hellman

Description:
"An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave such as SGX or the TrustZone secure world) can recover the private keys used in RSA or static (finite-field) Diffie-Hellman operations."

Fixed versions: "Affected users will want to upgrade to Mbed TLS 2.24.0, 2.16.8 or 2.7.17 depending on the branch they're currently using."

Advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
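A branch-aware check of an installed Mbed TLS version against the fixed releases the two advisories name (2.7.17, 2.16.8, 2.24.0), added here as example code; it is not part of this bug, of Portage, or of Mbed TLS. It assumes that versions on the 2.7 and 2.16 branches are compared with their own branch fix and every other 2.x version with 2.24.0, that a Gentoo ebuild revision suffix (-rN) does not change the upstream release, and that the version can be read from the MBEDTLS_VERSION_STRING macro in mbedtls's version.h; the header excerpt below is constructed for the example.

```python
"""Decide whether an Mbed TLS version predates the fixes for the two
September 2020 advisories.  Example code, not part of the bug or of Mbed TLS."""
import re

# First fixed release on each maintained branch, as stated in the advisories.
FIXED_BY_BRANCH = {
    (2, 7): (2, 7, 17),     # 2.7 LTS branch
    (2, 16): (2, 16, 8),    # 2.16 LTS branch
}
# Assumption: any other 2.x version is measured against the 2.24.0 release.
FIXED_MAINLINE = (2, 24, 0)

# Accepts "X.Y.Z" or the Gentoo form "X.Y.Z-rN" (the -rN revision is dropped).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r\d+)?$")

# Macro defined in include/mbedtls/version.h; the header text is constructed.
_HEADER_RE = re.compile(r'#define\s+MBEDTLS_VERSION_STRING\s+"([^"]+)"')

SAMPLE_HEADER = """
/* constructed excerpt of mbedtls/version.h */
#define MBEDTLS_VERSION_MAJOR  2
#define MBEDTLS_VERSION_MINOR  16
#define MBEDTLS_VERSION_PATCH  7
#define MBEDTLS_VERSION_STRING "2.16.7"
"""


def parse_version(text):
    """Turn '2.16.7-r1' into (2, 16, 7); reject anything that is not X.Y.Z[-rN]."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised mbedtls version: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_header(header_text):
    """Extract the MBEDTLS_VERSION_STRING value from a version.h text."""
    m = _HEADER_RE.search(header_text)
    if not m:
        raise ValueError("MBEDTLS_VERSION_STRING not found in header")
    return m.group(1)


def is_vulnerable(text):
    """True when the version is older than the first fixed release on its branch."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2], FIXED_MAINLINE)
    return v < fixed


def triage(versions):
    """Map each version string to its vulnerable/fixed verdict."""
    return {v: is_vulnerable(v) for v in versions}


if __name__ == "__main__":
    # The two ebuilds removed by the cleanup commit, and the two bumps that replaced them.
    for ver, vuln in triage(["2.16.7-r1", "2.23.0-r1", "2.16.8", "2.24.0"]).items():
        print(f"{ver:12} {'VULNERABLE' if vuln else 'fixed'}")
    print("header reports", version_from_header(SAMPLE_HEADER),
          "->", "VULNERABLE" if is_vulnerable(version_from_header(SAMPLE_HEADER)) else "fixed")
```

The branch lookup is what makes this more than a plain "less than 2.24.0" comparison: 2.16.8 is newer than the vulnerable 2.23.0 in terms of the fix even though it sorts lower numerically, so a naive comparison would flag a patched LTS install and miss nothing on the development line only by accident.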
Comment 1 Sam James archtester gentoo-dev Security 2020-09-02 19:22:24 UTC
Please bump to 2.16.8, 2.24.0, thanks!
Comment 2 Anthony Basile gentoo-dev 2020-09-03 15:38:25 UTC
(In reply to Sam James from comment #1)
> Please bump to 2.16.8, 2.24.0, thanks!

Okay the bumps are in the tree.  I did preliminary testing and everything seems good to go.  If you want, go ahead and convert this into a stabilization bug.
Comment 3 John Helmert III (ajak) gentoo-dev Security 2020-09-03 23:03:26 UTC
Thanks! CC-ARCHES when ready.
Comment 4 Sam James archtester gentoo-dev Security 2020-09-04 18:38:27 UTC
arm64 done
Comment 5 Sam James archtester gentoo-dev Security 2020-09-04 18:39:33 UTC
arm done
Comment 6 Sam James archtester gentoo-dev Security 2020-09-04 18:41:34 UTC
ppc64 stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2020-09-05 16:18:04 UTC
x86 stable
Comment 8 Sergei Trofimovich gentoo-dev 2020-09-08 07:11:25 UTC
ppc stable
Comment 9 Sam James archtester gentoo-dev Security 2020-09-12 23:57:18 UTC
amd64 stable, please cleanup
Comment 10 John Helmert III (ajak) gentoo-dev Security 2020-10-30 02:20:16 UTC
Ping
Comment 11 Larry the Git Cow gentoo-dev 2020-10-31 12:07:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84

commit a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-10-30 15:29:24 +0000
Commit:     Anthony G. Basile <blueness@gentoo.org>
CommitDate: 2020-10-31 12:07:03 +0000

    net-libs/mbedtls: security cleanup
    
    Bug: https://bugs.gentoo.org/740108
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Signed-off-by: Anthony G. Basile <blueness@gentoo.org>

 net-libs/mbedtls/Manifest                 |  2 -
 net-libs/mbedtls/mbedtls-2.16.7-r1.ebuild | 94 -------------------------------
 net-libs/mbedtls/mbedtls-2.23.0-r1.ebuild | 94 -------------------------------
 3 files changed, 190 deletions(-)
Comment 12 Anthony Basile gentoo-dev 2020-10-31 12:08:52 UTC
(In reply to Larry the Git Cow from comment #11)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
> 
> commit a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
> Author:     John Helmert III <jchelmert3@posteo.net>
> AuthorDate: 2020-10-30 15:29:24 +0000
> Commit:     Anthony G. Basile <blueness@gentoo.org>
> CommitDate: 2020-10-31 12:07:03 +0000
> 
>     net-libs/mbedtls: security cleanup
>     
>     Bug: https://bugs.gentoo.org/740108
>     Package-Manager: Portage-3.0.8, Repoman-3.0.2
>     Signed-off-by: John Helmert III <jchelmert3@posteo.net>
>     Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
> 
>  net-libs/mbedtls/Manifest                 |  2 -
>  net-libs/mbedtls/mbedtls-2.16.7-r1.ebuild | 94
> -------------------------------
>  net-libs/mbedtls/mbedtls-2.23.0-r1.ebuild | 94
> -------------------------------
>  3 files changed, 190 deletions(-)

Thanks for the reminder.
Comment 13 John Helmert III (ajak) gentoo-dev Security 2020-11-01 23:02:47 UTC
(In reply to Anthony Basile from comment #12)
> (In reply to Larry the Git Cow from comment #11)
> > The bug has been referenced in the following commit(s):
> > 
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
> > 
> > commit a1bdf75cfef9f25bf8ee50237a5620c5a0ec0a84
> > Author:     John Helmert III <jchelmert3@posteo.net>
> > AuthorDate: 2020-10-30 15:29:24 +0000
> > Commit:     Anthony G. Basile <blueness@gentoo.org>
> > CommitDate: 2020-10-31 12:07:03 +0000
> > 
> >     net-libs/mbedtls: security cleanup
> >     
> >     Bug: https://bugs.gentoo.org/740108
> >     Package-Manager: Portage-3.0.8, Repoman-3.0.2
> >     Signed-off-by: John Helmert III <jchelmert3@posteo.net>
> >     Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
> > 
> >  net-libs/mbedtls/Manifest                 |  2 -
> >  net-libs/mbedtls/mbedtls-2.16.7-r1.ebuild | 94
> > -------------------------------
> >  net-libs/mbedtls/mbedtls-2.23.0-r1.ebuild | 94
> > -------------------------------
> >  3 files changed, 190 deletions(-)
> 
> Thanks for the reminder.

Thanks for merging!
Comment 14 NATTkA bot gentoo-dev 2020-11-01 23:04:52 UTC
Resetting sanity check; package list is empty or all packages are done.