Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Feb 2015 12:59:57 +0100
From: Florent Daigniere <>
Subject: CVE request: RFC 4253 section 8 wooes


RFC 4253 section 8 describes how the DiffieHellman exchange is done in
SSH... It mandates a few sanity bound-checks (for both the values of
exponents and exponentials) that some implementations are not doing...

Can you please assign three CVEs for the following bugs?

MATTA-2015-002 PuTTY
will be fixed in the upcoming release (0.64 I think)
- The exponential is not checked for trivial values

MATTA-2015-001 Dropbox
fixed in:
- The exponential is not checked for all trivial values (it just does
what the RFC mandates, which is clearly not enough!)
- The exponent picked might be a trivial value (this is theoretical more
than anything else assuming the CSPRNG is working). It's a regression
from 0.49

Further details and a full advisory will be published at
when the patches are in a released build. Our current understanding is
that no third party can take advantage of those bugs unless both the
client and the server are vulnerable AND either side picks a weak
exponent. The likelihood of that happening in practice is almost nil and
the impact limited in any case.


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ