Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 14 Jan 2016 11:33:28 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Jason Buberel <jbuberel@...gle.com>
Subject: Re: [security] Go security release v1.5.3

On Wed, Jan 13, 2016 at 09:06:57PM +0000, Jason Buberel wrote:
> A security-related issue has been reported in Go's math/big package. The
> issue was introduced in Go 1.5. We recommend that all users upgrade to Go
> 1.5.3, which fixes the issue. Go programs must be recompiled with Go 1.5.3
> in order to receive the fix.
> 
> The Go team would like to thank Nick Craig-Wood for identifying the issue.
> 
> This issue can affect RSA computations in crypto/rsa, which is used by
> crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA
> private key due to this issue. Other protocol implementations that create
> many RSA signatures could also be impacted in the same way.
> 
> Specifically, incorrect results in one part of the RSA Chinese Remainder
> computation can cause the result to be incorrect in such a way that it
> leaks one of the primes. While RSA blinding should prevent an attacker from
> crafting specific inputs that trigger the bug, on 32-bit systems the bug
> can be expected to occur at random around one in 2^26 times. Thus
> collecting around 64 million signatures (of known data) from an affected
> server should be enough to extract the private key used.
> 
> On 64-bit systems, the frequency of the bug is so low (less than one in
> 2^50) that it would be very difficult to exploit. Nonetheless, everyone is
> strongly encouraged to upgrade.
> 
> Go 1.6 will include include a change to double-check the RSA computation,
> which is a generic countermeasure to this class of bug.

A concern here is that this might increase side-channel leaks.  Related
discussion:

http://www.openwall.com/lists/oss-security/2014/07/10/3
http://www.openwall.com/lists/oss-security/2014/07/10/5

I guess you intend to be careful with that?

> The CVE issue descriptions and fixes are linked below. Downloads are
> available at http://golang.org/dl for all supported platforms.
> 
> CVE-2015-8618
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8618
> 
> CLs fixing the issue:
> 
> https://go-review.googlesource.com/#/c/17672/
> https://go-review.googlesource.com/#/c/18491/

"Gerrit requires a JavaScript enabled browser."
OK, launched another browser. ;-)

Alexander

P.S. My extra excuse to post this and to over-quote is DMARC, which has
likely prevented delivery of the original @google.com message to some
recipients.  I know I got to workaround it in list configuration soon.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ