Date: Sat, 30 Jul 2016 10:16:58 -0400
From: Hanno Böck <hanno@...eck.de>
To: Huzaifa Sidhpurwala <huzaifas@...hat.com>
Cc: oss-security@...ts.openwall.com, Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks

On Fri, 29 Jul 2016 14:19:38 +0530
Huzaifa Sidhpurwala <huzaifas@...hat.com> wrote:

> The following whitepaper talks about libgcrypt's RSA code being
> vulnerable to a cache timing attack, which the paper claims is fixed
> in 1.6.3.
>
> It seems nettle is also vulnerable to this flaw, which was confirmed
> by upstream via:
> https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html
>
> The above link also contains a proposed patch, which will be committed soon.

FYI, this patch had some unintended side effects:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003104.html

They replaced GMP's mpz_powm with mpz_powm_sec; however, the latter is not equivalent. It requires odd moduli and will crash with a floating point exception if the modulus is even.

This is actually a bug class that may turn out to be interesting. I recently experienced something very similar (but more severe) in matrixssl (a writeup on that will follow as soon as I find time for it). Bignum libraries have certain conditions on how their input is formed and don't behave well if the input isn't what they expect. These conditions usually make sense in the average use case, but not necessarily if an attacker can control some of the input.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
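As an added illustration of the precondition discussed above (this is constructed example code, not from the message, nettle or GMP), the following Python models a Montgomery-reduction exponentiation. It assumes that the odd-modulus requirement of mpz_powm_sec comes from Montgomery reduction, which needs the modulus to be invertible modulo a power of two, and it shows the caller-side check that rejects an even modulus cleanly instead of letting it reach a routine that aborts.

```python
"""Constructed example: Montgomery-based modular exponentiation and why it
needs an odd modulus. Python ints are not constant-time; the point here is
the input precondition, not side-channel resistance."""


def mont_powm(base: int, exp: int, mod: int) -> int:
    """Montgomery-ladder exponentiation with Montgomery reduction (REDC).

    Preconditions mirror those documented for GMP's mpz_powm_sec: exp > 0
    and mod odd. Instead of crashing, an invalid modulus raises ValueError,
    which is what a caller handling attacker-supplied moduli wants.
    """
    if exp <= 0:
        raise ValueError("exponent must be > 0")
    if mod <= 0 or mod % 2 == 0:
        raise ValueError("modulus must be positive and odd")

    k = mod.bit_length()
    R = 1 << k                     # R = 2^k > mod; gcd(R, mod) == 1 iff mod is odd
    # Montgomery constant m' = -mod^-1 mod R. For an even mod this inverse
    # does not exist (pow() would raise), which is the mathematical root of
    # the odd-modulus precondition.
    m_prime = (-pow(mod, -1, R)) % R

    def redc(t: int) -> int:
        # Reduce t (0 <= t < mod * R) to t * R^-1 mod mod without division.
        u = (t + ((t * m_prime) & (R - 1)) * mod) >> k
        return u - mod if u >= mod else u

    base_m = (base % mod) * R % mod   # base in Montgomery form
    r0 = R % mod                      # 1 in Montgomery form
    r1 = base_m
    # Montgomery ladder: the same two multiplications per bit regardless of
    # the bit value, the structure constant-time implementations build on.
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = redc(r0 * r1)
            r0 = redc(r0 * r0)
        else:
            r0 = redc(r0 * r1)
            r1 = redc(r1 * r1)
    return redc(r0)                   # convert the result back from Montgomery form


def checked_powm_sec(base: int, exp: int, mod: int) -> int:
    """Caller-side guard a library user should add when swapping a general
    powm for a 'sec' variant: validate the modulus before the call."""
    if mod % 2 == 0:
        raise ValueError("even modulus not acceptable for mpz_powm_sec-style routines")
    return mont_powm(base, exp, mod)
```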