Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 22 Mar 2018 13:09:29 +0100
From: zugtprgfwprz@...rnkuller.de
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSL: bug in modular exponentiation

Hi Guido,

On 20.03.2018 22:34, Guido Vranken wrote:
> My bignum fuzzer (https://github.com/guidovranken/bignum-fuzzer)
> running on Google's oss-fuzz recently found a bug in affecting
> constant-time modular exponentiation.

Interesting -- could you confirm that the effect of this bug is a
miscalculation? Or is it breaking the constant-time assertion?

> OpenSSL does not treat this as a security vulnerability. This is a
> heads-up to developers who rely on the affected code so they can
> review the impact on their applications on a case-by-case basis.

Do you have a pointer as to where this was discussed? Do you consider it
a security vulnerability? Can you give advice to developers of how to
mitigate this kind of issue?

Is it regarded a WONTFIX by OpenSSL or is it going to be fixed (just not
treated as security-criticial)? If so, do you know the fix version?

Cheers and best regards,
Johannes

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ