oss-security - Re: CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 9 Nov 2018 18:41:23 +0200
From: Billy Brumley <bbrumley@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-5407: new side-channel vulnerability on
 SMT/Hyper-Threading architectures

> Could you please confirm the following commits are sufficient to fix CVE-2018-5407?
>
>
> Elliptic curve scalar multiplication with timing attack defenses (CVE-2018-5407)
> https://git.openssl.org/?p=openssl.git;a=commit;h=aab7c770353b1dc4ba045938c8fb446dd1c4531e
>
> Address code style comments
> https://git.openssl.org/?p=openssl.git;a=commit;h=f06437c751d6f6ec7f4176518e2897f44dd58eb0
>
> ladder description: why it works
> https://git.openssl.org/?p=openssl.git;a=commit;h=33588c930d39d67d1128794dc7c85bae71af24ad
>
> Pass through
> https://git.openssl.org/?p=openssl.git;a=commit;h=f916a735bcdce496cebc7653a8ad2e72b333405a
>
> Move up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case
> https://git.openssl.org/?p=openssl.git;a=commit;h=b43ad53119c0ac2ecfa6e4356210ccda57e0d16b
>
> Remove superfluous NULL checks. Add Andy's BN_FLG comment.
> https://git.openssl.org/?p=openssl.git;a=commit;h=2172133d0dc58256bf776da074c0d1944fef15cb

It's a good start! But it's more than that. But it's Friday night so
it'll have to wait until Monday.

BBB

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.