Date: Mon, 12 Nov 2018 11:34:22 +0200
From: Billy Brumley <>
Subject: Re: CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures

> > If you are a package maintainer, and are putting together a patch set
> > for this, please reach out to me. My team can help test.
> >
> <snip>
> Could you please confirm the following commits are sufficient to fix CVE-2018-5407?

Some more technical advice below. Hope it helps!


# 1.0.1

That is EOL. Try your luck with porting the 1.0.2 solution.

Shameless self plug: read Section 2

for a related discussion about EOL issues and security in the context
of OpenSSL.

# 1.0.2

Wait until this gets merged into OpenSSL_1_0_2-stable :

# 1.1.0 up to and including 1.1.0h

So I went through the process to patch this myself:

Of course I have no idea what 1.1.0 version you started with, or what
patches you're applying. So take this as more of a HOWTO build and
test your own patchset.

## CVE-2018-5407

git checkout OpenSSL_1_1_0h -b bbb_ecc_fix_110h
git cherry-pick aab7c770353b1dc4ba045938c8fb446dd1c4531e
git cherry-pick f06437c751d6f6ec7f4176518e2897f44dd58eb0
git cherry-pick 33588c930d39d67d1128794dc7c85bae71af24ad
git cherry-pick f916a735bcdce496cebc7653a8ad2e72b333405a
git cherry-pick b43ad53119c0ac2ecfa6e4356210ccda57e0d16b
git cherry-pick 2172133d0dc58256bf776da074c0d1944fef15cb
git cherry-pick cc39f9250957dfe6e9f1b62a4eca1863e8451483
git cherry-pick 7b3e775a6a78650bbd3e8e19a5aa12981880402b
git cherry-pick 5eee95a54de6854e60886c8e662a902184b12d04
git cherry-pick 875ba8b21ecc65ad9a6bdc66971e50461660fcbb
git checkout --theirs CHANGES
git add CHANGES
git cherry-pick --continue
git checkout OpenSSL_1_1_0h -- CHANGES
git add CHANGES
git commit -m "revert changelog diffs"
git rebase -i OpenSSL_1_1_0h

(I skipped 926b21117df939241f1cd63f2f9e3ab87819f0ed because it is not
related to CVE-2018-5407. See

for a lengthy discussion. I'm not familiar enough with the issue to
give advice on whether you need to pick it up or not.)

All of them cherry-pick cleanly except for the last one, but it's only
a trivial conflict with the changelog.

I checked the scalar multiplication code paths in ecdsatest with gdb
(break ec_mult.c:423), and indeed they are early exiting to the new
function when signing.

A lot of new regression testing went into 1.1.1. Some of it was
backported to 1.1.0:

So I fetched these KATs:

To run those tests, you also need to pick up this bug fix for
evp_test.c (this is for testing, not part of the CVE-2018-5407 fix):

git cherry-pick e35e5941e0b2f7af1cd56f07ee8d4eaf2b445132

Then rebuilt, and ran

$ test/evp_test /path/to/evppkey_ecc.txt
484 tests completed with 0 errors, 0 skipped

All of those (positive and negative) tests pass; they are for ECC
keygen and ECDH. I checked the scalar multiplication code paths with
gdb (break ec_mult.c:423), and indeed they all early exit to the new

## CVE-2018-0735

Apply this small fix on top:

git cherry-pick 56fb454d281a023b3f950d969693553d3f3ceea1
git cherry-pick 003f1bfd185267cc67ac9dc521a27d7a2af0d0ee
git rebase -i HEAD~2

Then of course rerun all the regression testing ("make test", as well as the
custom EVP tests described above).
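An added example, not from the mail above and not OpenSSL code: a small POSIX sh helper that automates the cherry-pick loop the mail walks through by hand. It resolves a conflict only when CHANGES is the sole unmerged file (keeping the base branch's copy, as the mail does), aborts and reports on any other conflict, and exposes two small checks for what actually landed. The repository it runs against is a constructed stand-in built by make_demo_repo (toy files named ec_mult.c and CHANGES, branches "stable" and "dev"), not the OpenSSL tree, and none of the real fix commit hashes are used. It assumes git and mktemp are on PATH.

```shell
#!/bin/sh
# Added example: a backport helper in the spirit of the cherry-pick
# sequence in the mail. NOT OpenSSL code, does not use the real fix
# commits; make_demo_repo builds a throwaway repo with stand-in
# ec_mult.c and CHANGES files so the whole thing runs offline.
# Assumes: git on PATH, mktemp(1).

# identity so that commits work without any git config present
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# backport_commits REPO BASE NEWBRANCH COMMIT...
# Cherry-picks each COMMIT onto BASE in NEWBRANCH. A conflict confined
# to CHANGES is resolved by keeping BASE's CHANGES (the mail's "revert
# changelog diffs"); any other conflict aborts the pick and returns 1,
# so a conflict in real code is never merged unreviewed.
backport_commits() {
    bp_repo="$1"; bp_base="$2"; bp_branch="$3"; shift 3
    git -C "$bp_repo" checkout -q -b "$bp_branch" "$bp_base" || return 1
    for bp_c in "$@"; do
        if git -C "$bp_repo" cherry-pick "$bp_c" >/dev/null 2>&1; then
            continue
        fi
        # the pick stopped: which paths are still unmerged?
        bp_unmerged=$(git -C "$bp_repo" diff --name-only --diff-filter=U)
        if [ "$bp_unmerged" = "CHANGES" ]; then
            git -C "$bp_repo" checkout "$bp_base" -- CHANGES
            git -C "$bp_repo" add CHANGES
            GIT_EDITOR=true git -C "$bp_repo" cherry-pick --continue \
                >/dev/null 2>&1 || return 1
        else
            echo "non-trivial conflict picking $bp_c:" >&2
            echo "$bp_unmerged" >&2
            git -C "$bp_repo" cherry-pick --abort
            return 1
        fi
    done
}

# number of commits NEWBRANCH carries on top of BASE
backport_count() { git -C "$1" rev-list --count "$2..$3"; }

# contents of FILE at REF, for checking what actually landed
file_at() { git -C "$1" show "$2:$3"; }

# Constructed demo repo: "stable" and "dev" fork from a common ancestor;
# stable rewrites the CHANGES header, dev carries fix1 (code only) and
# fix2 (code plus a CHANGES header that conflicts with stable's).
make_demo_repo() {
    md_repo=$(mktemp -d)
    git -C "$md_repo" init -q
    git -C "$md_repo" symbolic-ref HEAD refs/heads/stable
    printf 'int mul(int a) { return a; }\n' > "$md_repo/ec_mult.c"
    printf 'Changes between 1.1.0g and 1.1.0h\n' > "$md_repo/CHANGES"
    git -C "$md_repo" add -A
    git -C "$md_repo" commit -q -m "ancestor"
    printf 'Changes between 1.1.0h and 1.1.0i\n' > "$md_repo/CHANGES"
    git -C "$md_repo" commit -q -am "stable: new changelog header"
    git -C "$md_repo" checkout -q -b dev stable~1
    printf 'int mul(int a) { return a * 2; }\n' > "$md_repo/ec_mult.c"
    git -C "$md_repo" commit -q -am "fix1: code only"
    printf 'int mul(int a) { return a * 3; }\n' > "$md_repo/ec_mult.c"
    printf 'Changes between 1.1.0h and 1.1.1\n *) fix2\n' > "$md_repo/CHANGES"
    git -C "$md_repo" commit -q -am "fix2: code plus changelog"
    git -C "$md_repo" checkout -q stable
    echo "$md_repo"
}

# stand-alone run: fix1 picks cleanly, fix2 conflicts only in CHANGES
demo=$(make_demo_repo)
backport_commits "$demo" stable backport dev~1 dev
git -C "$demo" --no-pager log --oneline stable..backport
rm -rf "$demo"
```

Against a real checkout the call is backport_commits /path/to/openssl OpenSSL_1_1_0h my_fix_branch hash1 hash2 ...; the failure path is the part worth keeping: a conflict in anything other than CHANGES is a code conflict that needs a human, and the helper leaves the branch at the base ref with the pick aborted rather than half applied.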
