Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
OK to upload fix for https://bugs.debian.org/813679 (CVE-2015-8803
CVE-2015-8804 CVE-2015-8805), as
suggested by (a member of) the security team? (Security-related bugs but
unlikely to be exploitable.)
--
Magnus Holmgren
Debian Developer
diff -Nru nettle-2.7.1/debian/changelog nettle-2.7.1/debian/changelog
--- nettle-2.7.1/debian/changelog 2015-01-11 20:27:22.0 +0100
+++ nettle-2.7.1/debian/changelog 2016-02-07 19:52:57.0 +0100
@@ -1,3 +1,9 @@
+nettle (2.7.1-5+deb8u1) stable; urgency=low
+
+ * Fix CVE-2015-8803, CVE-2015-8804, and CVE-2015-8805 (Closes: #813679).
+
+ -- Magnus Holmgren Sat, 06 Feb 2016 20:01:37 +0100
+
nettle (2.7.1-5) unstable; urgency=medium
* Add code to transition /usr/share/doc/nettle-dbg from directory to
diff -Nru nettle-2.7.1/debian/patches/cve-2015-8803_8805.patch
nettle-2.7.1/debian/patches/cve-2015-8803_8805.patch
--- nettle-2.7.1/debian/patches/cve-2015-8803_8805.patch1970-01-01
01:00:00.0 +0100
+++ nettle-2.7.1/debian/patches/cve-2015-8803_8805.patch2016-02-07
19:40:25.0 +0100
@@ -0,0 +1,27 @@
+From: Niels Möller
+Origin: upstream,
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
+Subject: CVE-2015-8803 and CVE-2015-8805: Miscomputation bugs in secp-256r1
modulo functions.
+
+--- a/ecc-256.c
b/ecc-256.c
+@@ -108,7 +119,10 @@ ecc_256_modp (const struct ecc_curve *ec
+ u0 -= t;
+ t = (u1 < cy);
+ u1 -= cy;
+- u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);
++
++ cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);
++ u0 += cy;
++ u1 += (u0 < cy);
+ u1 -= (-t) & 0x;
+ }
+ rp[2] = u0;
+@@ -195,7 +209,7 @@ ecc_256_modq (const struct ecc_curve *ec
+
+ /* Conditional add of p */
+ u1 += t;
+- u2 += (t<<32) + (u0 < t);
++ u2 += (t<<32) + (u1 < t);
+
+ t = cnd_add_n (t, rp + n - 4, ecc->q, 2);
+ u1 += t;
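Review bot: Both carry fixes in ecc-256.c land without an explanatory comment, and the debdiff as shown adds no test vector for them, although these branches are only taken when a conditional add produces a carry, which ordinary test data rarely reaches. In ecc_256_modp the new `cy = cnd_add_n (t, rp + n - 4, ecc->p, 2); u0 += cy; u1 += (u0 < cy);` would benefit from a line such as `/* conditionally add the low two limbs of p; propagate the carry into u0, then u1 */`. In ecc_256_modq the corrected `u2 += (t<<32) + (u1 < t);` would benefit from `/* carry out of the preceding u1 += t */`, so a later backport does not reintroduce the wrong limb. Before the stable upload it is worth confirming that the package's test suite actually exercises these carry cases (upstream may ship vectors alongside the fix; that is not visible here), because a wrong secp256r1 reduction fails silently rather than crashing. Both function bodies start and end outside the quoted hunks.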
diff -Nru nettle-2.7.1/debian/patches/cve-2015-8804.patch
nettle-2.7.1/debian/patches/cve-2015-8804.patch
--- nettle-2.7.1/debian/patches/cve-2015-8804.patch 1970-01-01
01:00:00.0 +0100
+++ nettle-2.7.1/debian/patches/cve-2015-8804.patch 2016-02-06
19:50:51.0 +0100
@@ -0,0 +1,252 @@
+Origin: upstream,
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
+From: Niels Möller
+Subject: CVE-2015-8804: Carry folding bug in x86_64 ecc_384_modp.
+
+--- a/x86_64/ecc-384-modp.asm
b/x86_64/ecc-384-modp.asm
+@@ -20,7 +20,7 @@ C MA 02111-1301, USA.
+ .file "ecc-384-modp.asm"
+
+ define(, <%rsi>)
+-define(, <%rax>)
++define(, <%rax>)
+ define(, <%rbx>)
+ define(, <%rcx>)
+ define(, <%rdx>)
+@@ -35,8 +35,8 @@ define(, <%r13>)
+ define(, <%r14>)
+ define(, <%r15>)
+ define(, H5) C Overlap
+-define(, RP) C Overlap
+-define(, H4) C Overlap
++define(, RP) C Overlap
++
+
+ PROLOGUE(nettle_ecc_384_modp)
+ W64_ENTRY(2, 0)
+@@ -48,34 +48,38 @@ PROLOGUE(nettle_ecc_384_modp)
+ push%r14
+ push%r15
+
+- C First get top 2 limbs, which need folding twice
++ C First get top 2 limbs, which need folding twice.
++ C B^10 = B^6 + B^4 + 2^32 (B-1)B^4.
++ C We handle the terms as follow:
+ C
+- C H5 H4
+- C -H5
+- C --
+- C H0 D4
++ C B^6: Folded immediatly.
+ C
+- C Then shift right, (H1,H0,D4) <-- (H0,D4) << 32
+- C and add
++ C B^4: Delayed, added in in the next folding.
+ C
+- C H5 H4
+- C H1 H0
+- C --
+- C C2 H1 H0
+-
+- mov 80(RP), D4
+- mov 88(RP), H0
+- mov D4, H4
+- mov H0, H5
+- sub H0, D4
+- sbb $0, H0
+-
+- mov D4, T2
+- mov H0, H1
+- shl $32, H0
+- shr $32, T2
++ C 2^32(B-1) B^4: Low half limb delayed until the next
++ C folding. Top 1.5 limbs subtracted and shifter now, resulting
++ C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added
++ C in.
++
++ mov 80(RP), H4
++ mov 88(RP), H5
++ C Shift right 32 bits, into H1, H0
++ mov H4, H0
++ mov H5, H1
++ mov H5, D5
+ shr $32, H1
+- or T2, H0
++ shl $32, D5
++ shr $32, H0
++ or D5, H0
++
++ C H1 H0
++ C - H1 H0
++ C
++ C H1 H0 D5
++ mov H0, D5
++ neg D5
++ sbb H1, H0
++ sbb $0, H1
+
+ xor C2, C2
+ add H4, H0
+@@ -114,118 +118,95 @@ PROLOGUE(nettle_ecc_384_modp)
+ adc H3, T5
+ adc $0, C0
+
+- C H3 H2 H1 H0 0
+- C - H4 H3 H2 H1 H0
+- C ---
+- C H3 H2 H1