--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal
X-Debbugs-Cc: ametz...@bebt.de, car...@debian.org
Hello Stable Release Managers,
Here is a debdiff for a proposed upload to address CVE-2016-6489 ("RSA code is
vulnerable to cache sharing related attacks") in jessie, which the Security
Team thinks should be done but which doesn't warrant a DSA.
I added a Breaks: libgnutls-deb0-28 (<< 3.3.8-6+deb8u4) to libhogweed2 to
ensure that libgnutls is upgraded first in order to prevent crashes that could
in theory occur if nettle_rsa_private_key_prepare() isn't called to check that
the private key is valid (see https://bugs.debian.org/840191). The latest
Nettle library includes extra safety checks to work with incorrect callers but
those can't be backported so easily.
--
Magnus Holmgren holmg...@debian.org
Debian Developer
diff -Nru nettle-2.7.1/debian/changelog nettle-2.7.1/debian/changelog
--- nettle-2.7.1/debian/changelog 2016-02-07 19:52:57.000000000 +0100
+++ nettle-2.7.1/debian/changelog 2016-11-05 17:37:13.000000000 +0100
@@ -1,8 +1,17 @@
+nettle (2.7.1-5+deb8u2) stable; urgency=medium
+
+ * [SECURITY] cve-2016-6489.patch: Protect against potential side-channel
+ attacks against exponentiation operations as described in
+ CVE-2016-6489 "RSA code is vulnerable to cache sharing related
+ attacks" (Closes: #832983).
+
+ -- Magnus Holmgren <holmg...@debian.org> Sat, 05 Nov 2016 17:37:13 +0100
+
nettle (2.7.1-5+deb8u1) stable; urgency=low
* Fix CVE-2015-8803, CVE-2015-8804, and CVE-2015-8805 (Closes: #813679).
- -- Magnus Holmgren <holmg...@debian.org> Sat, 06 Feb 2016 20:01:37 +0100
+ -- Magnus Holmgren <holmg...@debian.org> Tue, 09 Feb 2016 20:57:42 +0100
nettle (2.7.1-5) unstable; urgency=medium
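Review bot: this hunk also rewrites the trailer of the already-released 2.7.1-5+deb8u1 entry (from "Sat, 06 Feb 2016 20:01:37 +0100" to "Tue, 09 Feb 2016 20:57:42 +0100"); a stable update should not alter a published changelog entry, so either drop that line from the debdiff or say in the cover letter which date matches the version in the archive. Separately, the new deb8u2 entry does not mention the `Breaks: libgnutls-deb0-28 (<< 3.3.8-6+deb8u4)` added to debian/control; add a bullet for it referencing #840191, since that is the part of the upload the release managers most need to see.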
diff -Nru nettle-2.7.1/debian/control nettle-2.7.1/debian/control
--- nettle-2.7.1/debian/control 2015-01-11 20:27:22.000000000 +0100
+++ nettle-2.7.1/debian/control 2016-11-05 17:36:28.000000000 +0100
@@ -36,6 +36,7 @@
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}
+Breaks: libgnutls-deb0-28 (<< 3.3.8-6+deb8u4)
Description: low level cryptographic library (public-key cryptos)
Nettle is a cryptographic library that is designed to fit easily in more or
less any context: In crypto toolkits for object-oriented languages (C++,
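Review bot: the Breaks only works if gnutls28 3.3.8-6+deb8u4 is already in jessie or lands in the same point release; otherwise libhogweed2 becomes uninstallable next to the current libgnutls-deb0-28. The cover letter should state which gnutls28 upload carries that version and that it is the one adding the rsa_private_key_prepare() call. Note also that Breaks orders the upgrade against gnutls only; any other reverse dependency of libhogweed2 that passes an unprepared key to the RSA code hits the same mpz_powm_sec abort, so a quick pass over `apt-cache rdepends libhogweed2` for other callers is worth mentioning in the request.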
diff -Nru nettle-2.7.1/debian/patches/cve-2016-6489.patch nettle-2.7.1/debian/patches/cve-2016-6489.patch
--- nettle-2.7.1/debian/patches/cve-2016-6489.patch 1970-01-01 01:00:00.000000000 +0100
+++ nettle-2.7.1/debian/patches/cve-2016-6489.patch 2016-08-04 20:05:32.000000000 +0200
@@ -0,0 +1,87 @@
+Description: Protect against side-channel attacks against exponentiation operations
+ See https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html
+Bug-Debian: https://bugs.debian.org/832983
+
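Review bot: the DEP-3 header carries only Description and Bug-Debian; add `Origin:` pointing at the upstream commit the mailing-list post corresponds to, plus `Author:` and `Last-Update:`, so a later maintainer can tell whether this is the upstream fix verbatim or a backport of it.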
+--- a/dsa-sign.c
++++ b/dsa-sign.c
+@@ -47,6 +47,11 @@ _dsa_sign(const struct dsa_public_key *p
+ mpz_t h;
+ mpz_t tmp;
+
++ /* Check that p is odd, so that invalid keys don't result in a crash
++ inside mpz_powm_sec. */
++ if (mpz_even_p (pub->p))
++ return 0;
++
+ /* Require precise match of bitsize of q and hash size. The general
+ description of DSA in FIPS186-3 allows both larger and smaller q;
+ in the the latter case, the hash must be truncated to the right
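Review bot: the new guard returns 0 for an even p, which overloads the same return value the existing size check a few lines below uses for "q and hash size do not match"; callers of dsa_sha1_sign/dsa_sha256_sign get no way to tell the two apart. That is acceptable for a stable update, but the patch Description (or the API documentation shipped in the package, if any) should state that a 0 return now also covers an invalid key, so callers do not treat it as a transient failure and retry.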
+@@ -63,7 +68,7 @@ _dsa_sign(const struct dsa_public_key *p
+ mpz_add_ui(k, k, 1);
+
+ /* Compute r = (g^k (mod p)) (mod q) */
+- mpz_powm(tmp, pub->g, k, pub->p);
++ mpz_powm_sec(tmp, pub->g, k, pub->p);
+ mpz_fdiv_r(signature->r, tmp, pub->q);
+
+ /* Compute hash */
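Review bot: mpz_powm_sec also requires a strictly positive exponent, and that holds here only because of the `mpz_add_ui(k, k, 1);` two lines above the call; a one-line comment at the mpz_powm_sec call noting that dependency would keep a later change to the k selection from silently violating the precondition.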
+--- a/rsa-blind.c
++++ b/rsa-blind.c
+@@ -53,7 +53,7 @@ _rsa_blind (const struct rsa_public_key
+ while (!mpz_invert (ri, r, pub->n));
+
+ /* c = c*(r^e) mod n */
+- mpz_powm(r, r, pub->e, pub->n);
++ mpz_powm_sec(r, r, pub->e, pub->n);
+ mpz_mul(c, c, r);
+ mpz_fdiv_r(c, c, pub->n);
+
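Review bot: the blinding path is only partly hardened by this hunk: the loop `while (!mpz_invert (ri, r, pub->n));` above is left as it is, so the secret per-operation blinding factor r still goes through mpz_invert, which has no side-channel guarantee, while only the `r^e mod n` step moves to mpz_powm_sec. Worth a sentence in the patch Description so nobody reads the CVE as fully covering rsa-blind.c.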
+--- a/rsa-sign.c
++++ b/rsa-sign.c
+@@ -88,11 +88,11 @@ rsa_compute_root(const struct rsa_privat
+
+ /* Compute xq = m^d % q = (m%q)^b % q */
+ mpz_fdiv_r(xq, m, key->q);
+- mpz_powm(xq, xq, key->b, key->q);
++ mpz_powm_sec(xq, xq, key->b, key->q);
+
+ /* Compute xp = m^d % p = (m%p)^a % p */
+ mpz_fdiv_r(xp, m, key->p);
+- mpz_powm(xp, xp, key->a, key->p);
++ mpz_powm_sec(xp, xp, key->a, key->p);
+
+ /* Set xp' = (xp - xq) c % p. */
+ mpz_sub(xp, xp, xq);
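Review bot: the exponents key->b and key->a now feed mpz_powm_sec, which aborts on a non-positive exponent, but the only validation this patch adds is the even-modulus test in rsa.c; a malformed private key with a zero CRT exponent still crashes inside the exponentiation. Add `mpz_sgn(key->a) > 0` and `mpz_sgn(key->b) > 0` checks to rsa_private_key_prepare next to the even-n test. The odd-modulus requirement on key->p and key->q individually is covered by checking n = p*q, as the testsuite hunk for an even p relies on.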
+--- a/rsa.c
++++ b/rsa.c
+@@ -56,7 +56,13 @@ unsigned
+ _rsa_check_size(mpz_t n)
+ {
+ /* Round upwards */
+- unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;
++ unsigned size;
++
++ /* Even moduli are invalid, and not supported by mpz_powm_sec. */
++ if (mpz_even_p (n))
++ return 0;
++
++ size = (mpz_sizeinbase(n, 2) + 7) / 8;
+
+ if (size < RSA_MINIMUM_N_OCTETS)
+ return 0;
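Review bot: the `/* Round upwards */` comment now sits above the bare `unsigned size;` declaration, separated from the computation it describes; move it down to the `size = (mpz_sizeinbase(n, 2) + 7) / 8;` line. Also note that this guard is only evaluated through rsa_public_key_prepare/rsa_private_key_prepare; rsa_compute_root still hands whatever p and q it is given straight to mpz_powm_sec, which is the gap the cover letter's Breaks is papering over for gnutls and nothing else.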
+--- a/testsuite/rsa-test.c
++++ b/testsuite/rsa-test.c
+@@ -57,6 +57,13 @@ test_main(void)
+
+ test_rsa_sha512(&pub, &key, expected);
+
++ /* Test detection of invalid keys with even modulo */
++ mpz_clrbit (pub.n, 0);
++ ASSERT (!rsa_public_key_prepare (&pub));
++
++ mpz_clrbit (key.p, 0);
++ ASSERT (!rsa_private_key_prepare (&key));
++
+ /* 777-bit key, generated by
+ *
+ * lsh-keygen -a rsa -l 777 -f advanced-hex
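Review bot: after `mpz_clrbit (pub.n, 0);` and `mpz_clrbit (key.p, 0);` the pub and key structures are left invalid; confirm that the 777-bit key block that follows reassigns every field (n, e, p, q, a, b, c) before they are reused, or restore the bits with mpz_setbit right after the two ASSERTs so the test does not depend on that ordering. Also, nothing in this patch exercises the new even-p guard in _dsa_sign; a matching case in testsuite/dsa-test.c that clears bit 0 of the DSA p and asserts the sign call returns 0 would cover it.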
diff -Nru nettle-2.7.1/debian/patches/series nettle-2.7.1/debian/patches/series
--- nettle-2.7.1/debian/patches/series 2016-02-06 19:26:59.000000000 +0100
+++ nettle-2.7.1/debian/patches/series 2016-10-30 22:15:09.000000000 +0100
@@ -1,3 +1,4 @@
fPIC.patch
cve-2015-8803_8805.patch
cve-2015-8804.patch
+cve-2016-6489.patch
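The cover letter above warns about crashes when nettle_rsa_private_key_prepare() is skipped and an invalid (even) modulus reaches mpz_powm_sec. As an added illustration, not code from nettle, Debian or the patch author, here is a Python model of the two things the patch does: an exponentiation whose operation sequence does not depend on the exponent bits (a Montgomery ladder standing in for GMP's mpz_powm_sec, beside the square-and-multiply shape it replaces) and a key-preparation check that rejects an even modulus before any exponentiation runs. The tiny RSA key (p=61, q=53, d=2753) is constructed for the demo; the names RsaPrivateKey, rsa_private_key_prepare, rsa_compute_root, powm_ladder and powm_naive are this example's own, chosen to echo nettle's. The positivity check on the CRT exponents goes beyond what the patch adds. Python integers are not constant-time, so what the ladder makes exponent-independent here is the operation count, not wall-clock time.

```python
"""Added example (not nettle/Debian code): exponent-independent operation
sequence plus the operand checks mpz_powm_sec needs (odd modulus, exp > 0),
enforced at key-preparation time instead of aborting inside the exponentiation.
All key material below is tiny and constructed for illustration only."""
from dataclasses import dataclass
from typing import Dict, Optional


class InvalidKey(ValueError):
    """Raised for operands GMP's mpz_powm_sec would abort on."""


def check_powm_sec_operands(exp: int, mod: int) -> None:
    """mpz_powm_sec requires exp > 0 and an odd modulus."""
    if exp <= 0:
        raise InvalidKey("exponent must be positive")
    if mod % 2 == 0:
        raise InvalidKey("modulus must be odd")


def powm_sec_accepts(exp: int, mod: int) -> bool:
    """True if the operands pass the mpz_powm_sec preconditions."""
    try:
        check_powm_sec_operands(exp, mod)
        return True
    except InvalidKey:
        return False


def new_ops() -> Dict[str, int]:
    return {"sq": 0, "mul": 0}


def powm_naive(base: int, exp: int, mod: int, ops: Dict[str, int]) -> int:
    """Left-to-right square-and-multiply: a multiply happens only for set
    bits, so the operation count (and cache footprint) reveals the exponent's
    Hamming weight. This is the shape of the mpz_powm path being replaced."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops["sq"] += 1
        if bit == "1":
            result = result * base % mod
            ops["mul"] += 1
    return result


def powm_ladder(base: int, exp: int, mod: int, ops: Dict[str, int]) -> int:
    """Montgomery ladder: exactly one multiply and one square per exponent bit,
    whatever the bit's value. Invariant: r1 == r0 * base (mod mod). GMP also
    removes the branch below with table lookups; this model only makes the
    operation sequence exponent-independent."""
    check_powm_sec_operands(exp, mod)
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        ops["mul"] += 1
        ops["sq"] += 1
    return r0


@dataclass
class RsaPrivateKey:
    """nettle's field names: a = d mod (p-1), b = d mod (q-1), c = q^-1 mod p."""
    p: int
    q: int
    a: int
    b: int
    c: int


def rsa_private_key_prepare(key: RsaPrivateKey) -> bool:
    """The patch's check: an even n = p*q means an invalid key, rejected here
    so it never reaches the exponentiation. The a > 0 and b > 0 test is an
    addition of this example (mpz_powm_sec also needs a positive exponent)."""
    if (key.p * key.q) % 2 == 0:
        return False
    return key.a > 0 and key.b > 0


def rsa_compute_root(key: RsaPrivateKey, m: int,
                     ops: Optional[Dict[str, int]] = None) -> int:
    """CRT private-key operation with the structure of nettle's rsa_compute_root,
    using the ladder where the patch uses mpz_powm_sec."""
    if ops is None:
        ops = new_ops()
    xq = powm_ladder(m % key.q, key.b, key.q, ops)  # m^d mod q
    xp = powm_ladder(m % key.p, key.a, key.p, ops)  # m^d mod p
    h = (xp - xq) * key.c % key.p                   # xp' = (xp - xq) c mod p
    return xq + key.q * h                           # x = xq + q * xp'


# Constructed textbook key: p=61, q=53, n=3233, e=17, d=2753 (illustration only).
P, Q, D = 61, 53, 2753
KEY = RsaPrivateKey(p=P, q=Q, a=D % (P - 1), b=D % (Q - 1), c=pow(Q, -1, P))
EVEN_P_KEY = RsaPrivateKey(p=P - 1, q=Q, a=KEY.a, b=KEY.b, c=KEY.c)


def demo() -> dict:
    """Operation counts for two 6-bit exponents of different weight, the
    prepare verdicts for the valid and the even-p key, and one CRT root."""
    counts = {}
    for name, fn in (("naive", powm_naive), ("ladder", powm_ladder)):
        heavy, light = new_ops(), new_ops()
        fn(2790, 0b111111, 3233, heavy)
        fn(2790, 0b100000, 3233, light)
        counts[name] = (heavy, light)
    counts["prepare_ok"] = rsa_private_key_prepare(KEY)
    counts["prepare_even_p"] = rsa_private_key_prepare(EVEN_P_KEY)
    counts["root"] = rsa_compute_root(KEY, 2790)  # 65^17 mod 3233 == 2790
    return counts


if __name__ == "__main__":
    print(demo())
```

Running the block shows the naive multiply count tracking the exponent's weight (6 versus 1 for the two 6-bit exponents) while the ladder performs 6 multiplies and 6 squares for both, and that the even-p key is refused by rsa_private_key_prepare before rsa_compute_root could hand it to the exponentiation, which is exactly the ordering the Breaks in debian/control exists to guarantee for gnutls.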
--- End Message ---