GNU bug report logs - #31831
CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries


Package: guix; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: security; dated Thu, 14 Jun 2018 19:24:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at 31831 <at> debbugs.gnu.org:


Date: Mon, 18 Jun 2018 12:35:56 -0400
From: Leo Famulari <leo@HIDDEN>
To: 31831 <at> debbugs.gnu.org
Subject: Re: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto
 Libraries
On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:
> I'll try OpenSSL next.

Patches pushed for both OpenSSL branches, closing bugs 31833 and 31834.


Information forwarded to bug-guix@HIDDEN:
bug#31831; Package guix. Full text available.

Message received at 31831 <at> debbugs.gnu.org:


Date: Thu, 14 Jun 2018 16:45:41 -0400
From: Leo Famulari <leo@HIDDEN>
To: 31831 <at> debbugs.gnu.org
Subject: Re: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto
 Libraries
On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:
> I'll try OpenSSL next.

I sent patches for both branches of OpenSSL:

version 1.0.2:

<https://bugs.gnu.org/31834>

version 1.1.0:

<https://bugs.gnu.org/31833>


Message received at 31831 <at> debbugs.gnu.org:


From: Gábor Boskovits <boskovits@HIDDEN>
Date: Thu, 14 Jun 2018 22:44:08 +0200
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple
 Crypto Libraries
To: Leo Famulari <leo@HIDDEN>
2018-06-14 21:53 GMT+02:00 Gábor Boskovits <boskovits@HIDDEN>:

> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@HIDDEN>:
>
>> I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!
>>
>> I'll try OpenSSL next.
>>
>
> I'll try libressl.
>
Here it is: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31832


Message received at 31831 <at> debbugs.gnu.org:


Date: Thu, 14 Jun 2018 16:06:08 -0400
From: Leo Famulari <leo@HIDDEN>
To: Gábor Boskovits <boskovits@HIDDEN>
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple
 Crypto Libraries
> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@HIDDEN>:
> > I'll try OpenSSL next.

They committed a fix but haven't released an update yet:

https://github.com/openssl/openssl/commit/a3e9d5aa980f238805970f420adf5e903d35bf09

There is also an unrelated security advisory for a DoS bug from 2 days
ago:

https://www.openssl.org/news/secadv/20180612.txt

I'll try grafting these patches.


Message received at 31831 <at> debbugs.gnu.org:


From: Gábor Boskovits <boskovits@HIDDEN>
Date: Thu, 14 Jun 2018 21:53:30 +0200
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple
 Crypto Libraries
To: Leo Famulari <leo@HIDDEN>
2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@HIDDEN>:

> I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!
>
> I'll try OpenSSL next.
>

I'll try libressl.


Message received at 31831 <at> debbugs.gnu.org:


Date: Thu, 14 Jun 2018 15:50:49 -0400
From: Leo Famulari <leo@HIDDEN>
To: 31831 <at> debbugs.gnu.org
Subject: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!

I'll try OpenSSL next.


Message received at submit <at> debbugs.gnu.org:


Date: Thu, 14 Jun 2018 15:22:11 -0400
From: Leo Famulari <leo@HIDDEN>
To: bug-guix@HIDDEN
Subject: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Message-ID: <20180614192211.GA21522@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="gBBFr7Ir9EOA20Yy"
Content-Disposition: inline
User-Agent: Mutt/1.10.0 (2018-05-17)


--gBBFr7Ir9EOA20Yy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Recently a new side-channel key extraction technique was published as
CVE-2018-0495, and it affects a lot of the cryptographic libraries we
package:

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/?style=Cyber+Security

An excerpt from that advisory:

------
We analyzed the source code of several open source cryptographic
libraries to see if they contain the vulnerable code pattern in the code
for ECDSA, DSA, or both. This list is accurate to the best of our
knowledge, but it is not exhaustive. Only the first group was affected
by this finding; the other three groups are not thought to be
vulnerable.

Contains vulnerable pattern: CryptLib (Both), LibreSSL (Both), Mozilla
NSS (Both), Botan (ECDSA), OpenSSL (ECDSA), WolfCrypt (ECDSA), Libgcrypt
(ECDSA), LibTomCrypt (ECDSA), LibSunEC (ECDSA), MatrixSSL (ECDSA),
BoringSSL (DSA)

Non-constant math, but different pattern: BouncyCastle, Crypto++, Golang
crypto/tls, C#/Mono, mbedTLS, Trezor Crypto, Nettle (DSA)

Constant time-math: Nettle (ECDSA), BearSSL, Libsecp256k1

Does not implement either: NaCl
------

Note that libtomcrypt is bundled in the Dropbear SSH implementation.

I'm going to test the libgcrypt update now.

I'd like for other Guix hackers to "claim" an affected package in this
thread, and then investigate and test the fixes. Please make new debbugs
tickets on guix-patches for each bug-fix patch you propose, and send the
links to those tickets here.

--gBBFr7Ir9EOA20Yy--




Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#31831; Package guix.
Last modified: Wed, 27 Jun 2018 21:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.