Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#45498 - [crypto++] CVE-2015-2141: private key recovery

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Monday, 29 June 2015, 09:00 GMT
Last edited by Allan McRae (Allan) - Friday, 24 July 2015, 11:58 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Giovanni Scafora (giovanni)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Hello,

A security issue have been found [1][2] in crypto++ <= 5.6.2, allowing the recovery of the private key when using Rabin-Williams signatures, due to a bad interaction with the blinding value used to mask private key operations. A fix [3] for this issue has been committed, but it's not clear whether a new release is to be expected. The patch [4] corresponding to the fix applies cleanly on 5.6.2, so I believe we should backport it until a new release is available.

[1]: https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2015-June/015585.html
[2]: https://eprint.iacr.org/2015/368.pdf
[3]: https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff
[4]: https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff.patch
This task depends upon

Closed by  Allan McRae (Allan)
Friday, 24 July 2015, 11:58 GMT
Reason for closing:  Fixed
Additional comments about closing:  crypto++-5.6.2-3
Comment by Levente Polyak (anthraxx) - Wednesday, 01 July 2015, 12:24 GMT
would be awesome if we could handle this issue,
thanks in advise

Loading...