FS#45498 - [crypto++] CVE-2015-2141: private key recovery

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Monday, 29 June 2015, 09:00 GMT
Last edited by Allan McRae (Allan) - Friday, 24 July 2015, 11:58 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Giovanni Scafora (giovanni)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Hello,

A security issue has been found [1][2] in crypto++ <= 5.6.2, allowing the recovery of the private key when using Rabin-Williams signatures, due to a bad interaction with the blinding value used to mask private key operations. A fix [3] for this issue has been committed, but it's not clear whether a new release is to be expected. The patch [4] corresponding to the fix applies cleanly on 5.6.2, so I believe we should backport it until a new release is available.

[1]: https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2015-June/015585.html
[2]: https://eprint.iacr.org/2015/368.pdf
[3]: https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff
[4]: https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff.patch
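The report above only describes the flaw as "a bad interaction with the blinding value". As an added illustration (this is not crypto++ code, and it does not reproduce the actual bug or the change in the linked commit), the following Python toy models the Rabin-Williams private-key operation: the tweaks e, f are chosen from the unblinded hash, blinding multiplies the target by r^2 (which preserves quadratic residuosity modulo p and q, so the tweak choice is unaffected), and the signer verifies its own output before releasing it, so a root that does not square back to e*f*h is withheld rather than handed to a verifier. The primes, the hash values and the RNG seed are constructed for the example.

```python
import random
from math import gcd

# Toy Rabin-Williams parameters, constructed for illustration only.
# Real keys are large; the tweak rules below need p ≡ 3 (mod 8) and q ≡ 7 (mod 8).
P, Q = 43, 47
N = P * Q

# Deterministic RNG so the example is reproducible; a real signer uses secrets/os.urandom.
RNG = random.Random(2015)


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def sqrt_mod_prime(a, p):
    """Square root of a quadratic residue a modulo p, valid because p ≡ 3 (mod 4)."""
    return pow(a % p, (p + 1) // 4, p)


def crt(xp, xq, p, q):
    """Combine residues modulo p and q into one residue modulo p*q."""
    return (xp + p * (((xq - xp) * pow(p, -1, q)) % q)) % (p * q)


def choose_tweaks(h, p, q):
    """Pick e in {1,-1} and f in {1,2} so that e*f*h is a square modulo both p and q.

    With p ≡ 3 (mod 8) and q ≡ 7 (mod 8): -1 is a non-residue mod both primes,
    2 is a non-residue mod p but a residue mod q, so the four cases are covered.
    """
    lp, lq = legendre(h, p), legendre(h, q)
    if lp == 1 and lq == 1:
        return 1, 1
    if lp == -1 and lq == -1:
        return -1, 1
    if lp == -1 and lq == 1:
        return 1, 2
    return -1, 2          # lp == 1, lq == -1


def verify(h, e, f, s, n):
    """Public check: the signature s must satisfy s^2 ≡ e*f*h (mod n)."""
    return (e * f * h - s * s) % n == 0


def sign(h, p, q, blind=True):
    """Compute the Rabin-Williams root of h, optionally under multiplicative blinding."""
    n = p * q
    e, f = choose_tweaks(h, p, q)        # decided on the unblinded value
    target = (e * f * h) % n             # a quadratic residue modulo n
    if blind:
        while True:
            r = RNG.randrange(2, n)
            if gcd(r, n) == 1:
                break
        masked = (target * r * r) % n    # r^2 is a square, so residuosity mod p and q is unchanged
    else:
        r, masked = 1, target
    root = crt(sqrt_mod_prime(masked, p), sqrt_mod_prime(masked, q), p, q)
    s = (root * pow(r, -1, n)) % n       # strip the blinding factor
    # Self-check before release: a root that does not square back to e*f*h never leaves the signer.
    if not verify(h, e, f, s, n):
        raise RuntimeError("Rabin-Williams root failed self-check; signature withheld")
    return e, f, s
```

The verify-before-release step is a general defensive habit for private-key operations (it catches a wrong root whatever its cause); it is shown here as an assumption about good practice, not as the fix the linked commit applies.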

Closed by Allan McRae (Allan)
Friday, 24 July 2015, 11:58 GMT
Reason for closing: Fixed
Additional comments about closing: crypto++-5.6.2-3
Comment by Levente Polyak (anthraxx) - Wednesday, 01 July 2015, 12:24 GMT
Would be awesome if we could handle this issue,
thanks in advance.
