Bug 16426

Summary: libcryptopp new security issue CVE-2015-2141
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/649711/
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA5-64-OK
Source RPM: libcryptopp-5.6.2-4.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-07-20 20:30:38 CEST 
Debian has issued an advisory on June 29:
https://www.debian.org/security/2015/dsa-3296

I missed this earlier because their package name is libcrypto++.

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

This library is used by amule, kodi, and synergy.

Advisory:
========================

Updated libcryptopp packages fix security vulnerability:

Evgeny Sidorov discovered that libcryptopp did not properly implement blinding
to mask private key operations for the Rabin-Williams digital signature
algorithm. This could allow remote attackers to mount a timing attack and
retrieve the user's private key (CVE-2015-2141).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2141
https://www.debian.org/security/2015/dsa-3296
========================

Updated packages in core/updates_testing:
========================
libcryptopp6-5.6.2-2.1.mga4
libcryptopp-devel-5.6.2-2.1.mga4
libcryptopp-progs-5.6.2-2.1.mga4
libcryptopp6-5.6.2-4.1.mga5
libcryptopp-devel-5.6.2-4.1.mga5
libcryptopp-progs-5.6.2-4.1.mga5

from SRPMS:
libcryptopp-5.6.2-2.1.mga4.src.rpm
libcryptopp-5.6.2-4.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-07-20 20:30:47 CEST

Whiteboard: (none) => MGA4TOO

Dave Hodgins 2015-07-28 16:32:31 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory

Comment 1 Herman Viaene 2015-08-03 15:37:21 CEST 
MGA4-32 on Acer D620 Xfce.
No installation issues.
urpmq --whatrequires libcryptopp6 shows amongst others synergy.
set up this PC as synergy client and connected to a server on the LAN
at CLI
> strace -o syn synergy
could move the mouse from the server into the screen of the client PC
and
$ grep libcrypt syn
open("/lib/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3

CC: (none) => herman.viaene
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK

Comment 2 claire robinson 2015-08-03 16:24:20 CEST 
Well done Herman!
Comment 3 Herman Viaene 2015-08-19 15:16:09 CEST 
MGA5-64 on HP Probook 6555b KDE
No installation issues.
Repeated same test as per Comment 1 above: works OK.

Whiteboard: MGA4TOO advisory MGA4-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA5-64-OK

Comment 4 Samuel Verschelde 2015-08-21 11:10:43 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-08-21 20:56:08 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0317.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED