Bug 17669

Summary: nettle2.7 and nettle new security issues CVE-2015-880[3-5]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/674493/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: nettle2.7-2.7.1-6.mga5.src.rpm, nettle-3.0-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-02-03 15:25:03 CET 
CVEs have been assigned for some miscalculations during cryptographic operations that were fixed in nettle 3.2:
http://openwall.com/lists/oss-security/2016/02/03/1

I've updated nettle to 3.2 in Cauldron.

At least in Mageia 5, while we have nettle 3.0, nothing is actually using it.  Note that the library major changes from 5->6 in 3.2 vs. 3.0, so if/when we do update it, we should note that any applications that might be using 3.0 would need to be recompiled.

We also have nettle2.7 packaged, which is what everything that uses it is linked against.  I would guess that these bugs affect nettle2.7 as well.  If so, it will need to be fixed in Cauldron as well as Mageia 5.

The upstream commits to fix these issues are linked in the message above.

Reproducible: 

Steps to Reproduce:
David Walser 2016-02-03 20:02:46 CET

URL: (none) => http://lwn.net/Vulnerabilities/674493/

Comment 1 David Walser 2016-02-05 17:01:11 CET 
Fedora has issued an advisory for this on February 4:
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176807.html
Comment 2 David Walser 2016-02-05 19:23:07 CET 
nettle2.7 has been removed from Cauldron, as it is not used there.

Patched packages uploaded for Mageia 5.

Advisory:
========================

Updated nettle2.7 and nettle packages fix security vulnerabilities:

Two carry propagation bugs in elliptic curve scalar multiplications that
affect the NIST P-256 curve. The bugs are in the C code and affect multiple architectures (CVE-2015-8803, CVE-2015-8805).

A carry propagation bug in elliptic curve scalar multiplications that
affect the NIST P-384 curve. The bug is in the assembly code and only affects
the x86_64 architecture (CVE-2015-8804).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8805
http://openwall.com/lists/oss-security/2016/02/03/1
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176807.html
========================

Updated packages in core/updates_testing:
========================
nettle2.7-2.7.1-6.1.mga5
libnettle4-2.7.1-6.1.mga5
libhogweed2-2.7.1-6.1.mga5
libnettle2.7-devel-2.7.1-6.1.mga5
nettle-3.0-3.1.mga5
libnettle5-3.0-3.1.mga5
libhogweed3-3.0-3.1.mga5
libnettle-devel-3.0-3.1.mga5

from SRPMS:
nettle2.7-2.7.1-6.1.mga5.src.rpm
nettle-3.0-3.1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Summary: nettle new security issues CVE-2015-880[3-5] => nettle2.7 and nettle new security issues CVE-2015-880[3-5]
Source RPM: nettle-3.0-3.mga5.src.rpm => nettle2.7-2.7.1-6.mga5.src.rpm, nettle-3.0-3.mga5.src.rpm

Comment 3 Len Lawrence 2016-02-07 03:11:43 CET 
mga5  x86_64  Mate

Installed:
nettle-3.0-3.mga5
lib64hogweed3-3.0-3.mga5
lib64nettle5-3.0-3.mga5

$ urpmq --whatrequires lib64hogweed3
lib64hogweed3
lib64nettle-devel
nettle

Extracted from http://www.linuxfromscratch.org/blfs/view/svn/postlfs/nettle.html
nettle-hash         calculates a hash value using a specified algorithm.

nettle-lfib-stream  outputs a sequence of pseudorandom (non-cryptographic)
                    bytes, using Knuth's lagged fibonacci generator. The
                    stream is useful for testing, but should not be used to
                    generate cryptographic keys or anything else that needs
                    real randomness.

nettle-pbkdf2       password-based key derivation function that take as input
                    a password or passphrase and typically strengthen it and
                    protect against certain pre-computation attacks by using
                    salting and expensive computation.

pkcs1-conv          converts private and public RSA keys from PKCS #1 format
                    to sexp format.

sexp-conv           converts an s-expression to a different encoding.
 
$ locate nettle | grep bin
/usr/bin/nettle-hash
/usr/bin/nettle-lfib-stream
/usr/bin/nettle-pbkdf2
$ locate pkcs1 | grep bin
/usr/bin/pkcs1-conv
$ locate sexp-conv | grep bin
/usr/bin/sexp-conv

Ran a few tests before updating to see how the commands worked.

Testing nettle-hash using familiar algorithms:
[lcl@vega ~]$ nettle-hash -a md5 nettles
nettles: 61cd448d4a87840d 0a1ca521bf58abe0 md5
[lcl@vega ~]$ md5sum nettles
61cd448d4a87840d0a1ca521bf58abe0  nettles
[lcl@vega ~]$ nettle-hash -a sha1 nettles
nettles: fef2703dc089a852 fbc7d2b9bc31d64d 6ffd6ccd sha1
[lcl@vega ~]$ sha1sum nettles
fef2703dc089a852fbc7d2b9bc31d64d6ffd6ccd  nettles

nettle-lfib-stream with or without a seed generated a continuous stream of binary data until interrupted.

File rumpelstiltskin contains string "Rapunzel"
[lcl@vega ~]$ nettle-pbkdf2 778013 < rumpelstiltskin
d0cf299c8c917f97 ecd0f741086a3d35
[lcl@vega ~]$ nettle-pbkdf2 778013 < rumpelstiltskin
d0cf299c8c917f97 ecd0f741086a3d35
[lcl@vega ~]$ nettle-pbkdf2 7783 < rumpelstiltskin
4e59a4a23b3e91d9 7d57147a80e07e9e

Could not make anything of the pkcs1-conv and sexp-conv commands - lack of knowledge of s-expressions.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2016-02-07 03:32:03 CET 
Packages under test:
nettle-3.0-3.1.mga5.x86_64
lib64hogweed3-3.0-3.1.mga5.x86_64
lib64nettle5-3.0-3.1.mga5.x86_64

[lcl@vega ~]$ nettle-hash -a md5 nettles
nettles: 61cd448d4a87840d 0a1ca521bf58abe0 md5
[lcl@vega ~]$ nettle-hash -a sha1 nettles
nettles: fef2703dc089a852 fbc7d2b9bc31d64d 6ffd6ccd sha1

These values match the pre-update values.
As before, nettle-lfib-stream with or without a seed generated a continuous stream of binary data until interrupted.

[lcl@vega ~]$ nettle-pbkdf2 778013 < rumpelstiltskin
d0cf299c8c917f97 ecd0f741086a3d35
[lcl@vega ~]$ nettle-pbkdf2 7783 < rumpelstiltskin
4e59a4a23b3e91d9 7d57147a80e07e9e

No obvious differences in behaviour between the updated packages and the originals with regard to the commands tested.  Unless anyone objects to the missing s-expression tests I shall pass this.
Len Lawrence 2016-02-07 03:33:06 CET

Whiteboard: (none) => MGA5-64-OK

Comment 5 claire robinson 2016-02-07 09:58:59 CET 
Good work Len

Whiteboard: MGA5-64-OK => has_procedure MGA5-64-OK

Comment 6 Len Lawrence 2016-02-07 16:36:36 CET 
Tested this on mga5 in virtualbox  i586  Mate

Updated the nettle packages from Updates Testing and ran the same tests as on 64-bit real hardware using the same files and seeds where required.  All numerical results were identical.  Not sure if that is a good thing or a bad thing in the context of security but the underlying procedures work as expected. The fibonacci pseudorandom generator produced a binary data stream as before.

Validating this, so could someone from sysadmin please push it to Mageia Updates?
Len Lawrence 2016-02-07 16:36:59 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Len Lawrence 2016-02-07 16:37:13 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2016-02-09 17:10:49 CET 
Tested nettle-hash using nettle2.7 too.
nettle-pdkdf2 does not exist in nettle2.7.

$ urpmf nettle2.7 | grep bin
nettle2.7:/usr/bin/nettle-hash
nettle2.7:/usr/bin/nettle-lfib-stream
nettle2.7:/usr/bin/pkcs1-conv
nettle2.7:/usr/bin/sexp-conv

# urpmi nettle2.7
installing nettle2.7-2.7.1-6.mga5.x86_64.rpm from /var/cache/urpmi/rpms                                           
Preparing...                     #############
      1/1: nettle2.7             #############


Noted the update also brings in the libs.


# urpmi nettle2.7
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  lib64hogweed2                  2.7.1        6.1.mga5      x86_64  
  lib64nettle4                   2.7.1        6.1.mga5      x86_64  
  nettle2.7                      2.7.1        6.1.mga5      x86_64  
216B of disk space will be freed.
485KB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y
Comment 8 claire robinson 2016-02-09 17:15:23 CET 
Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 9 Mageia Robot 2016-02-09 20:06:12 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0061.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 Len Lawrence 2016-02-10 10:58:46 CET 
@Claire comment #7.  Thanks for taking on the 2.7 version.  I had package conflicts when I looked at it and abandoned it.
Comment 11 claire robinson 2016-02-10 12:14:00 CET 
That seems like a bug Len. Nettle & nettle2.7 contain the same binaries so should really conflict, but they currently don't.

Bug 17726 created.