| Summary: | libcryptopp new security issue CVE-2019-14318 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, geiger.david68210, herman.viaene, nicolas.salguero, sysadmin-bugs, tmb, zombie_ryushu |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libcryptopp-7.0.0-1.mga7.src.rpm | CVE: | CVE-2019-14318 |
| Status comment: | | | |
Description
David Walser
2019-11-26 20:08:18 CET
David Walser
2019-11-26 20:08:27 CET
Whiteboard: (none) => MGA7TOO

The package has no registered maintainer, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Fixed in libcryptopp-8.2.0-1.mga8 (with a patch) by David in Cauldron.

Version: Cauldron => 7

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information. (CVE-2019-14318)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14318
https://lists.opensuse.org/opensuse-updates/2019-08/msg00155.html
========================

Updated packages in core/updates_testing:
========================
lib(64)cryptopp7-7.0.0-1.1.mga7
lib(64)cryptopp-devel-7.0.0-1.1.mga7
libcryptopp-progs-7.0.0-1.1.mga7

from SRPMS:
libcryptopp-7.0.0-1.1.mga7.src.rpm

CC: (none) => nicolas.salguero

The following 13 packages are going to be installed:

- binutils-2.32-14.mga7.i586
- gcc-8.3.1-0.20191101.1.mga7.i586
- gcc-cpp-8.3.1-0.20191101.1.mga7.i586
- glibc-devel-2.29-19.mga7.i586
- isl-0.18-1.mga7.i586
- kernel-userspace-headers-5.3.13-2.mga7.i586
- libcryptopp-devel-7.0.0-1.1.mga7.i586
- libcryptopp-progs-7.0.0-1.1.mga7.i586
- libcryptopp7-7.0.0-1.1.mga7.i586
- libisl15-0.18-1.mga7.i586
- libmpc3-1.1.0-3.mga7.i586
- libstdc++-devel-8.3.1-0.20191101.1.mga7.i586
- libxcrypt-devel-4.4.6-1.mga7.i586

----

Ran test as noted by Lewis in prior validations

$ cryptest v > tmp/cryptest_v
$ less tmp/cryptest_v

In this case it seems it did fail:

...
SHA validation suite running...
Exception caught: Can not open file TestVectors/sha.txt for reading

Whiteboard: (none) => feedback

In bug 21029 comment 6, Lewis said:
"""
As normal, the self-tests end with:
CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading
"""
so I think that error is "normal".

Whiteboard: feedback => (none)

MGA7-64 Plasma on Lenovo B50

No installation issues.
I checked the contents of the packages installed and found that the files reported above are located in /usr/share/cryptopp, so I did

$ cd /usr/share/cryptopp/
$ cryptest v > ~/Documenten/cryptest_v

Consulting the output file, all tests completed and passed.
OK for me.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update

Thomas Backlund
2019-12-06 12:38:41 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0362.html

Status: ASSIGNED => RESOLVED
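The advisory above attributes CVE-2019-14318 to scalar multiplication that is not constant time and leaks the scalar's bit length. The block below is an added illustration of that failure mode and its standard mitigation; it is not code from Crypto++, from the Mageia packages, or from this bug report. It assumes a constructed toy group (integers modulo the small prime Q under addition, standing in for curve points), a constructed fixed order width ORDER_BITS, and hypothetical function names, and it counts group operations as a deterministic stand-in for signing time.

```cpp
#include <cstdint>

// Constructed toy group: integers mod a prime Q under addition, so k*P is
// literally k*P mod Q. Only the loop structure matters here; it mirrors the
// double-and-add / ladder shapes used for elliptic-curve scalar multiplication.
static const uint64_t Q = 1000000007ULL;  // toy modulus (constructed value)
static const int ORDER_BITS = 30;         // bit length of Q: fixed per "curve"

struct Trace { uint64_t result; unsigned ops; };  // ops = group operations done

static uint64_t add(uint64_t a, uint64_t b, unsigned &ops) { ++ops; return (a + b) % Q; }
static uint64_t dbl(uint64_t a, unsigned &ops) { return add(a, a, ops); }

// Variable-time double-and-add. It starts at the scalar's highest set bit and
// adds only when a bit is 1, so the operation count (a stand-in for signing
// time) reveals the bit length and Hamming weight of the secret scalar.
Trace scalar_mult_vartime(uint64_t k, uint64_t P) {
    unsigned ops = 0;
    uint64_t R = 0;
    int top = 63;
    while (top >= 0 && !((k >> top) & 1)) --top;  // skip leading zeros: leaks bit length
    for (int i = top; i >= 0; --i) {
        R = dbl(R, ops);
        if ((k >> i) & 1) R = add(R, P, ops);      // secret-dependent branch
    }
    return {R, ops};
}

// Montgomery ladder over a fixed number of bits: always ORDER_BITS iterations,
// each doing exactly one add and one double. The bit only selects operands via
// an XOR mask (constant-time conditional swap), never which code path runs.
Trace scalar_mult_ladder(uint64_t k, uint64_t P) {
    unsigned ops = 0;
    uint64_t R0 = 0, R1 = P;                        // invariant: R1 == R0 + P
    for (int i = ORDER_BITS - 1; i >= 0; --i) {
        uint64_t bit = (k >> i) & 1;
        uint64_t mask = 0 - bit;                    // all ones when bit == 1
        uint64_t t = (R0 ^ R1) & mask;              // swap if bit == 1
        R0 ^= t; R1 ^= t;
        R1 = add(R0, R1, ops);
        R0 = dbl(R0, ops);
        t = (R0 ^ R1) & mask;                       // swap back
        R0 ^= t; R1 ^= t;
    }
    return {R0, ops};
}
// Caveat: the toy's '%' reduction is itself not constant time on real CPUs;
// the point here is that op count and branches no longer depend on k.
```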