| Summary: | opencryptoki new security issue in handling EC keys | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, herman.viaene, marja11, nicolas.salguero, pkg-bugs, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | opencryptoki-3.15.1-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2021-08-04 20:02:51 CEST

David Walser
2021-08-04 20:03:10 CEST
Assignee: bugsquad => geiger.david68210

Fedora has issued an advisory for this on September 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLP3UNIVGYENSFGVADMQ2IYP4A3TDYJC/

CC'ing all packagers collectively, because daviddavid hasn't been around since three months ago. Any packager should feel free to take this bug.
CC: (none) => marja11, pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

It was discovered that openCryptoki incorrectly handled certain EC keys. An attacker could possibly use this issue to cause an invalid curve attack.

References:
https://ubuntu.com/security/notices/USN-5031-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLP3UNIVGYENSFGVADMQ2IYP4A3TDYJC/
========================

Updated packages in core/updates_testing:
========================
opencryptoki-3.15.1-1.1.mga8
opencryptoki-swtok-3.15.1-1.1.mga8
opencryptoki-tpmtok-3.15.1-1.1.mga8
opencryptoki-icsftok-3.15.1-1.1.mga8
lib(64)opencryptoki0-3.15.1-1.1.mga8
lib(64)opencryptoki-devel-3.15.1-1.1.mga8

from SRPM:
opencryptoki-3.15.1-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
Nicolas Salguero
2021-09-10 09:30:04 CEST
Source RPM: opencryptoki-3.16.0-1.mga9.src.rpm => opencryptoki-3.15.1-1.mga8.src.rpm

MGA8-64 Plasma on Lenovo B50
No installation issues.

```
# p11sak -h
Usage: p11sak COMMAND [ARGS] [OPTIONS]
Commands:
generate-key Generate a key
list-key List keys in the repository
remove-key Delete keys in the repository
Options:
-h, --help Show this help
```

Did different tries with list-key or generate-key, but my lack of knowledge in this field does not allow me to do anything useful.
CC: (none) => herman.viaene

The following 6 packages are going to be installed:
- lib64opencryptoki-devel-3.15.1-1.1.mga8.x86_64
- lib64opencryptoki0-3.15.1-1.1.mga8.x86_64
- opencryptoki-3.15.1-1.1.mga8.x86_64
- opencryptoki-icsftok-3.15.1-1.1.mga8.x86_64
- opencryptoki-swtok-3.15.1-1.1.mga8.x86_64
- opencryptoki-tpmtok-3.15.1-1.1.mga8.x86_64

---
go to terminal and log in as root

```
# usermod -a -G pkcs11 root
# pkcsslotd
# pkcsconf -i
PKCS#11 Info
Version 3.0
Manufacturer: IBM
Flags: 0x0
Library Description: openCryptoki
Library Version: 3.15
# pkcsconf -t
Token #3 Info:
Label: softtok
Manufacturer: IBM
Model: Soft
Serial Number:
Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/[effectively infinite]
R/W Sessions: [information unavailable]/[effectively infinite]
PIN Length: 4-8
Public Memory: [information unavailable]/[information unavailable]
Private Memory: [information unavailable]/[information unavailable]
Hardware Version: 0.0
Firmware Version: 0.0
Time: 2021102223060600
```

basic testing confirms the service is working.
Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
Dave Hodgins
2021-10-26 23:15:59 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0492.html
Status: ASSIGNED => RESOLVED