Bug 16426 - libcryptopp new security issue CVE-2015-2141
Summary: libcryptopp new security issue CVE-2015-2141
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/649711/
Whiteboard: MGA4TOO has_procedure advisory MGA4-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-20 20:30 CEST by David Walser
Modified: 2015-08-21 20:56 CEST (History)
CC List: 3 users

See Also:
Source RPM: libcryptopp-5.6.2-4.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-07-20 20:30:38 CEST
Debian has issued an advisory on June 29:
https://www.debian.org/security/2015/dsa-3296

I missed this earlier because their package name is libcrypto++.

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

This library is used by amule, kodi, and synergy.

Advisory:
========================

Updated libcryptopp packages fix security vulnerability:

Evgeny Sidorov discovered that libcryptopp did not properly implement blinding
to mask private key operations for the Rabin-Williams digital signature
algorithm. This could allow remote attackers to mount a timing attack and
retrieve the user's private key (CVE-2015-2141).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2141
https://www.debian.org/security/2015/dsa-3296
========================

Updated packages in core/updates_testing:
========================
libcryptopp6-5.6.2-2.1.mga4
libcryptopp-devel-5.6.2-2.1.mga4
libcryptopp-progs-5.6.2-2.1.mga4
libcryptopp6-5.6.2-4.1.mga5
libcryptopp-devel-5.6.2-4.1.mga5
libcryptopp-progs-5.6.2-4.1.mga5

from SRPMS:
libcryptopp-5.6.2-2.1.mga4.src.rpm
libcryptopp-5.6.2-4.1.mga5.src.rpm

David Walser 2015-07-20 20:30:47 CEST

Whiteboard: (none) => MGA4TOO

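The advisory above says the private-key operation lacked blinding. The following is an added illustration of what that blinding does, written for this page; it is not Crypto++ code and does not reproduce the Rabin-Williams tweaks (Jacobi-symbol adjustments) that Crypto++ layers on top of the plain Rabin square root. It uses a constructed toy key (P, Q, N) that is far too small for real use. The point it shows: without blinding, the exponentiations run directly on the attacker-chosen input x, so their timing can be correlated with x; with blinding, they run on x*r^2 for a fresh secret r, and r is stripped from the result afterwards.

```python
"""Blinding for a Rabin-type private-key operation (modular square root).

Added illustration, not Crypto++ code.  Rabin-Williams adds Jacobi-symbol
tweaks on top of this; the blinding step is the same idea: randomise the
input before the secret-dependent computation, then remove the randomness
from the result.
"""
import secrets
from math import gcd
from typing import Optional

# Constructed toy key: p, q prime with p, q = 3 (mod 4), so a square root
# mod each prime is a single exponentiation.  Tiny on purpose.
P = 1019
Q = 1031
N = P * Q


def _crt(rp: int, rq: int, p: int, q: int) -> int:
    """Combine residues mod p and mod q into one residue mod p*q (Garner)."""
    q_inv = pow(q, -1, p)
    h = ((rp - rq) * q_inv) % p
    return (rq + q * h) % (p * q)


def sqrt_mod_n(x: int, p: int = P, q: int = Q) -> int:
    """Unblinded private-key operation: one square root of x modulo n = p*q.

    x must be a quadratic residue mod p and mod q.  The two exponentiations
    and the CRT step run directly on x, which is what a timing attacker
    tries to correlate with the inputs it chose.
    """
    rp = pow(x, (p + 1) // 4, p)
    rq = pow(x, (q + 1) // 4, q)
    if (rp * rp) % p != x % p or (rq * rq) % q != x % q:
        raise ValueError("x is not a quadratic residue mod n")
    return _crt(rp, rq, p, q)


def blinded_sqrt_mod_n(x: int, r: Optional[int] = None,
                       p: int = P, q: int = Q) -> int:
    """Same operation with blinding.

    Multiply the input by r^2 for a secret random r coprime to n, take the
    root of the blinded value, then multiply by r^-1.  Since y'^2 = x*r^2,
    y = y' * r^-1 satisfies y^2 = x, and the secret-dependent computation
    ran on x*r^2, which the attacker cannot predict.  r may be passed in
    explicitly (for tests); normally it is drawn fresh per operation.
    """
    n = p * q
    if r is None:
        while True:
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:
                break
    if gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible mod n")
    blinded = (x * r * r) % n            # r^2 is a residue, so x*r^2 is iff x is
    root = sqrt_mod_n(blinded, p, q)     # private-key op on randomised input
    return (root * pow(r, -1, n)) % n    # unblind


def is_square_root(y: int, x: int, n: int = N) -> bool:
    """True if y is one of the square roots of x modulo n."""
    return (y * y) % n == x % n


if __name__ == "__main__":
    msg = 123456                         # constructed sample input
    x = (msg * msg) % N                  # a guaranteed quadratic residue
    print(is_square_root(sqrt_mod_n(x), x))            # True
    print(is_square_root(blinded_sqrt_mod_n(x), x))    # True
```

Both functions return a valid root (possibly a different one of the four, since r's Legendre symbols mod p and q flip signs), so a caller cannot tell them apart by output; only the timing profile of the private-key step changes, which is the whole purpose of the fix described in the advisory.
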
Dave Hodgins 2015-07-28 16:32:31 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO advisory

Comment 1 Herman Viaene 2015-08-03 15:37:21 CEST
MGA4-32 on Acer D620 Xfce.
No installation issues.
urpmq --whatrequires libcryptopp6 shows amongst others synergy.
set up this PC as a synergy client and connected to a server on the LAN.
At the CLI:
> strace -o syn synergy
could move the mouse from the server into the screen of the client PC
and
$ grep libcrypt syn
open("/lib/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3

CC: (none) => herman.viaene
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-32-OK

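A practical caveat on the check in Comment 1: a `grep libcrypt` over an strace log also matches OpenSSL's libcrypto.so (the only line quoted above is exactly that), so it does not by itself show that the updated Crypto++ library was loaded. The following is an added helper, not part of the bug report, that parses open()/openat() lines and distinguishes the two. The sample log is constructed for the example (the libcrypto line mirrors the one in Comment 1; the others are made up), and the soname libcryptopp.so.6 is assumed from the libcryptopp6 package name.

```python
"""Check which crypto library a traced process really opened.

Added helper, not from the bug report.  Parses `strace -o` output for
successful open()/openat() calls on shared objects and separates Crypto++
(libcryptopp.so.*) from OpenSSL's libcrypto.so.*, which a plain
`grep libcrypt` lumps together.
"""
import re
from typing import List

# Constructed sample strace -o output.  Only the libcrypto line is taken
# from Comment 1; the remaining lines are invented for the example.
SAMPLE_STRACE = """\
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/local/lib/libcryptopp.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libcryptopp.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/usr/share/synergy/config.xml", O_RDONLY) = 4
"""

# Matches:  open("path", flags) = ret   and   openat(AT_FDCWD, "path", flags) = ret
_OPEN_RE = re.compile(
    r'^open(?:at)?\((?:AT_FDCWD, )?"(?P<path>[^"]+)", [^)]*\) = (?P<ret>-?\d+)'
)
# Shared-object file names: libfoo.so, libfoo.so.6, libfoo.so.1.0.0
_SO_RE = re.compile(r"\.so(?:\.\d+)*$")


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def opened_shared_objects(strace_text: str) -> List[str]:
    """Paths of shared objects the process opened successfully (ret >= 0)."""
    found = []
    for line in strace_text.splitlines():
        m = _OPEN_RE.match(line)
        if m and int(m.group("ret")) >= 0 and _SO_RE.search(_basename(m.group("path"))):
            found.append(m.group("path"))
    return found


def naive_grep_matches(strace_text: str, needle: str = "libcrypt") -> List[str]:
    """What `grep libcrypt syn` returns: every line containing the substring,
    including failed opens and OpenSSL's libcrypto."""
    return [line for line in strace_text.splitlines() if needle in line]


def cryptopp_loaded(strace_text: str) -> List[str]:
    """Crypto++ objects actually mapped (file name libcryptopp.so*)."""
    return [p for p in opened_shared_objects(strace_text)
            if _basename(p).startswith("libcryptopp.so")]


def openssl_libcrypto_loaded(strace_text: str) -> List[str]:
    """OpenSSL's libcrypto, which the naive grep also matches."""
    return [p for p in opened_shared_objects(strace_text)
            if _basename(p).startswith("libcrypto.so")]


if __name__ == "__main__":
    print("grep-style hits:", len(naive_grep_matches(SAMPLE_STRACE)))   # 3
    print("Crypto++ loaded:", cryptopp_loaded(SAMPLE_STRACE))
    print("OpenSSL libcrypto loaded:", openssl_libcrypto_loaded(SAMPLE_STRACE))
```

On a live system, trace with `strace -f -o syn synergy` (the `-f` follows child processes) and feed the file to `cryptopp_loaded`; an empty result means the update was never exercised by that test. `ldd` on the synergy binary gives the link-time view and is a quicker first check.
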
Comment 2 claire robinson 2015-08-03 16:24:20 CEST
Well done Herman!
Comment 3 Herman Viaene 2015-08-19 15:16:09 CEST
MGA5-64 on HP Probook 6555b KDE
No installation issues.
Repeated same test as per Comment 1 above: works OK.

Whiteboard: MGA4TOO advisory MGA4-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA5-64-OK

Comment 4 Samuel Verschelde 2015-08-21 11:10:43 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-08-21 20:56:08 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0317.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

