Bug 25759 - libcryptopp new security issue CVE-2019-14318
Summary: libcryptopp new security issue CVE-2019-14318
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-26 20:08 CET by David Walser
Modified: 2019-12-06 15:17 CET (History)
7 users (show)

See Also:
Source RPM: libcryptopp-7.0.0-1.mga7.src.rpm
CVE: CVE-2019-14318
Status comment:


Attachments

Description David Walser 2019-11-26 20:08:18 CET
openSUSE has issued an advisory on August 20:
https://lists.opensuse.org/opensuse-updates/2019-08/msg00155.html

Mageia 7 is also affected.
David Walser 2019-11-26 20:08:27 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-11-26 21:35:27 CET
The package has no registered maintainer, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-11-26 22:53:57 CET
Fixed in libcryptopp-8.2.0-1.mga8 (with a patch) by David in Cauldron.

CC: (none) => geiger.david68210
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 3 Nicolas Salguero 2019-11-27 15:45:20 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information. (CVE-2019-14318)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14318
https://lists.opensuse.org/opensuse-updates/2019-08/msg00155.html
========================

Updated packages in core/updates_testing:
========================
lib(64)cryptopp7-7.0.0-1.1.mga7
lib(64)cryptopp-devel-7.0.0-1.1.mga7
libcryptopp-progs-7.0.0-1.1.mga7

from SRPMS:
libcryptopp-7.0.0-1.1.mga7.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-14318

Comment 4 Brian Rockwell 2019-11-28 00:23:18 CET
The following 13 packages are going to be installed:

- binutils-2.32-14.mga7.i586
- gcc-8.3.1-0.20191101.1.mga7.i586
- gcc-cpp-8.3.1-0.20191101.1.mga7.i586
- glibc-devel-2.29-19.mga7.i586
- isl-0.18-1.mga7.i586
- kernel-userspace-headers-5.3.13-2.mga7.i586
- libcryptopp-devel-7.0.0-1.1.mga7.i586
- libcryptopp-progs-7.0.0-1.1.mga7.i586
- libcryptopp7-7.0.0-1.1.mga7.i586
- libisl15-0.18-1.mga7.i586
- libmpc3-1.1.0-3.mga7.i586
- libstdc++-devel-8.3.1-0.20191101.1.mga7.i586
- libxcrypt-devel-4.4.6-1.mga7.i586

----

Ran test as noted by Lewis in prior validations

$ cryptest v > tmp/cryptest_v
$ less  tmp/cryptest_v

In this case seems it did fail:

...
SHA validation suite running...

Exception caught: Can not open file TestVectors/sha.txt for reading

CC: (none) => brtians1
Whiteboard: (none) => feedback

Comment 5 Nicolas Salguero 2019-11-28 08:44:05 CET
In bug 21029 comment 6, Lewis said:
"""
As normal, the self-tests end with:
 CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading
"""
so I think that error is "normal".

Whiteboard: feedback => (none)

Comment 6 Herman Viaene 2019-11-30 20:34:16 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
I checked the contents of the packages installed and found that the file reported above are located in /usr/share/cryptopp, so I did
$ cd /usr/share/cryptopp/
$ cryptest v > ~/Documenten/cryptest_v

And consulting the output file, all tests completed and passed. OK for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2019-12-05 22:58:39 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-06 12:38:41 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2019-12-06 15:17:23 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0362.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.