29328 – opencryptoki new security issue in handling EC keys

Bug 29328 - opencryptoki new security issue in handling EC keys

Summary: opencryptoki new security issue in handling EC keys

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2021-08-04 20:02 CEST by David Walser
Modified:	2021-10-27 14:14 CEST (History)
CC List:	8 users (show)

See Also:
Source RPM:	opencryptoki-3.15.1-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-08-04 20:02:51 CEST

Ubuntu has issued an advisory today (August 4):
https://ubuntu.com/security/notices/USN-5031-1

Mageia 8 is also affected.

David Walser 2021-08-04 20:03:10 CEST

Assignee: bugsquad => geiger.david68210
Status comment: (none) => Patch available from Ubuntu
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-09-03 19:39:12 CEST

Fedora has issued an advisory for this on September 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLP3UNIVGYENSFGVADMQ2IYP4A3TDYJC/

Comment 2 Marja Van Waes 2021-09-08 22:23:24 CEST

CC'ing all packagers collectively, because daviddavid hasn't been around since three months ago. Any packager should feel free to take this bug.

CC: (none) => marja11, pkg-bugs

Comment 3 Nicolas Salguero 2021-09-10 09:29:46 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

It was discovered that openCryptoki incorrectly handled certain EC keys.  An attacker could possibly use this issue to cause a invalid curve attack.

References:
https://ubuntu.com/security/notices/USN-5031-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLP3UNIVGYENSFGVADMQ2IYP4A3TDYJC/
========================

Updated packages in core/updates_testing:
========================
opencryptoki-3.15.1-1.1.mga8
opencryptoki-swtok-3.15.1-1.1.mga8
opencryptoki-tpmtok-3.15.1-1.1.mga8
opencryptoki-icsftok-3.15.1-1.1.mga8
lib(64)opencryptoki0-3.15.1-1.1.mga8
lib(64)opencryptoki-devel-3.15.1-1.1.mga8

from SRPM:
opencryptoki-3.15.1-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Patch available from Ubuntu => (none)
CC: (none) => nicolas.salguero
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Nicolas Salguero 2021-09-10 09:30:04 CEST

Source RPM: opencryptoki-3.16.0-1.mga9.src.rpm => opencryptoki-3.15.1-1.mga8.src.rpm

Comment 4 Herman Viaene 2021-09-25 16:56:36 CEST

MGA8-64 Plasma on Lenovo B50
No installation issues.
# p11sak -h

 Usage: p11sak COMMAND [ARGS] [OPTIONS]

 Commands:
      generate-key       Generate a key
      list-key           List keys in the repository
      remove-key         Delete keys in the repository

 Options:
      -h, --help         Show this help
Did different tries with list-key or generate-key, but my lack of knowledge in this field does not allow to do anything useful.

CC: (none) => herman.viaene

Comment 5 Brian Rockwell 2021-10-23 06:11:01 CEST

The following 6 packages are going to be installed:

- lib64opencryptoki-devel-3.15.1-1.1.mga8.x86_64
- lib64opencryptoki0-3.15.1-1.1.mga8.x86_64
- opencryptoki-3.15.1-1.1.mga8.x86_64
- opencryptoki-icsftok-3.15.1-1.1.mga8.x86_64
- opencryptoki-swtok-3.15.1-1.1.mga8.x86_64
- opencryptoki-tpmtok-3.15.1-1.1.mga8.x86_64


---

go to terminal and log in as root

# usermod -a -G pkcs11 root
# pkcsslotd
# pkcsconf -i
PKCS#11 Info
	Version 3.0 
	Manufacturer: IBM                              
	Flags: 0x0  
	Library Description: openCryptoki                     
	Library Version: 3.15
	
# pkcsconf -t
Token #3 Info:
	Label: softtok                         
	Manufacturer: IBM                             
	Model: Soft            
	Serial Number:                 
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/[effectively infinite]
	R/W Sessions: [information unavailable]/[effectively infinite]
	PIN Length: 4-8
	Public Memory: [information unavailable]/[information unavailable]
	Private Memory: [information unavailable]/[information unavailable]
	Hardware Version: 0.0
	Firmware Version: 0.0
	Time: 2021102223060600


basic testing confirms the service is working.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1

Comment 6 Thomas Andrews 2021-10-23 21:09:58 CEST

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-26 23:15:59 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-10-27 14:14:45 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0492.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.