Red Hat issued an advisory on April 16:
https://lwn.net/Articles/970137/

The problem is fixed in version 3.23.0.

Mageia 9 is also affected.

Status comment: (none) => Fixed upstream in 3.23.0
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => opencryptoki-3.18.0-1.mga9.src.rpm
CVE: (none) => CVE-2024-0914

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key. (CVE-2024-0914)

References:
https://lwn.net/Articles/970137/
========================

Updated packages in core/updates_testing:
========================
lib(64)opencryptoki0-3.23.0-1.mga9
lib(64)opencryptoki-devel-3.23.0-1.mga9
opencryptoki-3.23.0-1.mga9
opencryptoki-icsftok-3.23.0-1.mga9
opencryptoki-swtok-3.23.0-1.mga9
opencryptoki-tpmtok-3.23.0-1.mga9

from SRPM:
opencryptoki-3.23.0-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 3.23.0 => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
RH mageia 9 x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (distrib1)")
  lib64tspi1                     0.3.15       3.mga9        x86_64
(command line)
  lib64opencryptoki-devel        3.23.0       1.mga9        x86_64
  lib64opencryptoki0             3.23.0       1.mga9        x86_64
  opencryptoki                   3.23.0       1.mga9        x86_64
  opencryptoki-icsftok           3.23.0       1.mga9        x86_64
  opencryptoki-swtok             3.23.0       1.mga9        x86_64
  opencryptoki-tpmtok            3.23.0       1.mga9        x86_64
3.7MB of additional disk space will be used.
1.3MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64tspi1-0.3.15-3.mga9.x86_64.rpm
installing /home/katnatek/qa-testing/x86_64/lib64opencryptoki0-3.23.0-1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/opencryptoki-icsftok-3.23.0-1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/lib64opencryptoki-devel-3.23.0-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/lib64tspi1-0.3.15-3.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/opencryptoki-3.23.0-1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/opencryptoki-swtok-3.23.0-1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/opencryptoki-tpmtok-3.23.0-1.mga9.x86_64.rpm
Preparing...
##################################################################################################
      1/7: lib64opencryptoki0
##################################################################################################
      2/7: lib64tspi1
##################################################################################################
      3/7: opencryptoki-tpmtok
warning: group pkcs11 does not exist - using root
##################################################################################################
      4/7: opencryptoki-icsftok
warning: group pkcs11 does not exist - using root
##################################################################################################
      5/7: lib64opencryptoki-devel
##################################################################################################
      6/7: opencryptoki-swtok
warning: group pkcs11 does not exist - using root
warning: group pkcs11 does not exist - using root
##################################################################################################
      7/7: opencryptoki
##################################################################################################
/usr/lib/tmpfiles.d/opencryptoki.conf:2: Failed to resolve user 'pkcsslotd': No such process
/usr/lib/tmpfiles.d/opencryptoki.conf:2: Failed to resolve user 'pkcsslotd': No such process

I did try to follow bug#29328 comment#5, but something is not working

usermod -a -G pkcs11 root
pkcsslotd
There is no 'pkcsslotd' user on this system.

pkcsconf -i
pkcsconf: Error initializing the PKCS11 library: 0x6 (CKR_FUNCTION_FAILED)
Keywords: (none) => feedback
Hi,

Indeed, I missed some options for configure, at build time, sorry.

Updated packages in core/updates_testing:
========================
lib(64)opencryptoki0-3.23.0-1.1.mga9
lib(64)opencryptoki-devel-3.23.0-1.1.mga9
opencryptoki-3.23.0-1.1.mga9
opencryptoki-icsftok-3.23.0-1.1.mga9
opencryptoki-swtok-3.23.0-1.1.mga9
opencryptoki-tpmtok-3.23.0-1.1.mga9

from SRPM:
opencryptoki-3.23.0-1.1.mga9.src.rpm
Keywords: feedback => (none)
I removed the "advisory" flag since I think it needs to be updated in SVN.
Keywords: advisory => (none)
RH mageia 9 x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (distrib1)")
  lib64tspi1                     0.3.15       3.mga9        x86_64
(command line)
  lib64opencryptoki-devel        3.23.0       1.1.mga9      x86_64
  lib64opencryptoki0             3.23.0       1.1.mga9      x86_64
  opencryptoki                   3.23.0       1.1.mga9      x86_64
  opencryptoki-icsftok           3.23.0       1.1.mga9      x86_64
  opencryptoki-swtok             3.23.0       1.1.mga9      x86_64
  opencryptoki-tpmtok            3.23.0       1.1.mga9      x86_64
3.7MB of additional disk space will be used.
1.3MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64tspi1-0.3.15-3.mga9.x86_64.rpm
installing /home/katnatek/qa-testing/x86_64/opencryptoki-swtok-3.23.0-1.1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/lib64opencryptoki0-3.23.0-1.1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/opencryptoki-tpmtok-3.23.0-1.1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/opencryptoki-3.23.0-1.1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/opencryptoki-icsftok-3.23.0-1.1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/lib64opencryptoki-devel-3.23.0-1.1.mga9.x86_64.rpm /var/cache/urpmi/rpms/lib64tspi1-0.3.15-3.mga9.x86_64.rpm
Preparing...
##################################################################################################
      1/7: lib64opencryptoki0
##################################################################################################
      2/7: lib64tspi1
##################################################################################################
      3/7: opencryptoki-tpmtok
##################################################################################################
      4/7: opencryptoki-swtok
##################################################################################################
      5/7: opencryptoki-icsftok
##################################################################################################
      6/7: lib64opencryptoki-devel
##################################################################################################
      7/7: opencryptoki
##################################################################################################

Reference bug#29328 comment#5

usermod -a -G pkcs11 root
pkcsslotd

pkcsconf -i
PKCS#11 Info
	Version 3.0
	Manufacturer: IBM
	Flags: 0x0
	Library Description: openCryptoki
	Library Version: 3.23
	URI: pkcs11:library-description=openCryptoki;library-manufacturer=IBM;library-version=3.23

pkcsconf -t
Token #3 Info:
	Label: softtok
	Manufacturer: IBM
	Model: Soft
	Serial Number:
	Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
	Sessions: 0/[effectively infinite]
	R/W Sessions: 0/[effectively infinite]
	PIN Length: 4-8
	Public Memory: [information unavailable]/[information unavailable]
	Private Memory: [information unavailable]/[information unavailable]
	Hardware Version: 0.0
	Firmware Version: 0.0
	Time: 2024042611115000
	URI: pkcs11:manufacturer=IBM;model=Soft;token=softtok

Looks consistent with the reference, and no installation warnings with these packages.

Also, no issues at uninstall.
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0152.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED