<div dir="ltr">Hi all<div><br></div><div>I have now prepared a build of nettle for wheezy, based on the patch that Magnus prepared for me (thanks a lot for that!). You can find the debdiff here:</div><div><a href="http://apt.inguza.net/wheezy-security/nettle/nettle.debdiff">http://apt.inguza.net/wheezy-security/nettle/nettle.debdiff</a></div><div><br></div><div>You can find the prepared packages here:</div><div><a href="http://apt.inguza.net/wheezy-security/nettle/">http://apt.inguza.net/wheezy-security/nettle/</a><br></div><div><br></div><div>I have done basic regression testing by installing lsh-server (and lsh-client) and normal operations seems to be working fine. I choose lsh as it is the only application in wheezy that I know is using nettle.</div><div><br></div><div>I have not tried to reproduce the potential side-channel issue as that one is rather hard to trigger. If anyone know about a tool for that, please let me know.</div><div><br></div><div>I will upload a corrected version of nettle in four days (that is on Thursday) unless anyone object of course.</div><div><br></div><div>Best regards</div><div><br></div><div>// Ola</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Aug 7, 2016 at 10:16 PM, Ola Lundqvist <span dir="ltr"><<a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Andreas<div><br></div><div>It looks like you have managed without the context. I'm sorry that I was a little too brief.</div><div><br></div><div>First thank you a lot for confirming that gnutls do not use nettle in wheezy. This is very good to know as I can safely patch nettle without considering gnutls usage of nettle. Thanks! It saves me the burden of patching and coordinating several uploads.</div><div><br></div><div>The follow up patches that are needed are to modify gnutls (as long as it is using nettle).</div><div><br></div><div>This (below) is what I have understood from Niels Möller. He is the source of my knowledge so please be in contact with him about the details.</div><div><br></div><div>The correction in nettle is to use mpz_powm_sec instead of mpz_powm. The problem is that mpz_powm_sec will crash if the modulo argument is an even number. So a check is needed to ensure that or else we have a denial of service problem.</div><div>You can see the detailed correction here:</div><div><a href="https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3" target="_blank">https://git.lysator.liu.se/<wbr>nettle/nettle/commit/<wbr>3fe1d6549765ecfb24f0b80b2ed086<wbr>fdc818bff3</a><br></div><div><br></div><div>Nettle have added such checks in the *_key_prepare functions, see here:</div><div><a href="https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6" target="_blank">https://git.lysator.liu.se/<wbr>nettle/nettle/commit/<wbr>5eb30d94f6f5f3f0cb9ba9ed24bc52<wbr>b7376176b6</a><br></div><div><a href="https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068" target="_blank">https://git.lysator.liu.se/<wbr>nettle/nettle/commit/<wbr>52b9223126b3f997c00d399166c006<wbr>ae28669068</a><br></div><div><a href="https://git.lysator.liu.se/nettle/nettle/commit/544b4047de689519ab3e6ec55b776b95b3e264a9" target="_blank">https://git.lysator.liu.se/<wbr>nettle/nettle/commit/<wbr>544b4047de689519ab3e6ec55b776b<wbr>95b3e264a9</a><br></div><div><br></div><div>I think this merge commit may be of help:</div><div><a href="https://git.lysator.liu.se/nettle/nettle/commit/b721591c051ce9e2304033dd19564f089775df17" target="_blank">https://git.lysator.liu.se/<wbr>nettle/nettle/commit/<wbr>b721591c051ce9e2304033dd19564f<wbr>089775df17</a><br></div><div><br></div><div>The issue is that gnutls do not use (or do not check the return code) these prepare functions so there is therefore nothing that prevent the service from crashing in case an invalid signature is provided. The attack would for example be possible on some service provider having a common web server for multiple clients where the client can add their own certificate/key. In such case the whole server will go down instead of just this client.</div><div><br></div><div>So a check is needed in gnutls to check that the modulo is not even. This can be done either by using the prepare functions (and check the return code) or by checking it explicitly.</div><div><br></div><div>Was this enough context?</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>// Ola</div></font></span></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Sun, Aug 7, 2016 at 8:04 AM, Andreas Metzler <span dir="ltr"><<a href="mailto:ametzler@bebt.de" target="_blank">ametzler@bebt.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 2016-08-07 Ola Lundqvist <<a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a>> wrote:<br>
> On Sat, Aug 6, 2016 at 8:40 PM, Niels Möller <<a href="mailto:nisse@lysator.liu.se" target="_blank">nisse@lysator.liu.se</a>> wrote:<br>
>> Ola Lundqvist <<a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a>> writes:<br>
>>> Magnus, Niels and I have been discussing the nettle update due to<br>
>>> <a href="https://security-tracker.debian.org/tracker/CVE-2016-6489" rel="noreferrer" target="_blank">https://security-tracker.debia<wbr>n.org/tracker/CVE-2016-6489</a><br>
<br>
>> Please note that some coordinatoino with gnutls may be needed, to avoid<br>
>> a denial-of-service problem involving invalid private keys.<br>
<br>
>>> I suggest something like this: "Protect against potential timing<br>
>>> attacks against exponentiation operations as described in<br>
>>> CVE-2016-6489 RSA code is vulnerable to cache sharing related<br>
>>> attacks."<br>
<br>
>> I'd suggest the more general "side-channel attacks" over "timing<br>
>> attacks".<br>
<br>
</span><span>> I do not think coordination with gnutls is needed. I can not see that<br>
> gnutls depend on nettle in wheezy.<br>
> I can see that it can potentially do that, but I do not think it do.<br>
<br>
> There are no dependencies declared on nettle library and from unstable<br>
> changelog it looks like this build dependency was first added in gnutls28.<br>
> Wheezy has gnutls28.<br>
<br>
> I may be wrong however.<br>
<br>
> Or can it be so that nettle is built in statically and that a build<br>
> dependency is not needed as some other package has a build dependency so we<br>
> get it indirectly?<br>
<br>
> I'm including the gnutls maintainers to get their opinion.<br>
<br>
<br>
</span>Hello Ola,<br>
<br>
I think I am missing a little bit context, according to the security<br>
tracker the issue applies to practically all versions of, from oldstable<br>
up to and including unstable but the discussion seems to focus on LTS.<br>
<br>
You are right regarding wheezy/oldstable. It shipped gnutls 2.12.x built<br>
against libgcrypt instead of nettle, there should not be a problem with<br>
a nettle update. 3.3.8 (using nettle) is in wheezy-backports, but that<br>
is not covered by LTS afaiu.<br>
<br>
I am wondering about stable/testing/sid though.<br>
<a href="https://security-tracker.debian.org/tracker/CVE-2016-6489" rel="noreferrer" target="_blank">https://security-tracker.debia<wbr>n.org/tracker/CVE-2016-6489</a> points to<br>
"Original patch had some unintended side effects:", e.g. breaking<br>
GnuTLS. There is a lot of discussion following, however I failed to get<br>
whether the followup patches commited to nettle git did away with the<br>
"unintended side effects" or whether we still need to coordinate for<br>
stable/testing/sid?<br>
<br>
cu Andreaas<br>
<span><font color="#888888">--<br>
`What a good friend you are to him, Dr. Maturin. His other friends are<br>
so grateful to you.'<br>
`I sew his ears on from time to time, sure'<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="">-- <br><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><font face="courier new, monospace" size="1"> --- Inguza Technology AB --- MSc in Information Technology ----</font></div><div><font face="courier new, monospace" size="1">/ <a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a> Folkebogatan 26 \</font></div><div><font face="courier new, monospace" size="1">| <a href="mailto:opal@debian.org" target="_blank">opal@debian.org</a> 654 68 KARLSTAD |</font></div><div><font face="courier new, monospace" size="1">| <a href="http://inguza.com/" target="_blank">http://inguza.com/</a> Mobile: <a href="tel:%2B46%20%280%2970-332%201551" value="+46703321551" target="_blank">+46 (0)70-332 1551</a> |</font></div><div><font face="courier new, monospace" size="1">\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /</font></div><div><font face="courier new, monospace" size="1"> -----------------------------<wbr>------------------------------<wbr>----</font></div></div><div><br></div></div></div></div></div>
</span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><font face="courier new, monospace" size="1"> --- Inguza Technology AB --- MSc in Information Technology ----</font></div><div><font face="courier new, monospace" size="1">/ <a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a> Folkebogatan 26 \</font></div><div><font face="courier new, monospace" size="1">| <a href="mailto:opal@debian.org" target="_blank">opal@debian.org</a> 654 68 KARLSTAD |</font></div><div><font face="courier new, monospace" size="1">| <a href="http://inguza.com/" target="_blank">http://inguza.com/</a> Mobile: +46 (0)70-332 1551 |</font></div><div><font face="courier new, monospace" size="1">\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /</font></div><div><font face="courier new, monospace" size="1"> ---------------------------------------------------------------</font></div></div><div><br></div></div></div></div></div>
</div>