libnettle8: New upstream version fixes ECDSA signature verification issue

Related Vulnerabilities: CVE-2021-20305  

Debian Bug report logs - #985652


Reported by: Andreas Metzler <ametzler@bebt.de>

Date: Sun, 21 Mar 2021 12:18:02 UTC

Severity: important

Tags: security

Found in version nettle/3.7-2.1



Report forwarded to debian-bugs-dist@lists.debian.org, ametzler@bebt.de, Magnus Holmgren <holmgren@debian.org>:
Bug#985652; Package libnettle8. (Sun, 21 Mar 2021 12:18:03 GMT)


Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
New Bug report received and forwarded. Copy sent to ametzler@bebt.de, Magnus Holmgren <holmgren@debian.org>. (Sun, 21 Mar 2021 12:18:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Andreas Metzler <ametzler@bebt.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libnettle8: New upstream version fixes ECDSA signature verification issue
Date: Sun, 21 Mar 2021 13:14:00 +0100
Package: libnettle8
Version: 3.7-2.1
Severity: important

Hello,

nettle 3.7.2 features the following fix:

| This is a bugfix release, fixing a bug in ECDSA signature
| verification that could lead to a denial of service attack
| (via an assertion failure) or possibly incorrect results. It
| also fixes a few related problems where scalars are required
| to be canonically reduced modulo the ECC group order, but in
| fact may be slightly larger.
| 
| Upgrading to the new version is strongly recommended.
| 
| Even when no assert is triggered in ecdsa_verify, ECC point
| multiplication may get invalid intermediate values as input,
| and produce incorrect results. It's trivial to construct
| alleged signatures that result in invalid intermediate values.
| It appears difficult to construct an alleged signature that
| makes the function misbehave in such a way that an invalid
| signature is accepted as valid, but such attacks can't be
| ruled out without further analysis.

A DSA is currently not planned. Please upgrade nettle for sid (and
bullseye) to 3.7.2.

FWIW I have forked the salsa repo and packaged the new version at
<https://salsa.debian.org/ametzler/nettle>. I have not sent a merge
request since Debian packaging involves multiple branches.

cu Andreas
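The upstream note quoted in this report says scalars must be canonically reduced modulo the ECC group order but "may be slightly larger". The C code below is an added illustration of that invariant, not nettle's code and not part of the report: the choice of NIST P-256, the four-limb layout and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#define LIMBS 4 /* 256-bit scalar as little-endian 64-bit limbs (assumed layout) */

/* Group order n of NIST P-256; the curve is chosen for the example only. */
static const uint64_t P256_N[LIMBS] = {
    0xF3B9CAC2FC632551ULL, 0xBCE6FAADA7179E84ULL,
    0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFF00000000ULL
};

/* out = a - b over all limbs; returns the final borrow (1 when a < b). */
static uint64_t sub_borrow(uint64_t *out, const uint64_t *a, const uint64_t *b)
{
    uint64_t borrow = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t d = a[i] - b[i];
        uint64_t under = (uint64_t)(a[i] < b[i]) | (uint64_t)(d < borrow);
        out[i] = d - borrow;
        borrow = under;
    }
    return borrow;
}

/* 1 when 0 <= a < n, i.e. a is the canonical representative modulo n. */
int scalar_is_canonical(const uint64_t *a)
{
    uint64_t t[LIMBS];
    return (int)sub_borrow(t, a, P256_N);
}

/* Map any value in [0, 2^256) to [0, n). "Slightly larger" values need only
   one subtraction because 2^256 < 2n; the select below is branch-free. */
void scalar_canonicalize(uint64_t *r, const uint64_t *a)
{
    uint64_t t[LIMBS];
    uint64_t keep = 0 - sub_borrow(t, a, P256_N); /* all ones when a < n */
    for (int i = 0; i < LIMBS; i++)
        r[i] = (a[i] & keep) | (t[i] & ~keep);
}

/* Range check a verifier applies to each signature component: 1 <= x < n. */
int sig_component_ok(const uint64_t *x)
{
    return (x[0] | x[1] | x[2] | x[3]) != 0 && scalar_is_canonical(x);
}

int main(void)
{
    uint64_t x[LIMBS] = { ~0ULL, ~0ULL, ~0ULL, ~0ULL }; /* constructed: 2^256 - 1 */
    int before = scalar_is_canonical(x);
    scalar_canonicalize(x, x);
    return printf("canonical: before=%d after=%d\n", before, scalar_is_canonical(x)) < 0;
}
```

Code that multiplies a point by a scalar and assumes the scalar is already in [0, n) needs a step like `scalar_canonicalize` after every modular operation whose result can land in [n, 2^256).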



Information forwarded to debian-bugs-dist@lists.debian.org, Magnus Holmgren <holmgren@debian.org>:
Bug#985652; Package libnettle8. (Thu, 01 Apr 2021 07:06:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Magnus Holmgren <holmgren@debian.org>. (Thu, 01 Apr 2021 07:06:03 GMT)


Message #10 received at 985652@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Andreas Metzler <ametzler@bebt.de>, 985652@bugs.debian.org
Subject: Re: Bug#985652: libnettle8: New upstream version fixes ECDSA signature verification issue
Date: Thu, 1 Apr 2021 09:04:12 +0200

Hi,

On Sun, Mar 21, 2021 at 01:14:00PM +0100, Andreas Metzler wrote:
> Package: libnettle8
> Version: 3.7-2.1
> Severity: important
> 
> Hello,
> 
> nettle 3.7.2 features the following fix:
> 
> | This is a bugfix release, fixing a bug in ECDSA signature
> | verification that could lead to a denial of service attack
> | (via an assertion failure) or possibly incorrect results. It
> | also fixes a few related problems where scalars are required
> | to be canonically reduced modulo the ECC group order, but in
> | fact may be slightly larger.
> | 
> | Upgrading to the new version is strongly recommended.
> | 
> | Even when no assert is triggered in ecdsa_verify, ECC point
> | multiplication may get invalid intermediate values as input,
> | and produce incorrect results. It's trivial to construct
> | alleged signatures that result in invalid intermediate values.
> | It appears difficult to construct an alleged signature that
> | makes the function misbehave in such a way that an invalid
> | signature is accepted as valid, but such attacks can't be
> | ruled out without further analysis.
> 
> A DSA is currently not planned. Please upgrade nettle for sid (and
> bullseye) to 3.7.2.
> 
> FWIW I have forked the salsa repo and packaged the new version at
> <https://salsa.debian.org/ametzler/nettle>. I have not sent a merge
> request since Debian packaging involves multiple branches.

FTR, the security issue part has been assigned CVE-2021-20305. Cf.
https://bugzilla.redhat.com/show_bug.cgi?id=1942533 .

Regards,
Salvatore



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Apr 2021 07:06:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 1 08:05:38 2021; Machine Name: buxtehude
