diff -Nru nettle-2.7.1/debian/changelog nettle-2.7.1/debian/changelog
--- nettle-2.7.1/debian/changelog 2016-02-10 18:34:57.000000000 +0000
+++ nettle-2.7.1/debian/changelog 2017-02-03 13:57:10.000000000 +0000
@@ -1,3 +1,14 @@
+nettle (2.7.1-1ubuntu0.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: RSA cache timing side-channel attack
+ - debian/patches/CVE-2016-6489.patch: use mpz_powm_sec and check for
+ invalid keys in dsa-sign.c, rsa-blind.c, rsa-pkcs1-sign-tr.c,
+ rsa-pkcs1-sign.c, rsa-sign.c, rsa.c, testsuite/rsa-test.c,
+ rsa-decrypt-tr.c, rsa-decrypt.c.
+ - CVE-2016-6489
+
+ -- Marc Deslauriers Fri, 03 Feb 2017 08:40:39 -0500
+
 nettle (2.7.1-1ubuntu0.1) trusty-security; urgency=medium
 
 * SECURITY UPDATE: miscomputation bugs in secp-256r1 modulo functions
diff -Nru nettle-2.7.1/debian/patches/CVE-2016-6489.patch nettle-2.7.1/debian/patches/CVE-2016-6489.patch
--- nettle-2.7.1/debian/patches/CVE-2016-6489.patch 1970-01-01 00:00:00.000000000 +0000
+++ nettle-2.7.1/debian/patches/CVE-2016-6489.patch 2017-02-03 13:57:15.000000000 +0000
@@ -0,0 +1,183 @@
+Description: fix RSA cache timing side-channel attack
+Origin: backport, https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3
+Origin: backport, https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6
+Origin: backport, https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068
+Origin: backport, https://git.lysator.liu.se/nettle/nettle/commit/544b4047de689519ab3e6ec55b776b95b3e264a9
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832983
+
+Index: nettle-2.7.1/dsa-sign.c
+===================================================================
+--- nettle-2.7.1.orig/dsa-sign.c 2013-05-28 10:21:53.000000000 -0400
++++ nettle-2.7.1/dsa-sign.c 2017-02-03 08:36:57.081878110 -0500
+@@ -47,6 +47,11 @@
+ mpz_t h;
+ mpz_t tmp;
+ 
++ /* Check that p is odd, so that invalid keys don't result in a crash
++ inside mpz_powm_sec. */
++ if (mpz_even_p (pub->p))
++ return 0;
++
+ /* Require precise match of bitsize of q and hash size. The general
+ description of DSA in FIPS186-3 allows both larger and smaller q;
+ in the the latter case, the hash must be truncated to the right
+@@ -63,7 +68,7 @@
+ mpz_add_ui(k, k, 1);
+ 
+ /* Compute r = (g^k (mod p)) (mod q) */
+- mpz_powm(tmp, pub->g, k, pub->p);
++ mpz_powm_sec(tmp, pub->g, k, pub->p);
+ mpz_fdiv_r(signature->r, tmp, pub->q);
+ 
+ /* Compute hash */
+Index: nettle-2.7.1/rsa-blind.c
+===================================================================
+--- nettle-2.7.1.orig/rsa-blind.c 2013-05-28 10:21:53.000000000 -0400
++++ nettle-2.7.1/rsa-blind.c 2017-02-03 08:24:40.193044276 -0500
+@@ -53,7 +53,7 @@
+ while (!mpz_invert (ri, r, pub->n));
+ 
+ /* c = c*(r^e) mod n */
+- mpz_powm(r, r, pub->e, pub->n);
++ mpz_powm_sec(r, r, pub->e, pub->n);
+ mpz_mul(c, c, r);
+ mpz_fdiv_r(c, c, pub->n);
+ 
+Index: nettle-2.7.1/rsa-pkcs1-sign-tr.c
+===================================================================
+--- nettle-2.7.1.orig/rsa-pkcs1-sign-tr.c 2013-05-28 10:21:53.000000000 -0400
++++ nettle-2.7.1/rsa-pkcs1-sign-tr.c 2017-02-03 08:35:00.748465466 -0500
+@@ -40,6 +40,14 @@
+ {
+ mpz_t ri;
+ 
++ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
++ key is invalid and rejected by rsa_private_key_prepare. However,
++ some applications, notably gnutls, don't use this function, and
++ we don't want an invalid key to lead to a crash down inside
++ mpz_powm_sec. So do an additional check here. */
++ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
++ return 0;
++
+ if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
+ {
+ mpz_init (ri);
+Index: nettle-2.7.1/rsa-pkcs1-sign.c
+===================================================================
+--- nettle-2.7.1.orig/rsa-pkcs1-sign.c 2013-05-28 10:21:53.000000000 -0400
++++ nettle-2.7.1/rsa-pkcs1-sign.c 2017-02-03 08:35:55.485117270 -0500
+@@ -36,6 +36,14 @@
+ unsigned length, const uint8_t *digest_info,
+ mpz_t s)
+ {
++ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
++ key is invalid and rejected by rsa_private_key_prepare. However,
++ some applications, notably gnutls, don't use this function, and
++ we don't want an invalid key to lead to a crash down inside
++ mpz_powm_sec. So do an additional check here. */
++ if (mpz_even_p (key->p) || mpz_even_p (key->q))
++ return 0;
++
+ if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
+ {
+ rsa_compute_root(key, s, s);
+Index: nettle-2.7.1/rsa-sign.c
+===================================================================
+--- nettle-2.7.1.orig/rsa-sign.c 2013-05-28 10:21:53.000000000 -0400
++++ nettle-2.7.1/rsa-sign.c 2017-02-03 08:24:42.761075113 -0500
+@@ -88,11 +88,11 @@
+ 
+ /* Compute xq = m^d % q = (m%q)^b % q */
+ mpz_fdiv_r(xq, m, key->q);
+- mpz_powm(xq, xq, key->b, key->q);
++ mpz_powm_sec(xq, xq, key->b, key->q);
+ 
+ /* Compute xp = m^d % p = (m%p)^a % p */
+ mpz_fdiv_r(xp, m, key->p);
+- mpz_powm(xp, xp, key->a, key->p);
++ mpz_powm_sec(xp, xp, key->a, key->p);
+ 
+ /* Set xp' = (xp - xq) c % p. */
+ mpz_sub(xp, xp, xq);
+Index: nettle-2.7.1/rsa.c
+===================================================================
+--- nettle-2.7.1.orig/rsa.c 2013-05-28 10:21:53.000000000 -0400
++++ nettle-2.7.1/rsa.c 2017-02-03 08:32:42.018811528 -0500
+@@ -50,13 +50,18 @@
+ }
+ 
+ /* Computes the size, in octets, of a the modulo. Returns 0 if the
+- * modulo is too small to be useful. */
+-
++ * modulo is too small to be useful, or otherwise appears invalid. */
+ unsigned
+ _rsa_check_size(mpz_t n)
+ {
+ /* Round upwards */
+- unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;
++ unsigned size;
++
++ /* Even moduli are invalid, and not supported by mpz_powm_sec. */
++ if (mpz_even_p (n))
++ return 0;
++
++ size = (mpz_sizeinbase(n, 2) + 7) / 8;
+ 
+ if (size < RSA_MINIMUM_N_OCTETS)
+ return 0;
+Index: nettle-2.7.1/testsuite/rsa-test.c
+===================================================================
+--- nettle-2.7.1.orig/testsuite/rsa-test.c 2013-05-28 10:21:54.000000000 -0400
++++ nettle-2.7.1/testsuite/rsa-test.c 2017-02-03 08:31:15.253775662 -0500
+@@ -57,6 +57,13 @@
+ 
+ test_rsa_sha512(&pub, &key, expected);
+ 
++ /* Test detection of invalid keys with even modulo */
++ mpz_clrbit (pub.n, 0);
++ ASSERT (!rsa_public_key_prepare (&pub));
++
++ mpz_clrbit (key.p, 0);
++ ASSERT (!rsa_private_key_prepare (&key));
++
+ /* 777-bit key, generated by
+ *
+ * lsh-keygen -a rsa -l 777 -f advanced-hex
+Index: nettle-2.7.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-2.7.1.orig/rsa-decrypt-tr.c 2013-05-28 10:21:53.000000000 -0400
++++ nettle-2.7.1/rsa-decrypt-tr.c 2017-02-03 08:40:08.352456661 -0500
+@@ -43,6 +43,14 @@
+ mpz_t m, ri;
+ int res;
+ 
++ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
++ key is invalid and rejected by rsa_private_key_prepare. However,
++ some applications, notably gnutls, don't use this function, and
++ we don't want an invalid key to lead to a crash down inside
++ mpz_powm_sec. So do an additional check here. */
++ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
++ return 0;
++
+ mpz_init_set(m, gibberish);
+ mpz_init (ri);
+ 
+Index: nettle-2.7.1/rsa-decrypt.c
+===================================================================
+--- nettle-2.7.1.orig/rsa-decrypt.c 2013-05-28 10:21:53.000000000 -0400
++++ nettle-2.7.1/rsa-decrypt.c 2017-02-03 08:39:57.292307896 -0500
+@@ -39,6 +39,14 @@
+ mpz_t m;
+ int res;
+ 
++ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
++ key is invalid and rejected by rsa_private_key_prepare. However,
++ some applications, notably gnutls, don't use this function, and
++ we don't want an invalid key to lead to a crash down inside
++ mpz_powm_sec. So do an additional check here. */
++ if (mpz_even_p (key->p) || mpz_even_p (key->q))
++ return 0;
++
+ mpz_init(m);
+ rsa_compute_root(key, m, gibberish);
+ 
diff -Nru nettle-2.7.1/debian/patches/series nettle-2.7.1/debian/patches/series
--- nettle-2.7.1/debian/patches/series 2016-02-10 18:33:23.000000000 +0000
+++ nettle-2.7.1/debian/patches/series 2017-02-03 13:24:29.000000000 +0000
@@ -1,2 +1,3 @@
 CVE-2015-8803_8805.patch
 CVE-2015-8804.patch
+CVE-2016-6489.patch