bug#47222: Serious bug in Nettle's ecdsa

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47222: Serious bug in Nettle's ecdsa_verify

From:	Ludovic Courtès
Subject:	bug#47222: Serious bug in Nettle's ecdsa_verify
Date:	Thu, 25 Mar 2021 10:51:51 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi Niels,

> I've prepared a new bug-fix release of Nettle, a low-level
> cryptographics library, to fix a serious bug in the function to verify
> ECDSA signatures. Implications include an assertion failure, which could
> be used for denial-of-service, when verifying signatures on the
> secp_224r1 and secp521_r1 curves. More details in NEWS file below.
>
> Upgrading is strongly recomended.

Are there plans to make a new 3.5 release including these fixes?
Alternatively, could you provide guidance as to which commits should be
cherry-picked in 3.5 for downstream distros?

I’m asking because in Guix, the easiest way for us to deploy the fixes
on the ‘master’ branch would be by “grafting” a new Nettle variant
ABI-compatible with 3.5.1, which is the one packages currently depend on.

Thanks in advance,
Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47222: Serious bug in Nettle's ecdsa_verify, Mark H Weaver, 2021/03/17
- bug#47222: [Niels Möller] ANNOUNCE: Nettle-3.7.2, Mark H Weaver, 2021/03/21
  - bug#47222: Serious bug in Nettle's ecdsa_verify, Ludovic Courtès <=
    - bug#47222: Serious bug in Nettle's ecdsa_verify, Niels Möller, 2021/03/25
    - bug#47222: Serious bug in Nettle's ecdsa_verify, Leo Famulari, 2021/03/25

Prev by Date: bug#47379: "statfs" test in tests/syscall.scm fails with BTRFS file systems.
Next by Date: bug#47379: "statfs" test in tests/syscall.scm fails with BTRFS file systems.
Previous by thread: bug#47222: [Niels Möller] ANNOUNCE: Nettle-3.7.2
Next by thread: bug#47222: Serious bug in Nettle's ecdsa_verify
Index(es):
- Date
- Thread