From unknown Wed Jun 18 23:08:49 2025
From: bug#47222 <47222@debbugs.gnu.org>
To: bug#47222 <47222@debbugs.gnu.org>
Subject: Status: Serious bug in Nettle's ecdsa_verify
Date: Thu, 19 Jun 2025 06:08:49 +0000

retitle 47222 Serious bug in Nettle's ecdsa_verify
reassign 47222 guix
submitter 47222 Mark H Weaver
severity 47222 important
tag 47222 security
thanks

From debbugs-submit-bounces@debbugs.gnu.org Wed Mar 17 20:23:51 2021
From: Mark H Weaver
To: bug-guix@gnu.org
Subject: Serious bug in Nettle's ecdsa_verify
Date: Wed, 17 Mar 2021 20:21:54 -0400
Message-ID: <87blbhia4i.fsf@netris.org>

FYI...

-------------------- Start of forwarded message --------------------
From: nisse@lysator.liu.se (Niels Möller)
To: nettle-bugs@lists.lysator.liu.se
Subject: ANNOUNCE: Serious bug in Nettle's ecdsa_verify
Date: Tue, 16 Mar 2021 09:07:56 +0100

I've been made aware of a bug in Nettle's code to verify ECDSA
signatures. Certain signatures result in the ecc point multiply function
being called with out-of-range scalars, which may give incorrect
results, or crash in an assertion failure. It's an old bug, probably
since Nettle's initial implementation of ECDSA.

I've just pushed fixes for ecdsa_verify, as well as a few other cases of
potentially out-of-range scalars, to the master-updates branch.

I haven't fully analysed the implications, but I'll describe my current
understanding. I think an assertion failure, useful for a
denial-of-service attack, is easy on the curves where the bitsize of q,
the group order, is not an integral number of words. That's secp224r1,
on 64-bit platforms, and secp521r1.

Even when it's not possible to trigger an assertion failure, it's easy
to produce valid-looking input "signatures" that hit out-of-range
intermediate scalar values where point multiplication may misbehave.
This applies to all the NIST secp* curves as well as the GOST curves.
To me, it looks very difficult to make it misbehave in such a way that
ecdsa_verify will think an invalid signature is valid, but it might be
possible; further analysis is needed. I will not be able to analyze it
properly now, if anyone else would like to look into it, I can provide a
bit more background.

ed25519 and ed448 may be affected too, but it appears a bit harder to
find inputs that hit out of range values. And since point operations are
inherently more robust on these curves, I think they will produce
correct results as long as they don't hit the assert.

Advice on how to deal best with this? My current plan is to prepare a
3.7.2 bugfix release (from a new bugfix-only branch, without the new
arm64 code). Maybe as soon as tomorrow (Wednesday, European time), or in
the weekend.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
-------------------- End of forwarded message --------------------

From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 18 09:27:28 2021
From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #47222
Date: Thu, 18 Mar 2021 14:27:19 +0100
Message-Id: <874kh8r3rc.fsf@gnu.org>

tags 47222 + security
quit

From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 18 09:27:32 2021
From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #47222
Date: Thu, 18 Mar 2021 14:27:23 +0100
Message-Id: <8735wsr3r8.fsf@gnu.org>

severity 47222 important
quit

From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 21 15:49:33 2021
From: Mark H Weaver
To: 47222@debbugs.gnu.org
Subject: [Niels Möller] ANNOUNCE: Nettle-3.7.2
Date: Sun, 21 Mar 2021 15:47:47 -0400
Message-ID: <875z1kl24h.fsf@netris.org>

-------------------- Start of forwarded message --------------------
From: nisse@lysator.liu.se (Niels Möller)
To: nettle-bugs@lists.lysator.liu.se, info-gnu@gnu.org
Subject: ANNOUNCE: Nettle-3.7.2
Date: Sun, 21 Mar 2021 10:24:11 +0100

I've prepared a new bug-fix release of Nettle, a low-level cryptographic
library, to fix a serious bug in the function to verify ECDSA
signatures. Implications include an assertion failure, which could be
used for denial-of-service, when verifying signatures on the secp224r1
and secp521r1 curves. More details in NEWS file below.

Upgrading is strongly recommended.

The Nettle home page can be found at
https://www.lysator.liu.se/~nisse/nettle/, and the manual at
https://www.lysator.liu.se/~nisse/nettle/nettle.html.

The release can be downloaded from

  https://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
  ftp://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
  https://www.lysator.liu.se/~nisse/archive/nettle-3.7.2.tar.gz

Regards,
/Niels

NEWS for the Nettle 3.7.2 release

    This is a bugfix release, fixing a bug in ECDSA signature
    verification that could lead to a denial of service attack (via
    an assertion failure) or possibly incorrect results. It also
    fixes a few related problems where scalars are required to be
    canonically reduced modulo the ECC group order, but in fact may
    be slightly larger. Upgrading to the new version is strongly
    recommended.

    Even when no assert is triggered in ecdsa_verify, ECC point
    multiplication may get invalid intermediate values as input, and
    produce incorrect results. It's trivial to construct alleged
    signatures that result in invalid intermediate values. It
    appears difficult to construct an alleged signature that makes
    the function misbehave in such a way that an invalid signature
    is accepted as valid, but such attacks can't be ruled out
    without further analysis.

    Thanks to Guido Vranken for setting up the fuzzer tests that
    uncovered this problem.

    The new version is intended to be fully source and binary
    compatible with Nettle-3.6. The shared library names are
    libnettle.so.8.3 and libhogweed.so.6.3, with sonames
    libnettle.so.8 and libhogweed.so.6.

    Bug fixes:

    * Fixed bug in ecdsa_verify, and added a corresponding test case.

    * Similar fixes to ecc_gostdsa_verify and gostdsa_vko.

    * Similar fixes to eddsa signatures. The problem is less severe
      for these curves, because (i) the potentially out of range
      value is derived from output of a hash function, making it
      harder for the attacker to hit the narrow range of problematic
      values, and (ii) the ecc operations are inherently more
      robust, and my current understanding is that unless the
      corresponding assert is hit, the verify operation should
      complete with a correct result.

    * Fix to ecdsa_sign, which with a very low probability could
      return out of range signature values, which would be rejected
      immediately by a verifier.

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
-------------------- End of forwarded message --------------------

From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 25 05:52:05 2021
From: Ludovic Courtès
To: Niels Möller
Cc: 47222@debbugs.gnu.org, nettle-bugs@lists.lysator.liu.se
Subject: Re: bug#47222: Serious bug in Nettle's ecdsa_verify
Date: Thu, 25 Mar 2021 10:51:51 +0100
Message-ID: <87h7kzblxk.fsf_-_@gnu.org>
In-Reply-To: <875z1kl24h.fsf@netris.org> (Mark H. Weaver's message of "Sun, 21 Mar 2021 15:47:47 -0400")

Hi Niels,

> I've prepared a new bug-fix release of Nettle, a low-level
> cryptographic library, to fix a serious bug in the function to verify
> ECDSA signatures. Implications include an assertion failure, which could
> be used for denial-of-service, when verifying signatures on the
> secp224r1 and secp521r1 curves. More details in NEWS file below.
>
> Upgrading is strongly recommended.

Are there plans to make a new 3.5 release including these fixes?

Alternatively, could you provide guidance as to which commits should be
cherry-picked in 3.5 for downstream distros?

I’m asking because in Guix, the easiest way for us to deploy the fixes
on the ‘master’ branch would be by “grafting” a new Nettle variant
ABI-compatible with 3.5.1, which is the one packages currently depend on.

Thanks in advance,
Ludo’.
From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 25 12:21:45 2021
From: nisse@lysator.liu.se (Niels Möller)
To: Ludovic Courtès
Cc: 47222@debbugs.gnu.org, nettle-bugs@lists.lysator.liu.se
Subject: Re: bug#47222: Serious bug in Nettle's ecdsa_verify
Date: Thu, 25 Mar 2021 17:21:40 +0100
In-Reply-To: <87h7kzblxk.fsf_-_@gnu.org> (Ludovic Courtès's message of "Thu, 25 Mar 2021 10:51:51 +0100")

Ludovic Courtès writes:

> Are there plans to make a new 3.5 release including these fixes?

No, I don't plan any 3.5.x release.

> Alternatively, could you provide guidance as to which commits should be
> cherry-picked in 3.5 for downstream distros?

Look at the branch release-3.7-fixes
(https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/).
The commits since 3.7.1 are the ones you need.

Changes to gostdsa and ed448 will not apply, since those curves didn't
exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
refactoring when adding ed448.

> I’m asking because in Guix, the easiest way for us to deploy the fixes
> on the ‘master’ branch would be by “grafting” a new Nettle variant
> ABI-compatible with 3.5.1, which is the one packages currently depend on.

I still recommend upgrading to the latest version. There was an ABI
break in 3.6 (so you'd need to recompile lots of guix packages), but no
incompatible changes to the (source level) API.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
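[Editor's note: the following worked example is added to this archived thread; it is not Nettle's code and was not posted by anyone above.] It reproduces the failure shape that the announcement and the 3.7.2 NEWS entry describe: a scalar that is congruent to the right value modulo the group order q but is not canonically reduced, handed to a point multiplication sized for q. The toy curve is the textbook y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) of prime order q = 19, so scalars are 5 bits wide and 2q = 38 does not fit; that plays the role of secp224r1 and secp521r1, where the bit size of q is not a whole number of words. The "lazy" product that returns any representative below 2q stands in for a reduction that omits its final conditional subtraction; it is much cruder than Nettle's arithmetic (in this toy even honest signatures can land out of range), and the hash, the range check on r and s, and the search routine are all assumptions of the example, not Nettle's.

```python
"""Toy ECDSA verifier showing a non-canonical scalar reaching point multiplication.
Added example, not Nettle code; curve, hash and "lazy" reduction are assumptions."""
import hashlib
import secrets

# Textbook curve y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) has prime order 19.
P, A, B = 17, 2, 2
G = (5, 1)
Q = 19                   # group order: every scalar must be canonical, in [0, Q)
QBITS = Q.bit_length()   # 5; the point multiply below is sized for exactly this width
INF = None               # point at infinity


def inv(x, m):
    return pow(x, -1, m)


def add(p1, p2):
    """Affine point addition, with doubling when p1 == p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add over exactly QBITS bits, as code sized for the curve walks
    its scalar; the assert stands in for the assertion failure in the thread."""
    assert 0 <= k < (1 << QBITS), "scalar exceeds the curve's scalar width"
    acc = INF
    for i in range(QBITS - 1, -1, -1):
        acc = add(acc, acc)
        if (k >> i) & 1:
            acc = add(acc, pt)
    return acc


def hash_to_scalar(msg):
    # Toy message hash: SHA-256 reduced mod Q (an assumption of this example).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def sign(d, msg):
    h = hash_to_scalar(msg)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = mul(k, G)[0] % Q
        s = inv(k, Q) * (h + d * r) % Q
        if r and s:
            return r, s


def mod_mul_lazy(a, b):
    """Congruent to a*b mod Q but only reduced below 2*Q: the output range of a
    modular reduction that skips its final conditional subtraction."""
    return (a * b) % (2 * Q)


def mod_mul_canonical(a, b):
    """Fully reduced product in [0, Q), which is what the fix insists on."""
    return (a * b) % Q


def _verify(pub, msg, sig, mod_mul):
    r, s = sig
    if not (1 <= r < Q and 1 <= s < Q):    # r and s themselves are range-checked
        return False
    w = inv(s, Q)
    u1 = mod_mul(hash_to_scalar(msg), w)   # u1 = h / s
    u2 = mod_mul(r, w)                     # u2 = r / s
    x = add(mul(u1, G), mul(u2, pub))      # scalars must be canonical here
    return x is not INF and x[0] % Q == r


def verify_buggy(pub, msg, sig):
    return _verify(pub, msg, sig, mod_mul_lazy)


def verify_fixed(pub, msg, sig):
    return _verify(pub, msg, sig, mod_mul_canonical)


def craft_dos_signature(pub, msg):
    """Attacker side, public data only: an (r, s) that passes the range check but
    whose lazily reduced u1 or u2 overflows QBITS bits, and that a correct
    verifier rejects (a plain forgery, not an accidentally valid signature)."""
    h = hash_to_scalar(msg)
    for s in range(1, Q):
        w = inv(s, Q)
        for r in range(1, Q):
            overflow = max(mod_mul_lazy(h, w), mod_mul_lazy(r, w)) >= (1 << QBITS)
            if overflow and not verify_fixed(pub, msg, (r, s)):
                return r, s
    return None


def triggers_dos(pub, msg, sig):
    """True when the buggy verifier aborts on the assert instead of returning."""
    try:
        verify_buggy(pub, msg, sig)
    except AssertionError:
        return True
    return False
```

With pub = mul(7, G) and any message, sign(7, msg) verifies under verify_fixed, while craft_dos_signature(pub, msg) finds a pair (no private key needed) that makes verify_buggy abort and that verify_fixed simply rejects. The point to take from the NEWS entry is where the check has to sit: the range test on r and s is not enough on its own, every scalar derived from them must be canonically reduced before it reaches the point multiply.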
From debbugs-submit-bounces@debbugs.gnu.org Thu Mar 25 14:17:03 2021
From: Leo Famulari
To: Niels Möller
Cc: Ludovic Courtès, 47222@debbugs.gnu.org, nettle-bugs@lists.lysator.liu.se
Subject: Re: bug#47222: Serious bug in Nettle's ecdsa_verify
Date: Thu, 25 Mar 2021 14:16:50 -0400

On Thu, Mar 25, 2021 at 05:21:40PM +0100, Niels Möller wrote:
> Changes to gostdsa and ed448 will not apply, since those curves didn't
> exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
> refactoring when adding ed448.

Okay.

> > I’m asking because in Guix, the easiest way for us to deploy the fixes
> > on the ‘master’ branch would be by “grafting” a new Nettle variant
> > ABI-compatible with 3.5.1, which is the one packages currently depend on.
>
> I still recommend upgrading to the latest version. There was an ABI
> break in 3.6 (so you'd need to recompile lots of guix packages), but no
> incompatible changes to the (source level) API.

Unfortunately, non-ABI compatible upgrades of nettle cannot be done
quickly in Guix. As you point out, we'd have to recompile over 10000
packages, and then we'd have to fix any breakage that might occur from
the upgrade.

We will have to try to cherry-pick the bug fix patches.

From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 06 07:10:05 2021
From: Léo Le Bouter
To: 47222@debbugs.gnu.org
Subject: Serious bug in Nettle's ecdsa_verify
Date: Tue, 06 Apr 2021 13:09:57 +0200
Message-ID: <082e0d953dd34519b597f675a72299c2e7a4917c.camel@zaclys.net>

I am no expert cryptographer, it is likely that if I try backporting
such patches I will get something wrong that introduces more flaws.

https://security-tracker.debian.org/tracker/CVE-2021-20305 - no patch
backported yet

https://packages.ubuntu.com/source/focal/nettle - no patch backported
either

It would be best if Nettle adopted a forever (or almost) backwards
compatible ABI from now on like curl (https://curl.se/libcurl/abi.html)
so that such things don't happen again.

Thank you,
Léo

From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 16 16:47:00 2021
From: Ludovic Courtès
To: 47222@debbugs.gnu.org
Cc: Mark H Weaver, Leo Famulari
Subject: Re: bug#47222: Serious bug in Nettle's ecdsa_verify
Date: Fri, 16 Apr 2021 22:46:50 +0200
Message-ID: <87im4m2c05.fsf@gnu.org>
In-Reply-To: (Niels Möller's message of "Thu, 25 Mar 2021 17:21:40 +0100")

Hi!

(- Niels, - nettle-bugs)

nisse@lysator.liu.se (Niels Möller) writes:

> Ludovic Courtès writes:
>
>> Are there plans to make a new 3.5 release including these fixes?
>
> No, I don't plan any 3.5.x release.
>
>> Alternatively, could you provide guidance as to which commits should be
>> cherry-picked in 3.5 for downstream distros?
>
> Look at the branch release-3.7-fixes
> (https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/).
> The commits since 3.7.1 are the ones you need.
>
> Changes to gostdsa and ed448 will not apply, since those curves didn't
> exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
> refactoring when adding ed448.

I confirm these patches don’t apply, and I’m not comfortable fiddling
with that.

Leo and I checked and found that Debian doesn’t have 3.5.

Do other distros have backports of these patches to 3.5? If not, our
options are:

  1. to invest in the backport ourselves, with good peer review, ideally
     getting it stamped by Niels & co;

  2. to wait until a full rebuild has come.

It’s not an ideal situation. Thoughts?

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 08 13:12:59 2022
From: "("
To: <47222-done@debbugs.gnu.org>
Subject:
Date: Mon, 08 Aug 2022 18:11:05 +0100

We now have nettle 3.7.3, so this isn't an issue anymore. Closing.

-- (

From unknown Wed Jun 18 23:08:49 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Date: Tue, 06 Sep 2022 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator