GNU bug report logs - #47222
Serious bug in Nettle's ecdsa_verify

Package: guix

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Thu, 18 Mar 2021 00:24:01 UTC

Severity: important

Tags: security

Done: "(" <paren <at> disroot.org>

Bug is archived. No further changes may be made.

From: Ludovic Courtès <ludo <at> gnu.org>
To: Niels Möller <nisse <at> lysator.liu.se>
Cc: 47222 <at> debbugs.gnu.org, nettle-bugs <at> lists.lysator.liu.se
Subject: bug#47222: Serious bug in Nettle's ecdsa_verify
Date: Thu, 25 Mar 2021 10:51:51 +0100

Hi Niels,

> I've prepared a new bug-fix release of Nettle, a low-level
> cryptographic library, to fix a serious bug in the function to verify
> ECDSA signatures. Implications include an assertion failure, which could
> be used for denial-of-service, when verifying signatures on the
> secp_224r1 and secp521_r1 curves. More details in NEWS file below.
>
> Upgrading is strongly recommended.

Are there plans to make a new 3.5 release including these fixes?
Alternatively, could you provide guidance as to which commits should be
cherry-picked in 3.5 for downstream distros?

I’m asking because in Guix, the easiest way for us to deploy the fixes
on the ‘master’ branch would be by “grafting” a new Nettle variant
ABI-compatible with 3.5.1, which is the one packages currently depend on.

Thanks in advance,
Ludo’.




This bug report was last modified 2 years and 285 days ago.
