GNU bug report logs - #47222
Serious bug in Nettle's ecdsa_verify

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Thu, 18 Mar 2021 00:24:01 UTC

Severity: important

Tags: security

Done: "(" <paren <at> disroot.org>

Bug is archived. No further changes may be made.

Message #21 received at 47222 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Niels Möller <nisse <at> lysator.liu.se>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 47222 <at> debbugs.gnu.org,
 nettle-bugs <at> lists.lysator.liu.se
Subject: Re: bug#47222: Serious bug in Nettle's ecdsa_verify
Date: Thu, 25 Mar 2021 14:16:50 -0400
On Thu, Mar 25, 2021 at 05:21:40PM +0100, Niels Möller wrote:
> Changes to gostdsa and ed448 will not apply, since those curves didn't
> exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
> refactoring when adding ed448.

Okay.

> > I’m asking because in Guix, the easiest way for us to deploy the fixes
> > on the ‘master’ branch would be by “grafting” a new Nettle variant
> > ABI-compatible with 3.5.1, which is the one packages currently depend on.
> 
> I still recommend upgrading to the latest version. There was an ABI
> break in 3.6 (so you'd need to recompile lots of guix packages), but no
> incompatible changes to the (source level) API.

Unfortunately, non-ABI-compatible upgrades of nettle cannot be done
quickly in Guix. As you point out, we'd have to recompile over 10,000
packages, and then we'd have to fix any breakage that might occur from
the upgrade.

We will have to try to cherry-pick the bug fix patches.
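The "grafting" route Ludovic describes, sketched as an added Guix package definition that is not from this thread and not Guix's own gnu/packages/nettle.scm: the package that dependents already reference stays at 3.5.1, and a `replacement` field points at an ABI-compatible variant carrying the cherry-picked fixes, so Guix swaps it into already-built dependents instead of rebuilding them. The patch file name is a placeholder, and `nettle-grafted` is a local name used only so the example can be built from a channel directory.

```scheme
;; Added example (not from the bug thread or from Guix's own nettle.scm).
;; Demonstrates a graft: keep the nettle 3.5.1 package that >10,000 packages
;; depend on, and declare an ABI-compatible replacement with the fixes applied.
(use-modules (guix packages)
             (guix gexp)
             (gnu packages nettle))

;; The fixed variant: same 3.5.1 tarball, same build recipe, plus the
;; cherry-picked upstream patches. The patch file name is a placeholder
;; for the real patch cherry-picked from upstream nettle.
(define nettle/fixed
  (package
    (inherit nettle)
    (source
     (origin
       (inherit (package-source nettle))
       (patches
        (cons (local-file "nettle-3.5.1-ecdsa-verify-PLACEHOLDER.patch")
              (origin-patches (package-source nettle))))))))

;; The grafted package. `replacement` tells Guix that any output built
;; against this package may have nettle/fixed substituted in at the
;; store-path level, which only works because the replacement keeps the
;; same version and ABI (the constraint Niels points out for 3.6).
(define-public nettle-grafted
  (package
    (inherit nettle)
    (replacement nettle/fixed)))
```

In the real tree the `replacement` field is added to the existing `nettle` definition itself so that every current dependent picks it up; the separate `nettle-grafted` name above only exists so the sketch can be tried from a local directory with `guix build -L . nettle-grafted`. Comparing that with `guix build -L . --no-grafts nettle-grafted` shows the ungrafted and grafted store paths, which is the check to run before relying on the graft.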

This bug report was last modified 2 years and 285 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.