GNU bug report logs - #47222
Serious bug in Nettle's ecdsa_verify

Previous Next

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Thu, 18 Mar 2021 00:24:01 UTC

Severity: important

Tags: security

Done: "(" <paren <at> disroot.org>

Bug is archived. No further changes may be made.

Full log

Message #24 received at 47222 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47222 <at> debbugs.gnu.org
Subject: Serious bug in Nettle's ecdsa_verify
Date: Tue, 06 Apr 2021 13:09:57 +0200

[Message part 1 (text/plain, inline)]

I am no expert cryptographer, it is likely that if I try backporting
such patches I will get something wrong that introduces more flaws.

https://security-tracker.debian.org/tracker/CVE-2021-20305 - no patch
backported yet
https://packages.ubuntu.com/source/focal/nettle - no patch backported
either

It would be best if Nettle adopted a forever (or almost) backwards
compatible ABI from now on like curl (https://curl.se/libcurl/abi.html)
so that such things don't happen again.

Thank you,
Léo

[signature.asc (application/pgp-signature, inline)]

This bug report was last modified 2 years and 343 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #47222 Serious bug in Nettle's ecdsa_verify

GNU bug report logs - #47222
Serious bug in Nettle's ecdsa_verify