Discover Government News

Arch Linux Security Advisory ASA-201602-5
========================================
Severity: Medium
Date    : 2016-02-03
CVE-ID  : CVE-2015-8803 CVE-2015-8804 CVE-2015-8805
Package : nettle
Type    : improper cryptographic calculations
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package nettle before version 3.2-1 is vulnerable to improper
cryptographic calculations with unspecified impact.

Resolution
=========
Upgrade to 3.2-1.

# pacman -Syu "nettle>=3.2-1"

The problems have been fixed upstream in version 3.2-1.

Workaround
=========
None.

Description
==========
- CVE-2015-8803 CVE-2015-8804 CVE-2015-8805
  (improper cryptographic calculations)

It has been discovered that multiple carry propagation bugs are
producing wrong results in calculations. They affect the NIST P-256 and
P-384 curves. The P-256 bug is in the C code and affects multiple
architectures. The P-384 bug is in the assembly code and only affects 64
bit x86. The computation compiles a certain curve point with 1, which
should not change the coordinates, however it does.

Impact
=====
The impact is currently unclear, but miscalculations in cryptographic
functions are classified as security issues.

References
=========
https://access.redhat.com/security/cve/CVE-2015-8803
https://access.redhat.com/security/cve/CVE-2015-8804
https://access.redhat.com/security/cve/CVE-2015-8805
https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html

ArchLinux: 201602-5: nettle: improper cryptographic calculations

February 3, 2016

Summary

- CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 (improper cryptographic calculations) It has been discovered that multiple carry propagation bugs are producing wrong results in calculations. They affect the NIST P-256 and P-384 curves. The P-256 bug is in the C code and affects multiple architectures. The P-384 bug is in the assembly code and only affects 64 bit x86. The computation compiles a certain curve point with 1, which should not change the coordinates, however it does.

Resolution

Upgrade to 3.2-1. # pacman -Syu "nettle>=3.2-1"
The problems have been fixed upstream in version 3.2-1.

References

https://access.redhat.com/security/cve/CVE-2015-8803 https://access.redhat.com/security/cve/CVE-2015-8804 https://access.redhat.com/security/cve/CVE-2015-8805 https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html

Severity
Package : nettle
Type : improper cryptographic calculations
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE

Workaround

None.

Related News