ArchLinux: 201912-3: crypto++: private key recovery

    Date: 10 Dec 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package crypto++ before version 8.2.0-2 is vulnerable to private key recovery.
    Arch Linux Security Advisory ASA-201912-3
    =========================================
    
    Severity: High
    Date    : 2019-12-06
    CVE-ID  : CVE-2019-14318
    Package : crypto++
    Type    : private key recovery
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1046
    
    Summary
    =======
    
    The package crypto++ before version 8.2.0-2 is vulnerable to private
    key recovery.
    
    Resolution
    ==========
    
    Upgrade to 8.2.0-2.
    
    # pacman -Syu "crypto++>=8.2.0-2"
    
    The problem has been fixed upstream but no release is available yet.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A vulnerability has been found in the ECDSA/EdDSA implementation of
    crypto++ up to 8.2.0, allowing for practical recovery of the long-term
    private key.
    
    Impact
    ======
    
    An attacker might be able to recover the long-term private key by
    measuring the duration of hundreds to thousands of signing operations
    of known messages.
    
    References
    ==========
    
    https://seclists.org/oss-sec/2019/q4/3
    https://minerva.crocs.fi.muni.cz/
    https://github.com/weidai11/cryptopp/issues/869
    https://github.com/weidai11/cryptopp/pull/870/commits/80c59bcdb251043f27eef95a4f31224c4615c3ec
    https://github.com/weidai11/cryptopp/commit/c9ef9420e762
    https://security.archlinux.org/CVE-2019-14318
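
To find hosts that still carry a crypto++ build older than the fixed 8.2.0-2, the following added example (not part of the advisory) audits an inventory of `host package version` rows. The inventory format, the host names and the function names are assumptions made for illustration; the sample rows are constructed.

```shell
#!/bin/sh
# Added example: flag crypto++ versions older than the fix named in ASA-201912-3.
FIXED="8.2.0-2"   # fixed package version, taken from the advisory

# Return 0 if version $1 sorts strictly before version $2.
# Uses pacman's vercmp when it is installed; otherwise falls back to
# GNU `sort -V` (assumption: good enough for pkgver-pkgrel strings
# that carry no epoch prefix).
ver_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
    fi
}

# Read "host package version" rows on stdin and report every crypto++ row.
# Rows for other packages are ignored.
audit_inventory() {
    while read -r host pkg ver; do
        [ "$pkg" = "crypto++" ] || continue
        if ver_lt "$ver" "$FIXED"; then
            printf '%s VULNERABLE %s\n' "$host" "$ver"
        else
            printf '%s ok %s\n' "$host" "$ver"
        fi
    done
}

# Constructed sample inventory (hypothetical hosts), e.g. collected by
# running `pacman -Q` on each machine and prefixing the host name.
sample_inventory() {
    cat <<'EOF'
build01 crypto++ 8.2.0-1
build02 crypto++ 8.2.0-2
web01 openssl 1.1.1.d-1
web02 crypto++ 8.1.0-3
EOF
}

sample_inventory | audit_inventory
```

Hosts reported as VULNERABLE need the upgrade from the Resolution section; since the long-term signing key is what leaks, keys used with the affected builds may also warrant rotation.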
    