ArchLinux: 201912-3: crypto++: private key recovery

    Date10 Dec 2019
    CategoryArchLinux
    158
    Posted ByLinuxSecurity Advisories
    The package crypto++ before version 8.2.0-2 is vulnerable to private key recovery.
    Arch Linux Security Advisory ASA-201912-3
    =========================================
    
    Severity: High
    Date    : 2019-12-06
    CVE-ID  : CVE-2019-14318
    Package : crypto++
    Type    : private key recovery
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1046
    
    Summary
    =======
    
    The package crypto++ before version 8.2.0-2 is vulnerable to private
    key recovery.
    
    Resolution
    ==========
    
    Upgrade to 8.2.0-2.
    
    # pacman -Syu "crypto++>=8.2.0-2"
    
    The problem has been fixed upstream but no release is available yet.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A vulnerability has been found in the ECDSA/EdDSA implementation of
    crypto++ up to 8.2.0, allowing for practical recovery of the long-term
    private key.
    
    Impact
    ======
    
    An attacker might be able to recover long-term private key by measuring
    the duration of hundreds to thousands of signing operations of known
    messages.
    
    References
    ==========
    
    https://seclists.org/oss-sec/2019/q4/3
    https://minerva.crocs.fi.muni.cz/
    https://github.com/weidai11/cryptopp/issues/869
    https://github.com/weidai11/cryptopp/pull/870/commits/80c59bcdb251043f27eef95a4f31224c4615c3ec
    https://github.com/weidai11/cryptopp/commit/c9ef9420e762
    https://security.archlinux.org/CVE-2019-14318
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"82","type":"x","order":"1","pct":56.16,"resources":[]},{"id":"88","title":"Should be more technical","votes":"22","type":"x","order":"2","pct":15.07,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"42","type":"x","order":"3","pct":28.77,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.