deps: float two (more) OpenSSL patches for DSA vulnerabilities #23965
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed severe enough to be assigned a CVE #. Ref: openssl/openssl#7487 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@415c3356 Original commit message: DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7487)
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486)
ryzokuken
approved these changes
Oct 30, 2018
tniessen
approved these changes
Oct 30, 2018
fhinkel
approved these changes
Oct 30, 2018
jasnell
approved these changes
Oct 30, 2018
|
Landed in c1e6703...213c7d2 |
Trott
pushed a commit
to Trott/io.js
that referenced
this pull request
Nov 4, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed severe enough to be assigned a CVE #. Ref: openssl/openssl#7487 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@415c3356 Original commit message: DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7487) PR-URL: nodejs#23965 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Trott
pushed a commit
to Trott/io.js
that referenced
this pull request
Nov 4, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: nodejs#23965 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
Nov 14, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.0.2q Ref: openssl/openssl#7486 Ref: openssl/openssl#7513 Ref: https://www.openssl.org/news/secadv/20181030.txt Ref: nodejs#23965 Upstream: openssl/openssl@a9cfb8c2 Upstream: openssl/openssl@43e6a58d Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) Original backport commit message: Merge DSA reallocation timing fix CVE-2018-0734. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl/openssl#7513)
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
Nov 14, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.0.2q, not deemed severe enough to be assigned a CVE #. Ref: openssl/openssl#7487 Ref: openssl/openssl#7512 Ref: nodejs#23965 Upstream: openssl/openssl@415c3356 Upstream: openssl/openssl@ebf65dbe Original commit message: DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7487) Original backport commit message: Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl/openssl#7512)
BridgeAR
pushed a commit
that referenced
this pull request
Nov 14, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed severe enough to be assigned a CVE #. Ref: openssl/openssl#7487 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@415c3356 Original commit message: DSA mod inverse fix There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7487) PR-URL: #23965 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
BridgeAR
pushed a commit
that referenced
this pull request
Nov 14, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: #23965 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
|
@rvagg IIUC this will be part of the next OpenSSL release, so I'm adding the dont-land-on label. Please correct me if I'm wrong. |
This was referenced Apr 23, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Build on from #23950 we have two more issues surrounding DSA.
One has a CVE, CVE-2018-0734 @ https://www.openssl.org/news/secadv/20181030.txt
The other runs into OpenSSL's severity-level policy for CVE assignment and doesn't quite make it so we don't have a CVE for it. openssl/openssl#7487
If this is accepted I'll put in a PR for 6 & 8 since they have different patches (for 1.0.2).
FWIW I don't believe any of these rise to much of a meaningful level of severity. We're seeing an expected wave of timing attack vulnerabilities being discovered because this is the hottest area for research right now (for good reason, it's fascinating!). But a lot of them are more academic in nature in that they require very specific circumstances to be able to build a successful attack. And in these cases I don't believe exploits have been published anywhere.
Still worth floating on our releases I reckon though. Erring on the side of security is what the vast majority of our users want to see us do.
/cc @nodejs/crypto @nodejs/security