Date: Sat, 30 Jul 2016 10:16:58 -0400
From: Hanno Böck <>
To: Huzaifa Sidhpurwala <>, Mitre CVE assign department <>
Subject: Re: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks

On Fri, 29 Jul 2016 14:19:38 +0530
Huzaifa Sidhpurwala <> wrote:

> The following whitepaper talks about libgcrypt's RSA code being
> vulnerable to a cache timing attack, which the paper claims is fixed
> in 1.6.3.
> It seems nettle is also vulnerable to this flaw, which was confirmed
> by upstream via:
> The above link also contains a proposed patch, which will be committed soon.

FYI, this patch had some unintended side effects:

They replaced GMP's mpz_powm with mpz_powm_sec, however the latter is
not equivalent. It requires odd moduli and will crash with a floating
point exception if the modulus is even.

This is actually a bug class that may turn out to be interesting, I
recently experienced something very similar (but more severe) in
matrixssl (writeup on that will follow as soon as I find time for it).
Bignum libraries have certain conditions on how their input is formed
and don't behave well if the input isn't what they expect. These
conditions usually make sense in the average use case, but not
necessarily if an attacker can control some of the input.

Hanno Böck
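As an added example (not code from this post, from nettle or from GMP), the following pure-Python model shows why a hardened modular exponentiation can require an odd modulus and how a caller should validate input before handing it to such a routine. It assumes that mpz_powm_sec's documented odd-modulus requirement comes from Montgomery (REDC) reduction; the function names are hypothetical.

```python
# Added example, not code from the original post, nettle or GMP. Models the
# precondition behind mpz_powm_sec (documented: modulus must be odd), assumed
# here to come from Montgomery/REDC reduction. Names are hypothetical.

def mont_powm(base: int, exp: int, mod: int) -> int:
    """Fixed-pattern (Montgomery ladder) modular exponentiation; needs odd mod."""
    if mod <= 0 or exp < 0:
        raise ValueError("mod must be positive and exp non-negative")
    k = mod.bit_length()
    R, mask = 1 << k, (1 << k) - 1
    # REDC needs -mod^-1 mod R, which exists only for odd mod. For even mod
    # this raises ValueError: the analogue of the crash described above when
    # mpz_powm_sec is handed an even modulus.
    m_inv = pow(-mod, -1, R)

    def redc(t: int) -> int:  # t * R^-1 mod mod, for 0 <= t < mod*R
        u = (t + (((t & mask) * m_inv) & mask) * mod) >> k
        return u - mod if u >= mod else u

    r2 = (R * R) % mod
    r0, r1 = R % mod, redc((base % mod) * r2)  # 1 and base in Montgomery form
    for i in range(exp.bit_length() - 1, -1, -1):  # same ops for every bit
        if (exp >> i) & 1:
            r0, r1 = redc(r0 * r1), redc(r1 * r1)
        else:
            r1, r0 = redc(r0 * r1), redc(r0 * r0)
    return redc(r0)


def powm_checked(base: int, exp: int, mod: int) -> int:
    """Validate before the hardened path. RSA moduli are odd, so an even one
    is invalid key material: reject it instead of crashing or silently
    falling back to a variable-time routine."""
    if mod < 3 or mod % 2 == 0:
        raise ValueError("modulus must be odd and >= 3")
    return mont_powm(base, exp, mod)


def even_modulus_behaviour(mod: int = 100) -> dict:
    """Generic routine vs hardened routine on an even modulus."""
    out = {"generic": pow(3, 5, mod)}  # the old general-purpose path copes
    try:
        mont_powm(3, 5, mod)
        out["hardened"] = "ok"
    except ValueError:
        out["hardened"] = "rejected"
    return out
```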

