Source: wolfssl
Version: 5.7.0-0.3
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/wolfSSL/wolfssl/pull/7020
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for wolfssl.

CVE-2024-1544[0]:
| Generating the ECDSA nonce k samples a random number r and then
| truncates this randomness with a modular reduction mod n where n is
| the order of the elliptic curve. Meaning k = r mod n. The division
| used during the reduction estimates a factor q_e by dividing the
| upper two digits (a digit having e.g. a size of 8 bytes) of r by the
| upper digit of n and then decrements q_e in a loop until it has the
| correct size. Observing the number of times q_e is decremented
| through a control-flow revealing side-channel reveals a bias in the
| most significant bits of k. Depending on the curve this is either a
| negligible bias or a significant bias large enough to reconstruct k
| with lattice reduction methods. For SECP160R1, e.g., we find a bias
| of 15 bits.

Note, I'm filing this with RC severity as all the recent uploads were
done as NMU. Is wolfssl right now ok to be released for the upcoming
trixie, or do we need to keep it out?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1544
    https://www.cve.org/CVERecord?id=CVE-2024-1544
[1] https://github.com/wolfSSL/wolfssl/pull/7020

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
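
Added example, not part of the bug report, the CVE entry or wolfSSL's code: a Python model of the reduction k = r mod n as the CVE text describes it, i.e. a digit-by-digit division whose quotient digit q_e starts as (top two digits of the remainder window) // (top digit of n) and is then decremented in a loop until it fits. The decrement loop is instrumented so the number of iterations, the quantity a control-flow side channel would reveal, is returned alongside k; leak_profile() then groups the top byte of k by that count to show that the observable partitions the nonces, and reduce_fixed() shows the shape of a fix that always runs the same number of correction steps. Assumptions of the model: the division follows the textbook Knuth Algorithm D form (divisor normalised so its top digit has the high bit set, which bounds the decrement loop to two steps per digit), the bit length of r is a caller-supplied parameter r_bits (the report does not say how many bits wolfSSL samples or exactly how its estimate is implemented), TOY_N is a constructed 24-bit modulus chosen so that the loop is exercised often with 8-bit digits, and the SECP160R1 order is used only to check the reductions against Python's own r % n. The model does not reproduce the 15-bit bias reported for SECP160R1; it shows the measurement, not that figure.

```python
"""Model of the estimate-and-decrement reduction k = r mod n from CVE-2024-1544's
description, with the decrement count exposed as the side-channel observable.
Added example; not wolfSSL code."""
import random
from collections import defaultdict

# secp160r1 group order n, from the curve's published domain parameters.
SECP160R1_N = 0x0100000000000000000001F4C8F927AED3CA752257
# Constructed toy modulus (24 bits): its second digit is 0xFF, so the
# top-digit estimate overshoots often and the decrement loop is exercised.
TOY_N = 0x80FFFF


def _setup(r, n, r_bits, digit_bits):
    """Normalise as in Knuth Algorithm D: shift so n's top digit has its high bit set.
    Returns (u, v, shift, m, v_top, index of the first quotient digit)."""
    shift = (digit_bits - n.bit_length() % digit_bits) % digit_bits
    u, v = r << shift, n << shift
    m = (v.bit_length() + digit_bits - 1) // digit_bits         # digits in v
    v_top = v >> ((m - 1) * digit_bits)
    u_digits = (r_bits + shift + digit_bits - 1) // digit_bits  # fixed by r_bits, not by r
    return u, v, shift, m, v_top, max(u_digits - m, 0)


def reduce_trial(r, n, r_bits, digit_bits):
    """k = r mod n, schoolbook digit by digit, as the CVE text describes it:
    each quotient digit starts as (top two digits of the window) // (top digit of n)
    and is decremented until q_e * n no longer exceeds the window.
    Returns (k, decrements); `decrements` is the control-flow-visible count."""
    b = 1 << digit_bits
    u, v, shift, m, v_top, j_max = _setup(r, n, r_bits, digit_bits)
    rem, decrements = u, 0
    for j in range(j_max, -1, -1):
        window = rem >> (j * digit_bits)                         # always < b * v
        q_e = min(b - 1, (window >> ((m - 1) * digit_bits)) // v_top)
        while q_e * v > window:                                  # data-dependent loop
            q_e -= 1
            decrements += 1
        rem -= (q_e * v) << (j * digit_bits)
    return rem >> shift, decrements


def reduce_fixed(r, n, r_bits, digit_bits, rounds=2):
    """Same arithmetic, but every quotient digit gets exactly `rounds` correction
    steps (Knuth's bound for a normalised divisor is q_e - q <= 2) applied via a
    0/1 flag instead of a loop.  Models the shape of a constant-time fix only:
    Python big-int operations are not themselves constant time.
    Returns (k, steps); `steps` must not depend on r."""
    b = 1 << digit_bits
    u, v, shift, m, v_top, j_max = _setup(r, n, r_bits, digit_bits)
    rem, steps = u, 0
    for j in range(j_max, -1, -1):
        window = rem >> (j * digit_bits)
        q_e = min(b - 1, (window >> ((m - 1) * digit_bits)) // v_top)
        for _ in range(rounds):
            too_big = int(q_e * v > window)                      # 0 or 1, always evaluated
            q_e -= too_big
            steps += 1
        rem -= (q_e * v) << (j * digit_bits)
    return rem >> shift, steps


def leak_profile(n, r_bits, digit_bits, samples, seed=1):
    """Group the top byte of k by the observed decrement count.
    Returns {decrements: (group size, mean top byte of k)}; if the groups have
    different means, the observable tells an attacker something about k's MSBs."""
    rng = random.Random(seed)
    top_shift = n.bit_length() - 8
    groups = defaultdict(list)
    for _ in range(samples):
        r = rng.getrandbits(r_bits)                              # constructed sample of raw r
        k, d = reduce_trial(r, n, r_bits, digit_bits)
        groups[d].append(k >> top_shift)
    return {d: (len(v), sum(v) / len(v)) for d, v in sorted(groups.items())}


def self_check(n, r_bits, digit_bits, samples, seed=2):
    """Both reductions must agree with Python's r % n and the fixed variant must use
    the same step count for every r.  Returns (all_correct, set of step counts)."""
    rng = random.Random(seed)
    ok, step_counts = True, set()
    for _ in range(samples):
        r = rng.getrandbits(r_bits)
        k1, _ = reduce_trial(r, n, r_bits, digit_bits)
        k2, steps = reduce_fixed(r, n, r_bits, digit_bits)
        ok = ok and k1 == r % n and k2 == r % n
        step_counts.add(steps)
    return ok, step_counts


if __name__ == "__main__":
    for d, (size, mean_top) in leak_profile(TOY_N, 32, 8, 4000).items():
        print(f"decrements={d}: {size:5d} samples, mean top byte of k = {mean_top:.1f}")
    print("secp160r1 self-check (correct, step counts):", self_check(SECP160R1_N, 168, 64, 500))
```

Running the block prints, for the toy modulus, one line per observed decrement count with the group size and the mean of k's top byte in that group; with the real library the "counter" is whatever the attacker can observe about the loop (branch trace, cache or timing), and the partition of k by that observable is what the lattice attack mentioned in the CVE text consumes. The fixed-iteration variant is the same arithmetic with a data-independent step count, which is the property to verify in a fix, e.g. by asserting that self_check() reports a single step count.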

