oss-sec mailing list archives

Re: CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures


From: Billy Brumley <bbrumley () gmail com>
Date: Fri, 9 Nov 2018 18:41:23 +0200

Could you please confirm the following commits are sufficient to fix CVE-2018-5407?


Elliptic curve scalar multiplication with timing attack defenses (CVE-2018-5407)
https://git.openssl.org/?p=openssl.git;a=commit;h=aab7c770353b1dc4ba045938c8fb446dd1c4531e

Address code style comments
https://git.openssl.org/?p=openssl.git;a=commit;h=f06437c751d6f6ec7f4176518e2897f44dd58eb0

ladder description: why it works
https://git.openssl.org/?p=openssl.git;a=commit;h=33588c930d39d67d1128794dc7c85bae71af24ad

Pass through
https://git.openssl.org/?p=openssl.git;a=commit;h=f916a735bcdce496cebc7653a8ad2e72b333405a

Move up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case
https://git.openssl.org/?p=openssl.git;a=commit;h=b43ad53119c0ac2ecfa6e4356210ccda57e0d16b

Remove superfluous NULL checks. Add Andy's BN_FLG comment.
https://git.openssl.org/?p=openssl.git;a=commit;h=2172133d0dc58256bf776da074c0d1944fef15cb

It's a good start! But it's more than that. But it's Friday night so
it'll have to wait until Monday.

BBB

