[Buildroot] [PATCH 1/1] package/cryptopp: security bump to version 8.3.0
Peter Korsgaard
peter at korsgaard.com
Tue Dec 22 10:53:44 UTC 2020
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> - Fix CVE-2019-14318: Crypto++ 8.3.0 and earlier contains a timing side
> channel in ECDSA signature generation. This allows a local or remote
> attacker, able to measure the duration of hundreds to thousands of
> signing operations, to compute the private key used. The issue occurs
> because scalar multiplication in ecp.cpp (prime field curves, small
> leakage) and algebra.cpp (binary field curves, large leakage) is not
> constant time and leaks the bit length of the scalar among other
> information.
> - Update license hash due to the addition of ARM SHA1 and SHA256 asm
> implementation from Cryptogams
> https://github.com/weidai11/cryptopp/commit/1a63112faf5af60e0ebcc60654eef806e7f6f11a
> https://github.com/weidai11/cryptopp/commit/4c9ca6b723b5ec5aab7eec720ad4d22598abe941
> https://www.cryptopp.com/release830.html
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Committed to 2020.02.x, 2020.08.x and 2020.11.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list