Package: opencryptoki
X-Debbugs-CC: t...@security.debian.org, debian-...@lists.debian.org
Severity: grave
Tags: security

Hi,

I'm part of the Debian LTS Team and I'm checking CVE-2024-0914 ("Marvin Attack") reported last year:

CVE-2024-0914[0]:
| A timing side-channel vulnerability has been discovered in the
| opencryptoki package while processing RSA PKCS#1 v1.5 padded
| ciphertexts. This flaw could potentially enable unauthorized RSA
| ciphertext decryption or signing, even without access to the
| corresponding private key.

[0] https://security-tracker.debian.org/tracker/CVE-2024-0914
    https://www.cve.org/CVERecord?id=CVE-2024-0914

Is there any plan to fix this in bookworm, or do we want to ignore this vulnerability?
The LTS Team can help with this.

Checking
https://github.com/opencryptoki/opencryptoki/issues/731#issuecomment-1851436555
we'd probably need to backport a few prerequisites that harden constant-time operations.

Backporting 3.23 could be another option. AFAICS the only reverse dependency is tpm-tools.

What do you think?

Cheers!
Sylvain Beucler
Debian LTS Team
