oss-sec mailing list archives
Re: OpenSSL: bug in modular exponentiation
From: zugtprgfwprz () spornkuller de
Date: Thu, 22 Mar 2018 13:09:29 +0100
Hi Guido, On 20.03.2018 22:34, Guido Vranken wrote:
My bignum fuzzer (https://github.com/guidovranken/bignum-fuzzer) running on Google's oss-fuzz recently found a bug in affecting constant-time modular exponentiation.
Interesting -- could you confirm that the effect of this bug is a miscalculation? Or is it breaking the constant-time assertion?
OpenSSL does not treat this as a security vulnerability. This is a heads-up to developers who rely on the affected code so they can review the impact on their applications on a case-by-case basis.
Do you have a pointer as to where this was discussed? Do you consider it a security vulnerability? Can you give advice to developers of how to mitigate this kind of issue? Is it regarded a WONTFIX by OpenSSL or is it going to be fixed (just not treated as security-criticial)? If so, do you know the fix version? Cheers and best regards, Johannes
Current thread:
- OpenSSL: bug in modular exponentiation Guido Vranken (Mar 20)
- Re: OpenSSL: bug in modular exponentiation zugtprgfwprz (Mar 22)
- Re: OpenSSL: bug in modular exponentiation Guido Vranken (Mar 22)
- Re: OpenSSL: bug in modular exponentiation zugtprgfwprz (Mar 22)