[Pkg-rust-maintainers] Bug#1057096: rust-rsa: CVE-2023-49092: RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels

Sat Oct 26 07:05:22 BST 2024

Control: affects 1057096 + rsopv

On Wed 2023-11-29 17:27:15 +0100, Salvatore Bonaccorso wrote:
> The following vulnerability was published for rust-rsa.
>
> CVE-2023-49092[0]:

My understanding is that we have other instances of the MARVIN attack
available in debian which have not yet been solved.  Those other
instances are *not* marked with an RC-critical severity.

For example, #1065683 is timing leakage for RSA decryption with
libgcrypt, and #1068418 is timing leakage for RSA decryption with
rust-openssl.  Both are severity: important, but 1057096 is severity:
grave, which is keeping rust-rsa from migrating to testing.

I would also like to see sidechannel-resistant RSA more widely
available, but i'm not sure what we gain from having the severity of
this bug elevated beyond the severity of the other issues.  In practice,
this is also keeping the non-affected parts of rust-rsa from being able
to migrate.

For example, this severity means that rsopv (a Rust implementation of
the signature-verification-only subset of the Stateless OpenPGP CLI)
cannot migrate into testing. (i've marked this bug as Affects: rsopv to
make this clear).  rsopv doesn't even implement RSA decryption.

Salvatore, would you object to setting the severity of this bug from
"grave" to "important", in line with the other MARVIN-related bug
reports?

  --dkg

PS I note that rust-rsa's upstream is indeed working on fixing this, but
   it hasn't been released yet, and i don't know when it will be:

   https://github.com/RustCrypto/RSA/pull/394
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 324 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20241026/d8a5dac6/attachment.sig>