[Pkg-rust-maintainers] Bug#1057096: rust-rsa: CVE-2023-49092: RUSTSEC-2023-0071: Marvin Attack: potential key recovery through timing sidechannels

Daniel Kahn Gillmor dkg at debian.org
Sun Oct 27 16:29:13 GMT 2024 

Control: severity 1057096 important

Hi Salvatore--

On Sat 2024-10-26 09:12:47 +0200, Salvatore Bonaccorso wrote:
> On Sat, Oct 26, 2024 at 02:05:22AM -0400, Daniel Kahn Gillmor wrote:
>> Control: affects 1057096 + rsopv
 […]
>> For example, this severity means that rsopv (a Rust implementation of
>> the signature-verification-only subset of the Stateless OpenPGP CLI)
>> cannot migrate into testing. (i've marked this bug as Affects: rsopv to
>> make this clear).  rsopv doesn't even implement RSA decryption.

> Thanks for asking. I can explain. Yes the other are not at RC level,
> the reason behind this was, the package is new and was not yet in a
> stable release, so aim to have it without the issue in trixie or not
> in trixie.

I understand this reasoning, and i sympathize.  But the side effect
seems to be that other, unaffected benficial uses of RSA (e.g. signature
verification) are blocked from entering Trixie, while Trixie remains
shipping similarly risky code from other toolkits.  (and by "similarly
risky" i mean "problematic in a programmatic, automated setting where an
oracle has access to ~microsecond timing information during decryption").

> I will not object if you plan to lower the severity, but it would have
> been nice to not introduce the package in trixie release once stable
> with the issue.

I agree, and i will continue pushing on rust-rsa upstream to adopt
constant-time code.  Maybe they can even land it in time for trixie,
which would be great!

But i'm reducing the severity from grave to important (in parity with
other codebases with the same problem) so that trixie could have the
benefit code making use of other (non-vulnerable) aspects of RSA.

Thanks for talking this over, and for all the work you do to keep Debian
in good health.  If you (or anyone on the security team) end up changing
your mind and decide that this is the wrong decision, and you want to
set the severity back to grave, i won't object.

All the best,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 324 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20241027/5b310bbb/attachment-0001.sig>

More information about the Pkg-rust-maintainers mailing list