
Issue 846296

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 30
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




CrOS: Vulnerability reported in dev-libs/openssl

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, May 24 2018

Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: dev-libs/openssl
Package Version: [cpe:/a:openssl:openssl:1.0.2n]

Advisory: CVE-2018-0737
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2018-0737
  CVSS severity score: 4.3/10.0
  Confidence: high
  Description:

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
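The advisory above is actionable only once you know whether a given build falls inside the affected ranges (1.0.2b through 1.0.2o and 1.1.0 through 1.1.0h). The following script is an added triage helper, not part of the bug or of any Chrome OS tooling: it parses the OpenSSL version out of a CPE string like the one in the report or out of `openssl version` output, and compares it against the ranges quoted from the advisory text. The affected ranges and sample inputs are taken from, or constructed to match, the advisory; nothing else is assumed.

```python
import re

# Affected ranges quoted from the CVE-2018-0737 advisory text (inclusive bounds).
# 1.0.2p and 1.1.0i are the first fixed releases in their branches.
AFFECTED_RANGES = [
    ("1.0.2b", "1.0.2o"),
    ("1.1.0", "1.1.0h"),
]

# Matches "1.0.2n", "1.1.0" or "1.0.2za" inside a CPE string or a banner;
# trailing text such as "-fips" or a build date is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn an OpenSSL 1.x version string into a comparable tuple.

    The patch letter is compared as a plain string, so "" < "a" < "b" < ... < "z" < "za",
    which is the order OpenSSL used for 1.0.2 and 1.1.0 patch releases.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("not an OpenSSL 1.x version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_affected(version_text, ranges=AFFECTED_RANGES):
    """Return True if the version lies inside any advisory range (inclusive)."""
    v = parse_version(version_text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(cpe_or_banner):
    """One-line verdict for a CPE string (as in the bug report) or `openssl version` output."""
    v = parse_version(cpe_or_banner)
    label = "%d.%d.%d%s" % v
    status = "AFFECTED" if is_affected(cpe_or_banner) else "not affected"
    return "%s: %s by CVE-2018-0737" % (label, status)


if __name__ == "__main__":
    # Constructed sample inputs: the CPE from the bug report plus banners in the
    # shape `openssl version` prints (constructed here, not captured from a host).
    for sample in ("cpe:/a:openssl:openssl:1.0.2n",
                   "OpenSSL 1.0.2p  14 Aug 2018",
                   "OpenSSL 1.1.0h  27 Mar 2018",
                   "OpenSSL 1.1.0i  14 Aug 2018"):
        print(triage(sample))
```

A version check like this is a heuristic, not proof: a distribution that backports the fix without bumping the version string (or, conversely, a build that bundles its own older OpenSSL, as the Android discussion later in this bug notes) will be misjudged, so confirm against the package's actual patch set before closing a finding.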


 
Components: OS>Packages
Labels: -ComponentOSKernel Security_Severity-Medium
Owner: adityakali@google.com
Status: Assigned (was: Untriaged)
Labels: M-68 Security_Impact-Stable
Owner: rkolchmeyer@google.com
Duplicate of b/80231449.
Assigning to rkolchmeyer@ (our current security oncall).
Cc: adityakali@google.com

Comment 5 by vapier@chromium.org, May 25 2018

Cc: sawlani@chromium.org
we're updating to 1.0.2o here:
  https://chromium-review.googlesource.com/1048867

but the fix is going to be in 1.0.2p which isn't yet released. not sure we need to backport the patch by hand? just wait for the release?
At least for Chrome OS proper, given that it's not trivial for attackers to gain native code execution (which I assume would be needed to perform reliably cache timing), this doesn't seem super severe. Malicious Android apps might be a vector, at least for targeted attacks? Still requires the user to install the malicious app.

Bottom line: IMHO waiting for 1.0.2p release is reasonable.

Comment 7 by vapier@chromium.org, May 25 2018

upgrading OpenSSL in CrOS wouldn't matter to Android as they ship their own stuff, and random apps also bundle their own code

native OpenSSL matters more to groups like COS for the reasons Mattias noted
Android could mount a cache timing attack against key generation taking place on the Chrome OS side though, so it is relevant as an attack vector.
Project Member

Comment 9 by sheriffbot@chromium.org, May 25 2018

Labels: -Pri-2 Pri-1
Given that OpenSSL considers this to be low severity (https://www.openssl.org/news/secadv/20180416.txt), I think it should probably be ok to wait for the next OpenSSL release.
Project Member

Comment 11 by sheriffbot@chromium.org, Jun 9 2018

rkolchmeyer: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
OpenSSL 1.0.2p has not yet been released (1.0.2 release notes can be seen here https://www.openssl.org/news/openssl-1.0.2-notes.html). Still waiting for 1.0.2p to be released.
Project Member

Comment 13 by sheriffbot@chromium.org, Jun 26 2018

rkolchmeyer: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
1.0.2p is still not released as of now.
For the current change log see: https://www.openssl.org/news/cl102.txt
Would it make sense to just backport the patch?
Owner: wonderfly@google.com
1.0.2p has been released. wonderfly@ is working on the update: b/80231449
Cc: rkolchmeyer@google.com
Yes, https://crrev.com/c/1185894 in CQ.
Cool, feel free to close this once that lands.
Forgot to attach this bug on the CL, but it's been merged to head (m70). https://crrev.com/c/1185894

I am going to work on backporting it to M69, which as per COS' security policy is enough. Do you want it in M68 for CrOS?
Project Member

Comment 20 by bugdroid1@chromium.org, Aug 30

Labels: merge-merged-release-R69-10895.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/a80cec4bb03a57e5de6be77635c3f41d748195e4

commit a80cec4bb03a57e5de6be77635c3f41d748195e4
Author: Daniel Wang <wonderfly@google.com>
Date: Thu Aug 30 03:28:22 2018

openssl: version bump to 1.0.2p

BUG=b:80231449,b:112454698, chromium:846296 
TEST=precq passes

Change-Id: Icbd612d53bfc983a7051ea499037ab139213b4b9
Reviewed-on: https://chromium-review.googlesource.com/1185894
Commit-Ready: Daniel Wang <wonderfly@google.com>
Tested-by: Daniel Wang <wonderfly@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
(cherry picked from commit cd4c4ae3baf80feb319b5307d114bcc673b61f3d)
Reviewed-on: https://chromium-review.googlesource.com/1196123
Commit-Queue: Daniel Wang <wonderfly@google.com>

[add] https://crrev.com/a80cec4bb03a57e5de6be77635c3f41d748195e4/dev-libs/openssl/openssl-1.0.2p-r1.ebuild
[rename] https://crrev.com/a80cec4bb03a57e5de6be77635c3f41d748195e4/dev-libs/openssl/openssl-1.0.2p.ebuild
[modify] https://crrev.com/a80cec4bb03a57e5de6be77635c3f41d748195e4/dev-libs/openssl/Manifest

Cc: -sawlani@chromium.org wonderfly@google.com sawlani@google.com
Owner: jorgelo@chromium.org
Landed in M69. I'll let Jorge decide whether this needs to go in M68.
Status: Fixed (was: Assigned)
I don't think infoleak needs to be patched beyond 69, given how close we're to 69.
Project Member

Comment 23 by sheriffbot@chromium.org, Aug 31

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 24 by sheriffbot@chromium.org, Dec 7

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
