From: Ludovic Courtès
To: 47222@debbugs.gnu.org
Cc: Mark H Weaver, Leo Famulari
Subject: Re: bug#47222: Serious bug in Nettle's ecdsa_verify
Date: Fri, 16 Apr 2021 22:46:50 +0200

Hi!

(- Niels, - nettle-bugs)

nisse@lysator.liu.se (Niels Möller) wrote:

> Ludovic Courtès writes:
>
>> Are there plans to make a new 3.5 release including these fixes?
>
> No, I don't plan any 3.5.x release.
>
>> Alternatively, could you provide guidance as to which commits should be
>> cherry-picked in 3.5 for downstream distros?
>
> Look at the branch release-3.7-fixes
> (https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/).
> The commits since 3.7.1 are the ones you need.
>
> Changes to gostdsa and ed448 will not apply, since those curves didn't
> exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
> refactoring when adding ed448.

I confirm these patches don’t apply, and I’m not comfortable fiddling
with that.

Leo and I checked and found that Debian doesn’t have 3.5. Do other
distros have backports of these patches to 3.5?

If not, our options are:

  1. to invest in the backport ourselves, with good peer review, ideally
     getting it stamped by Niels & co;

  2. to wait until a full rebuild has come.

It’s not an ideal situation.

Thoughts?

Ludo’.