CVE-2018-20187

NameCVE-2018-20187
DescriptionA side-channel issue was discovered in Botan before 2.9.0. An attacker capable of precisely measuring the time taken for ECC key generation may be able to derive information about the high bits of the secret key, as the function to derive the public point from the secret scalar uses an unblinded Montgomery ladder whose loop iteration count depends on the bitlength of the secret. This issue affects only key generation, not ECDSA signatures or ECDH key agreement.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs918732

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
botan (PTS)buster2.9.0-2fixed
bullseye2.17.3+dfsg-2fixed
bookworm2.19.3+dfsg-1fixed
sid, trixie2.19.4+dfsg-1fixed
botan1.10 (PTS)jessie, jessie (lts)1.10.8-2+deb8u2fixed
stretch (security), stretch (lts), stretch1.10.17-1+deb9u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
botansourceexperimental2.9.0-1
botansource(unstable)2.9.0-2918732
botan1.10source(unstable)(not affected)

Notes

- botan1.10 <not-affected> (Vulnerable code introduced in 1.11.20)
https://github.com/randombit/botan/pull/1792
https://github.com/randombit/botan/commit/70aa7303acfff9eefc24598c289a84db3579ebd1
Search for package or bug name: Reporting problems