Bug 1217634

Summary: VUL-0: CVE-2023-49092: atuin: RustCrypto/RSA: Marvin Attack - potential key recovery through timing sidechannels
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Carlos López <carlos.lopez>
Component: Security
Assignee: Soc Virnyl Estela <uncomfy+openbuildservice>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez, filippo.bonazzi, security-team, smash_bz
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/386375/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1217629    
Bug Blocks:    

Description Carlos López 2023-11-29 09:31:44 UTC
+++ This bug was initially created as a clone of Bug #1217629 +++

RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a
non-constant-time implementation, information about the private key is leaked
through timing information which is observable over the network. An attacker may
be able to use that information to recover the key. There is currently no fix
available. As a workaround, avoid using the RSA crate in settings where
attackers are able to observe timing information, e.g. local use on a
non-compromised computer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49092
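
Added triage example (not part of the original report, and not code from SUSE, atuin or RustCrypto): since no fixed rsa crate exists to compare versions against, the useful check for a package such as atuin is which dependency chains in its Cargo.lock pull in the rsa crate at all. The lock-file excerpt is constructed; "example-db-client" and all version numbers are made up.

```python
import re
from collections import defaultdict
# Constructed Cargo.lock excerpt; "example-db-client" and all versions are made up.
SAMPLE_LOCK = '''\
[[package]]
name = "atuin"
version = "0.0.0"
dependencies = [
 "example-db-client",
]
[[package]]
name = "example-db-client"
version = "0.0.0"
dependencies = [
 "rsa 0.0.0",
]
[[package]]
name = "rsa"
version = "0.0.0"
'''

def parse_lock(text):
    """Return {package name: set of direct dependency names}."""
    deps = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        m = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        # Entries are "name" or "name version (source)"; keep only the name.
        entries = re.findall(r'"([^"]+)"', m.group(1)) if m else []
        deps.setdefault(name, set()).update(e.split()[0] for e in entries)
    return deps

def paths_to(deps, target):
    """Dependency chains from top-level packages down to target."""
    parents = defaultdict(set)
    for pkg, ds in deps.items():
        for d in ds:
            parents[d].add(pkg)
    found = []
    def walk(node, chain):
        chain = [node] + chain
        ups = parents.get(node, set()) - set(chain)  # skip cycles
        if not ups:  # nothing (new) depends on node: chain is complete
            found.append(chain)
        for up in sorted(ups):
            walk(up, chain)
    if target in deps:
        walk(target, [])
    return found
```

An empty result from paths_to(deps, "rsa") means the lock file does not include the crate; a non-empty one lists the intermediate crates to review for network-observable RSA operations.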