Bug 961357

Summary: VUL-0: CVE-2015-7575: chromium: boringssl: Security Losses from Obsolete and Truncated Transcript Hashes
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Tomáš Chvátal <tchvatal>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: forgotten_sM9JzehKpy, jsegitz, meissner, security-team, tchvatal
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: openSUSE 42.1
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 960996

Description Andreas Stieger 2016-01-11 13:54:51 UTC
+++ This bug was initially created as a clone of Bug #960996 +++

Karthikeyan Bhargavan and Gaetan Leurent identified a new class of transcript collision attacks on popular cryptographic protocols such as TLS, IKE, and SSH, that significantly reduce their expected security. 

http://www.mitls.org/pages/attacks/SLOTH
SLOTH - Security Losses from Obsolete and Truncated Transcript Hashes

Technical Paper: Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH, Karthikeyan Bhargavan and Gaetan Leurent, Network and Distributed System Security Symposium (NDSS 2016)
http://www.mitls.org/downloads/transcript-collisions.pdf

CVE-2015-7575 "assigned protocol level CVE"

This bug applies to boringssl, as bundled in Chromium:
./chromium-47.0.2526.106/third_party/boringssl/src/ssl/t1_lib.c

> const EVP_MD *tls12_get_hash(uint8_t hash_alg) {
>   switch (hash_alg) {
>     case TLSEXT_hash_md5:
>       return EVP_md5();
> /* ... */
> }


The equivalent OpenSSL fix:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5e1ff664f95ab4c9176b3e86b5111e5777bad61a;hp=833a896681b3287e5ab9c01f4f0234691f4076a8
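The fix tracked here is to stop treating MD5 as a negotiable hash for TLS 1.2 handshake signatures. As an added illustration that is not code from boringssl, Chromium or the OpenSSL commit above, the following hypothetical server-side sigalg chooser parses a signature_algorithms list and refuses the md5 pairs; the TLS_HASH_* / TLS_SIG_* names and the two demo functions are assumed names for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* TLS 1.2 HashAlgorithm / SignatureAlgorithm ids (RFC 5246, section 7.4.1.4.1). */
enum { TLS_HASH_MD5 = 1, TLS_HASH_SHA1 = 2, TLS_HASH_SHA224 = 3,
       TLS_HASH_SHA256 = 4, TLS_HASH_SHA384 = 5, TLS_HASH_SHA512 = 6 };
enum { TLS_SIG_RSA = 1, TLS_SIG_DSA = 2, TLS_SIG_ECDSA = 3 };

/* Handshake-signature hash policy. MD5 is refused outright: a chosen-prefix MD5
 * collision on the transcript (SLOTH) lets a signature be reused, so it must not be
 * negotiable even if offered. Other RFC 5246 hashes stay, matching the "skip md5" fix. */
static int tls12_hash_acceptable(uint8_t hash_alg) {
    switch (hash_alg) {
        case TLS_HASH_SHA1:   case TLS_HASH_SHA224: case TLS_HASH_SHA256:
        case TLS_HASH_SHA384: case TLS_HASH_SHA512:
            return 1;
        default:    /* TLS_HASH_MD5, none (0) and unknown ids */
            return 0;
    }
}

/* Walk a signature_algorithms extension body (2-byte list length, then
 * {hash, signature} pairs) and pick the first pair usable with a key of type
 * our_sig. Returns 1 and fills out[]; returns 0 for a malformed list or when no
 * acceptable pair exists, where the handshake must fail rather than downgrade. */
static int tls12_choose_sigalg(const uint8_t *ext, size_t ext_len,
                               uint8_t our_sig, uint8_t out[2]) {
    if (ext_len < 2) return 0;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 != ext_len || list_len % 2 != 0) return 0;
    for (size_t i = 2; i + 1 < ext_len; i += 2) {
        if (ext[i + 1] != our_sig || !tls12_hash_acceptable(ext[i])) continue;
        out[0] = ext[i]; out[1] = ext[i + 1];
        return 1;
    }
    return 0;
}
/* Constructed sample offers (not captured traffic); each returns the chosen
 * hash id, or 0 when nothing acceptable remains. */
static int demo_mixed_offer(void) {     /* md5/rsa, sha256/rsa, sha1/rsa */
    static const uint8_t ext[] = {0x00, 0x06, 1, 1, 4, 1, 2, 1};
    uint8_t out[2];
    return tls12_choose_sigalg(ext, sizeof ext, TLS_SIG_RSA, out) ? out[0] : 0;
}
static int demo_md5_only_offer(void) {  /* peer offers only md5/rsa */
    static const uint8_t ext[] = {0x00, 0x02, 1, 1};
    uint8_t out[2];
    return tls12_choose_sigalg(ext, sizeof ext, TLS_SIG_RSA, out) ? out[0] : 0;
}
```

A peer that lists md5/rsa first still ends up with sha256/rsa, and a peer that offers nothing but md5 gets no algorithm at all, which is the intended outcome rather than a silent downgrade.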
Comment 1 Swamp Workflow Management 2016-01-11 23:00:43 UTC
bugbot adjusting priority
Comment 2 Tomáš Chvátal 2016-11-06 09:19:45 UTC
Seems this was fixed in the meantime...
At least I can't find it in the chromium-56 code...
Could you please verify?
Comment 3 Marcus Meissner 2016-11-07 14:42:47 UTC
Code looks a bit different, but it explicitly skips md5 as signature alg -> considered fixed.