Bug 1135368 - (CVE-2019-11840) VUL-0: CVE-2019-11840: snapd: Keystream loop in amd64 assembly when overflowing 32-bit counter
VUL-0: CVE-2019-11840: snapd: Keystream loop in amd64 assembly when overflowi...
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 42.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Zygmunt Krynicki
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2019-05-16 14:15 UTC by Alexandros Toptsoglou
Modified: 2019-05-17 05:26 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2019-05-16 14:15:56 UTC

A flaw was found in  the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Upstream patch:




Comment 1 Alexandros Toptsoglou 2019-05-16 14:16:49 UTC
It seems that that snapd bundles salsa20
Comment 2 Alexandros Toptsoglou 2019-05-16 21:27:54 UTC
see also bsc#1135416
Comment 3 Zygmunt Krynicki 2019-05-17 05:26:36 UTC
The following text contains an analysis of the the impact of the CVE on snapd. The analysis was performed by Jamie Strandboge.

 jdstrand> snapd contains an embedded copy of golang-go.crypto with the
  affected code
 jdstrand> snapd doesn't import/use the salsa code directly, but does vendor
  golang-gopkg-macaroon.v1, which imports golang.org/x/crypto/nacl/secretbox
  which does import salsa and contains the affected salsa2020XORKeyStream.
  snapd uses secretbox.Open() and secretbox.Seal(), both of which use
  salsa.XORKeyStream() (which wraps salsa2020XORKeyStream) via the internal
  decrypt() and encrypt() functions, respectively. In macaroon.v1, encrypt() is
  only used via AddThirdPartyCaveat() and decrypt() via Verify().
  overlord/auth/auth.go in snapd uses Verify() in CheckMacaroon(),
  daemon/api.go uses CheckMacaroon() in UserFromRequest(), which is called by
  ServeHTTP(), the service used to process snap commands from the local system
  to the local snapd. This CVE does not affect decrypt() operations.
  AddThirdPartyCaveat() is only used in unit tests, but not in the binaries of
  snapd builds.
  For snapd, ignoring since only encryption operations (ie, secretbox.Seal())
  are affected with regard to loss of confidentiality/predictability and this
  function is only ever (ultimately) called via the snapd unit tests.

The embedded copy of the affected libraries will be refreshed in the next scheduled release (2.39.1).