CVE-2024-0914

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.

References

Affected packages

Debian:11 / opencryptoki

Package

Name: opencryptoki
Purl: pkg:deb/debian/opencryptoki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.1+dfsg-3.2

3.23.0+dfsg-0.1

3.23.0+dfsg-0.2

3.23.0+dfsg-0.3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / opencryptoki

Package

Name: opencryptoki
Purl: pkg:deb/debian/opencryptoki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.1+dfsg-3.2

3.23.0+dfsg-0.1

3.23.0+dfsg-0.2

3.23.0+dfsg-0.3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / opencryptoki

Package

Name: opencryptoki
Purl: pkg:deb/debian/opencryptoki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.23.0+dfsg-0.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/opencryptoki/opencryptoki

Affected ranges

Type: GIT
Repo: https://github.com/opencryptoki/opencryptoki
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

32ab06ccecc9961fa8b6c73ba5e268df379375d4

Affected versions

v2.*

v2.3.2

v2.3.3

v2.4.3

v2.4.3.1

v3.*

v3.0

v3.1

v3.10.0

v3.11.0

v3.11.1

v3.12.0

v3.12.1

v3.13.0

v3.14.0

v3.15.0

v3.15.1

v3.16.0

v3.17.0

v3.18.0

v3.19.0

v3.2

v3.20.0

v3.21.0

v3.22.0

v3.3

v3.4

v3.4.1

v3.5

v3.6

v3.6.1

v3.6.2

v3.7.0

v3.8.0

v3.8.1

v3.8.2

v3.9.0