#1104729 opencryptoki: CVE-2024-0914

Package:
opencryptoki
Source:
opencryptoki
Description:
PKCS#11 implementation (daemon)
Submitter:
Sylvain Beucler
Date:
2025-06-20 07:37:02 UTC
Severity:
normal
Tags:
#1104729#5
Date:
2025-05-05 11:10:13 UTC
From:
To:
Hi,

I'm part of the Debian LTS Team and I'm checking CVE-2024-0914 ("Marvin
Attack") reported last year:

CVE-2024-0914[0]:
| A timing side-channel vulnerability has been discovered in the
| opencryptoki package while processing RSA PKCS#1 v1.5 padded
| ciphertexts. This flaw could potentially enable unauthorized RSA
| ciphertext decryption or signing, even without access to the
| corresponding private key.

[0] https://security-tracker.debian.org/tracker/CVE-2024-0914
https://www.cve.org/CVERecord?id=CVE-2024-0914

Is there any plan to fix this in bookworm, or do we want to ignore this
vulnerability?
The LTS Team can help with this.

Checking
https://github.com/opencryptoki/opencryptoki/issues/731#issuecomment-1851436555
we'd probably need to backport a few pre-requisites that harden
constant-time operations.

Backporting 3.23 could be another option. AFAICS the only reverse
dependency is tpm-tools.

What do you think?

Cheers!
Sylvain Beucler
Debian LTS Team

#1104729#16
Date:
2025-06-20 07:29:45 UTC
From:
To:
Hello Paulo,

Do you have an opinion on this? :)

Cheers!
Sylvain Beucler
Debian LTS Team