Add changelog entry for mbedtls_mpi_write_binary fix

commit: c12113a61aab40aba365f5d6abbf971ba52dc6b8 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Thu Nov 29 12:46:05 2018 +0100
committer: Gilles Peskine <Gilles.Peskine@arm.com> Thu Nov 29 12:47:52 2018 +0100
tree: ff8e22896adcae8d5fd86958e74a10f7e871e236
parent: cc47d6c595ba6bb7e15713abe0b9361bf663bb97 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index a60799d..d336808 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -9,6 +9,13 @@
      RSA decryption (i.e. ciphersuites whose name contains RSA but not
      (EC)DH(E)). Reported by Eyal Ronen, Robert Gillham, Daniel Genkin, Adi
      Shamir, David Wong and Yuval Yarom. CVE-2018-19608
+   * In mbedtls_mpi_write_binary(), don't leak the exact size of the number
+     via branching and memory access patterns. An attacker who could submit
+     a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
+     of the decryption and not its result could nonetheless decrypt RSA
+     plaintexts and forge RSA signatures. Other asymmetric algorithms may
+     have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
+     Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
 
 Bugfix
     * Fix failure in hmac_drbg in the benchmark sample application, when
commit	c12113a61aab40aba365f5d6abbf971ba52dc6b8	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Nov 29 12:46:05 2018 +0100
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Nov 29 12:47:52 2018 +0100
tree	ff8e22896adcae8d5fd86958e74a10f7e871e236
parent	cc47d6c595ba6bb7e15713abe0b9361bf663bb97 [diff] [blame]