Description: A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EdDSA and ECDSA) result in the Elliptic Curve Cryptography (ECC) point multiply function being called with out-of-range scalars, possibly producing incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 985652
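The defect the description refers to is that a scalar derived during verification reached the ECC point multiply without being fully reduced modulo the group order. The following is an added illustration, not Nettle's code and not from the Debian tracker: a toy ECDSA verifier over secp256k1 in which the point multiply asserts that its scalar is canonically reduced (the contract the upstream fix restores with ecc_mod_mul_canonical), and the signature components r and s are range-checked before any curve arithmetic, so a non-canonical s is rejected up front instead of being fed to the multiply. The key, nonce and message are constructed sample values and the function names are mine; the affine curve arithmetic is textbook and not constant-time, so it is for study only.

```python
import hashlib

# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # a == -b (covers doubling a point with y == 0)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_mul(k, pt):
    """Double-and-add scalar multiply. The scalar must already be canonically
    reduced into [0, N); handing over a larger value is a caller bug, which is
    the class of mistake the Nettle description is about."""
    assert 0 <= k < N, "scalar not canonically reduced"
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def mod_mul_canonical(a, b, m):
    """Product reduced all the way into [0, m) (the 'canonical' form); a lazy
    reduction that leaves the result in [0, 2m) would violate point_mul's
    contract."""
    return (a * b) % m


def message_digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, z, k):
    """Toy signer with caller-supplied nonce k; used only to build test input."""
    assert 1 <= k < N
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    assert r and s
    return (r, s)


def verify(pub, z, sig):
    """Textbook ECDSA verify with explicit input validation."""
    r, s = sig
    # Reject out-of-range components before any field or curve arithmetic.
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1 = mod_mul_canonical(z % N, w, N)  # both scalars are canonical here,
    u2 = mod_mul_canonical(r, w, N)      # so point_mul's assertion holds
    R = point_add(point_mul(u1, G), point_mul(u2, pub))
    return R is not INF and R[0] % N == r


def demo():
    """Constructed key, nonce and message (not from any real deployment)."""
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    k = 0x7A1A7E52797FC8CAAA435D2A4DAC8C6F7B3D8E5E2F1A9C0B8D7E6F5A4B3C2D1E
    pub = point_mul(priv, G)
    z = message_digest(b"constructed sample message")
    sig = sign(priv, z, k)
    r, s = sig
    return {
        "valid": verify(pub, z, sig),
        # s + N encodes the same residue but is not canonical: rejected early.
        "non_canonical_s_rejected": not verify(pub, z, (r, s + N)),
        "wrong_message_rejected": not verify(pub, z ^ 1, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The two places worth copying into a real verifier are the range check on r and s and the assertion in point_mul: together they make a non-canonical scalar fail loudly and early rather than produce a wrong point, which is the failure mode the fixed Nettle release closes.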

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release         Version   Status
nettle (PTS)     stretch         3.3-1     vulnerable
nettle (PTS)     bullseye, sid   3.7.2-3   fixed

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs

[buster] - nettle <no-dsa> (Minor issue)
[stretch] - nettle <postponed> (Minor issue; can be fixed in next update)
New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical:
Use ecc_mod_mul_canonical for point comparison:
Fix bug in ecc_ecdsa_verify:
Ensure ecdsa_sign output is canonically reduced:
Analogous fix to ecc_gostdsa_verify:
Similar fix for eddsa:
Fix canonical reduction in gostdsa_vko: