[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#989421: unblock: libgcrypt20/1.8.7-6

Control: tgs -1 confirmed d-i

On 2021-06-03 13:23:02 +0200, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: libgcrypt20@packages.debian.org
> 
> Please unblock package libgcrypt20.
> 
> Compared to 1.8.7-3 this pulls a 4 commits from 1.8.8, including
> 30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
> (CVE-2021-33560) which fixes weak ElGamal encryption with keys *not*
> generated by libgcrypt/gnupg. It does not warrant a DSA (already
> doublechecked with debian-security) but should still be fixed. I will
> also prepare an upload for buster.

ACK. Cyril, could you please (N)ACK for d-i?

Cheers

> 
> unblock libgcrypt20/1.8.7-6
> 
> cu Andreas
> -- 
> `What a good friend you are to him, Dr. Maturin. His other friends are
> so grateful to you.'
> `I sew his ears on from time to time, sure'

> diff -Nru libgcrypt20-1.8.7/debian/changelog libgcrypt20-1.8.7/debian/changelog
> --- libgcrypt20-1.8.7/debian/changelog	2021-02-14 15:27:13.000000000 +0100
> +++ libgcrypt20-1.8.7/debian/changelog	2021-05-27 18:07:38.000000000 +0200
> @@ -1,3 +1,26 @@
> +libgcrypt20 (1.8.7-6) unstable; urgency=medium
> +
> +  * Update from LIBGCRYPT-1.8-BRANCH:
> +    + 30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
> +
> + -- Andreas Metzler <ametzler@debian.org>  Thu, 27 May 2021 18:07:38 +0200
> +
> +libgcrypt20 (1.8.7-5) unstable; urgency=medium
> +
> +  * Pull fix for ECC decyryption regression (caused by
> +    30_08-ecc-Check-the-input-length-for-the-point.patch) from
> +    LIBGCRYPT-1.8-BRANCH. Closes: #987956
> +
> + -- Andreas Metzler <ametzler@debian.org>  Thu, 06 May 2021 18:06:14 +0200
> +
> +libgcrypt20 (1.8.7-4) unstable; urgency=medium
> +
> +  * Update from LIBGCRYPT-1.8-BRANCH:
> +    + 30_07-Fix-previous-commit.patch
> +    + 30_08-ecc-Check-the-input-length-for-the-point.patch
> +
> + -- Andreas Metzler <ametzler@debian.org>  Sun, 02 May 2021 13:58:47 +0200
> +
>  libgcrypt20 (1.8.7-3) unstable; urgency=medium
>  
>    * Update from LIBGCRYPT-1.8-BRANCH:
> diff -Nru libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch
> --- libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch	2021-05-02 13:52:17.000000000 +0200
> @@ -0,0 +1,41 @@
> +From a5799f1618aaf1bbb52e7e121275228dd4a3ac8b Mon Sep 17 00:00:00 2001
> +From: Werner Koch <wk@gnupg.org>
> +Date: Sun, 14 Feb 2021 18:54:40 +0100
> +Subject: [PATCH 7/8] Fix previous commit
> +
> +* src/global.c (_gcry_get_config): Append the Nul only in the !what
> +case.
> +--
> +
> +Fixes-commit: 3f42f727a0699f7274a99ea39def7f9b4c3b0c1e
> +Actually this was my fault - I stripped off the test which Jussi did in
> +his original fix on master.  And did not run make check.
> +
> +Signed-off-by: Werner Koch <wk@gnupg.org>
> +---
> + src/global.c | 9 +++++++--
> + 1 file changed, 7 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/global.c b/src/global.c
> +index 7d634095..95daedac 100644
> +--- a/src/global.c
> ++++ b/src/global.c
> +@@ -419,8 +419,13 @@ _gcry_get_config (int mode, const char *what)
> + 
> +   print_config (what, fp);
> + 
> +-  /* Make sure the output is null terminated. */
> +-  gpgrt_fwrite ("", 1, 1, fp);
> ++  /* Make sure the output is null terminated if no specific item was
> ++   * requested.  This is needed because tests/version.c expects that
> ++   * the function fails with the !data case below.  For the specific
> ++   * test an extra nul is not required because we always have a LF
> ++   * which is then replaced right at the end of this function.  */
> ++  if (!what)
> ++    gpgrt_fwrite ("", 1, 1, fp);
> + 
> +   if (gpgrt_ferror (fp))
> +     {
> +-- 
> +2.30.2
> +
> diff -Nru libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch
> --- libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch	2021-05-02 13:52:32.000000000 +0200
> @@ -0,0 +1,80 @@
> +From 3f48e3ea37adf84aae7335b8367012d70bb3f132 Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka <gniibe@fsij.org>
> +Date: Tue, 27 Apr 2021 17:24:16 +0900
> +Subject: [PATCH 8/8] ecc: Check the input length for the point.
> +
> +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length
> +of valid point representation.
> +
> +--
> +
> +Backport the commit of master:
> +
> +	060c378c050e7ec6206358c681a313d6e1967dcf
> +
> +In the use case of GnuPG, ECDH decryption for anonymous recipient may
> +try to decrypt with different curves.  When the input data of
> +ephemeral key does not match one of the private key, it should return
> +GPG_ERR_INV_OBJ.
> +
> +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
> +---
> + cipher/ecc-misc.c | 18 ++++++++++++++----
> + 1 file changed, 14 insertions(+), 4 deletions(-)
> +
> +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
> +index 34dd6804..b89dcfa6 100644
> +--- a/cipher/ecc-misc.c
> ++++ b/cipher/ecc-misc.c
> +@@ -294,6 +294,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
> + {
> +   unsigned char *rawmpi;
> +   unsigned int rawmpilen;
> ++  unsigned int nbytes = (ctx->nbits+7)/8;
> + 
> +   if (mpi_is_opaque (pk))
> +     {
> +@@ -305,27 +306,36 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
> +         return GPG_ERR_INV_OBJ;
> +       rawmpilen = (rawmpilen + 7)/8;
> + 
> +-      if (rawmpilen > 1 && (rawmpilen%2) && buf[0] == 0x40)
> ++      if (rawmpilen == nbytes + 1
> ++          && (buf[0] == 0x00 || buf[0] == 0x40))
> +         {
> +           rawmpilen--;
> +           buf++;
> +         }
> ++      else if (rawmpilen > nbytes)
> ++        return GPG_ERR_INV_OBJ;
> + 
> +-      rawmpi = xtrymalloc (rawmpilen? rawmpilen:1);
> ++      rawmpi = xtrymalloc (nbytes);
> +       if (!rawmpi)
> +         return gpg_err_code_from_syserror ();
> + 
> +       p = rawmpi + rawmpilen;
> +       while (p > rawmpi)
> +         *--p = *buf++;
> ++
> ++      if (rawmpilen < nbytes)
> ++        memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen);
> +     }
> +   else
> +     {
> +-      unsigned int nbytes = (ctx->nbits+7)/8;
> +-
> +       rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
> +       if (!rawmpi)
> +         return gpg_err_code_from_syserror ();
> ++      if (rawmpilen > nbytes + 1)
> ++        {
> ++          xfree (rawmpi);
> ++          return GPG_ERR_INV_OBJ;
> ++        }
> +       /*
> +        * It is not reliable to assume that 0x40 means the prefix.
> +        *
> +-- 
> +2.30.2
> +
> diff -Nru libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch
> --- libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch	2021-05-06 18:03:55.000000000 +0200
> @@ -0,0 +1,31 @@
> +From bd662c090bd4a45cc830de9e42e96dd0f8e1f702 Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka <gniibe@fsij.org>
> +Date: Thu, 6 May 2021 12:35:19 +0900
> +Subject: [PATCH] ecc: Fix the previous commit.
> +
> +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition.
> +
> +--
> +
> +GnuPG-bug-id: 5423
> +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
> +---
> + cipher/ecc-misc.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
> +index b89dcfa6..0c387c27 100644
> +--- a/cipher/ecc-misc.c
> ++++ b/cipher/ecc-misc.c
> +@@ -331,7 +331,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
> +       rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
> +       if (!rawmpi)
> +         return gpg_err_code_from_syserror ();
> +-      if (rawmpilen > nbytes + 1)
> ++      if (rawmpilen > nbytes + BYTES_PER_MPI_LIMB)
> +         {
> +           xfree (rawmpi);
> +           return GPG_ERR_INV_OBJ;
> +-- 
> +2.30.2
> +
> diff -Nru libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
> --- libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch	2021-05-27 14:19:07.000000000 +0200
> @@ -0,0 +1,105 @@
> +From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka <gniibe@fsij.org>
> +Date: Fri, 21 May 2021 11:15:07 +0900
> +Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
> +
> +* cipher/elgamal.c (gen_k): Remove support of smaller K.
> +(do_encrypt): Never use smaller K.
> +(sign): Folllow the change of gen_k.
> +
> +--
> +
> +Cherry-pick master commit of:
> +	632d80ef30e13de6926d503aa697f92b5dbfbc5e
> +
> +This change basically reverts encryption changes in two commits:
> +
> +	74386120dad6b3da62db37f7044267c8ef34689b
> +	78531373a342aeb847950f404343a05e36022065
> +
> +Use of smaller K for ephemeral key in ElGamal encryption is only good,
> +when we can guarantee that recipient's key is generated by our
> +implementation (or compatible).
> +
> +For detail, please see:
> +
> +    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
> +    "On the (in)security of ElGamal in OpenPGP";
> +    in the proceedings of  CCS'2021.
> +
> +CVE-id: CVE-2021-33560
> +GnuPG-bug-id: 5328
> +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
> +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
> +---
> + cipher/elgamal.c | 24 ++++++------------------
> + 1 file changed, 6 insertions(+), 18 deletions(-)
> +
> +diff --git a/cipher/elgamal.c b/cipher/elgamal.c
> +index 4eb52d62..ae7a631e 100644
> +--- a/cipher/elgamal.c
> ++++ b/cipher/elgamal.c
> +@@ -66,7 +66,7 @@ static const char *elg_names[] =
> + 
> + 
> + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
> +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
> ++static gcry_mpi_t gen_k (gcry_mpi_t p);
> + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
> +                                  gcry_mpi_t **factors);
> + static int  check_secret_key (ELG_secret_key *sk);
> +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
> + 
> + /****************
> +  * Generate a random secret exponent k from prime p, so that k is
> +- * relatively prime to p-1.  With SMALL_K set, k will be selected for
> +- * better encryption performance - this must never be used signing!
> ++ * relatively prime to p-1.
> +  */
> + static gcry_mpi_t
> +-gen_k( gcry_mpi_t p, int small_k )
> ++gen_k( gcry_mpi_t p )
> + {
> +   gcry_mpi_t k = mpi_alloc_secure( 0 );
> +   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
> +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
> +   unsigned int nbits, nbytes;
> +   char *rndbuf = NULL;
> + 
> +-  if (small_k)
> +-    {
> +-      /* Using a k much lesser than p is sufficient for encryption and
> +-       * it greatly improves the encryption performance.  We use
> +-       * Wiener's table and add a large safety margin. */
> +-      nbits = wiener_map( orig_nbits ) * 3 / 2;
> +-      if( nbits >= orig_nbits )
> +-        BUG();
> +-    }
> +-  else
> +-    nbits = orig_nbits;
> +-
> ++  nbits = orig_nbits;
> + 
> +   nbytes = (nbits+7)/8;
> +   if( DBG_CIPHER )
> +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
> +    * error code.
> +    */
> + 
> +-  k = gen_k( pkey->p, 1 );
> ++  k = gen_k( pkey->p );
> +   mpi_powm (a, pkey->g, k, pkey->p);
> + 
> +   /* b = (y^k * input) mod p
> +@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
> +     *
> +     */
> +     mpi_sub_ui(p_1, p_1, 1);
> +-    k = gen_k( skey->p, 0 /* no small K ! */ );
> ++    k = gen_k( skey->p );
> +     mpi_powm( a, skey->g, k, skey->p );
> +     mpi_mul(t, skey->x, a );
> +     mpi_subm(t, input, t, p_1 );
> +-- 
> +2.30.2
> +
> diff -Nru libgcrypt20-1.8.7/debian/patches/series libgcrypt20-1.8.7/debian/patches/series
> --- libgcrypt20-1.8.7/debian/patches/series	2021-02-14 13:46:10.000000000 +0100
> +++ libgcrypt20-1.8.7/debian/patches/series	2021-05-27 14:19:10.000000000 +0200
> @@ -8,3 +8,7 @@
>  30_04-Fix-ubsan-warnings-for-i386-build.patch
>  30_05-Add-handling-for-Og-with-O-flag-munging.patch
>  30_06-Make-sure-the-grcy_get_config-string-is-always-null-.patch
> +30_07-Fix-previous-commit.patch
> +30_08-ecc-Check-the-input-length-for-the-point.patch
> +30_09-ecc-Fix-the-previous-commit.patch
> +30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch




-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature

Reply to: