[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie

Hello, Guido,

Guido Günther <agx@sigxcpu.org> wrote:
> I just looked into fixing CVE-2017-7526 for gnupg in wheezy. Based on
> https://dev.gnupg.org/D438 I backported what I deemed are the necessary
> patches. Does this look sane? 

I'm not GnuPG package maintainers, but one of upstream developers.
For me, it look sane.

Let me explain patches, just in case.

For GnuPG 2.0 and 2.1, it is fixed by libgcrypt.  In case of GnuPG 1.4,
it is fixed in 1.4.22.

For CVE-2017-7526, what we did is two things.

(1) Same computation

    It's by the commit:
    mpi: Same computation for square and multiply for mpi_pow.

(2) Exponent blinding

    It's D438.

The intention of (1) is to minimize the information to side channel(s).
The intention of (2) is to maximize the noise to side channel(s).

Either of (1) or (2) (or both) can mitigate the attack.  My own response
was (1)-only, but the authors of the paper suggested (2) is recommended.

In 1.4.22, we have both.

(2)-only makes sense.  And, it consists of three patches in GnuPG 1.4,
which is...

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
> @@ -0,0 +1,71 @@
> +From: Marcus Brinkmann <mb@g10code.com>
> +Date: Fri, 7 Jul 2017 21:03:10 +0900
> +Subject: CVE-2017-7526: rsa: Add exponent blinding.

(a) This is a naive port from libgcrypt.

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
> @@ -0,0 +1,53 @@
> +From: NIIBE Yutaka <gniibe@fsij.org>
> +Date: Fri, 7 Jul 2017 21:20:56 +0900
> +Subject: CVE-2017-7526: rsa: Allow different build directory.

(b) This is the fix because the patch (a) breaks building by another

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
> @@ -0,0 +1,46 @@
> +From: NIIBE Yutaka <gniibe@fsij.org>
> +Date: Fri, 7 Jul 2017 21:51:42 +0900
> +Subject: CVE-2017-7526: rsa: Reduce secmem pressure.

(c) This is a particular fix of GnuPG 1.4 over the patch (a).  This is
    important for GnuPG 1.4 to avoid regression.  Without this patch,
    the exponent blinding requires more "secure memory" for the crypto
    computation ("secure memory" is a small memory chunk which cannot be
    swapped out.)  In case of libgcrypt, secure memory handling is more
    robust, but for GnuPG 1.4, it might just fail.  So, I put this
    change.  With this change, it has no more memory pressure.

Reply to: