
Fixing CVE-2017-7526 in gnupg for wheezy / jessie



Dear gnupg maintainers,
I just looked into fixing CVE-2017-7526 for gnupg in wheezy. Based on
https://dev.gnupg.org/D438 I backported what I deemed are the necessary
patches. Does this look sane? 

It'd be great if you could have a look at the attached debdiff. If this
looks sane I'm happy to port things over to jessie as well, as the patches should
apply to that version too.

Cheers,
 -- Guido
diff --git a/debian/changelog b/debian/changelog
index adf00944..d6848d64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+gnupg (1.4.12-7+deb7u9) wheezy-security; urgency=medium
+
+  * Backport fixes for CVE-2017-7526 from STABLE-BRANCH-1-4 branch
+
+ -- Guido Günther <agx@sigxcpu.org>  Mon, 28 Aug 2017 11:59:38 +0200
+
 gnupg (1.4.12-7+deb7u8) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Debian LTS Team.
diff --git a/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch b/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
new file mode 100644
index 00000000..9c98ca5f
--- /dev/null
+++ b/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
@@ -0,0 +1,71 @@
+From: Marcus Brinkmann <mb@g10code.com>
+Date: Fri, 7 Jul 2017 21:03:10 +0900
+Subject: CVE-2017-7526: rsa: Add exponent blinding.
+
+* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
+nonce R for mpi_powm computation.
+
+--
+
+Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.
+
+Signed-off-by: Marcus Brinkmann <mb@g10code.com>
+---
+ cipher/rsa.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index c4d5161..78a6f87 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -29,6 +29,7 @@
+ #include <string.h>
+ #include "util.h"
+ #include "mpi.h"
++#include "../mpi/mpi-internal.h"
+ #include "cipher.h"
+ #include "rsa.h"
+ 
+@@ -325,14 +326,38 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
+ # endif /* USE_BLINDING */
+ 
+     /* RSA secret operation:  */
+-    /* m1 = c ^ (d mod (p-1)) mod p */
++    MPI D_blind = mpi_alloc_secure (nlimbs);
++    MPI rr;
++    unsigned int rr_nbits;
++
++    rr_nbits = mpi_get_nbits (skey->p) / 4;
++    if (rr_nbits < 96)
++      rr_nbits = 96;
++    rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
++
++    /* d_blind = (d mod (p-1)) + (p-1) * r            */
++    /* m1 = c ^ d_blind mod p */
++    randomize_mpi (rr, rr_nbits, 0);
++    mpi_set_highbit (rr, rr_nbits - 1);
+     mpi_sub_ui( h, skey->p, 1  );
++    mpi_mul ( D_blind, h, rr );
+     mpi_fdiv_r( h, skey->d, h );
+-    mpi_powm( m1, input, h, skey->p );
+-    /* m2 = c ^ (d mod (q-1)) mod q */
++    mpi_add ( D_blind, D_blind, h );
++    mpi_powm ( m1, input, D_blind, skey->p );
++
++    /* d_blind = (d mod (q-1)) + (q-1) * r            */
++    /* m2 = c ^ d_blind mod q */
++    randomize_mpi (rr, rr_nbits, 0);
++    mpi_set_highbit (rr, rr_nbits - 1);
+     mpi_sub_ui( h, skey->q, 1  );
++    mpi_mul ( D_blind, h, rr );
+     mpi_fdiv_r( h, skey->d, h );
+-    mpi_powm( m2, input, h, skey->q );
++    mpi_add ( D_blind, D_blind, h );
++    mpi_powm ( m2, input, D_blind, skey->q );
++
++    mpi_free ( rr );
++    mpi_free ( D_blind );
++
+     /* h = u * ( m2 - m1 ) mod q */
+     mpi_sub( h, m2, m1 );
+     if ( mpi_is_neg( h ) )
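Review bot: The new blinding code in secret() gives no rationale for its parameters — `rr_nbits = mpi_get_nbits (skey->p) / 4` with the 96-bit floor, and the random level `0` passed to `randomize_mpi`, which I believe is gnupg's lowest quality level — so a reviewer of the backport cannot tell from the code whether those choices are deliberate. A comment above the first `randomize_mpi` call would settle it, e.g. `/* The blinding nonce r only needs per-operation unpredictability, not key-grade entropy; nbits(p)/4 with a 96-bit floor follows libgcrypt commit 8725c99ffa41778f382ca97233183bcd687bb0ce. */`. The hunk also relies on `nlimbs`, which does not appear in its context lines; I assume 1.4.12's secret() already defines it the way the 1.4 branch does, otherwise the patch will not compile. If the `USE_BLINDING` block directly above contains statements, `MPI D_blind = mpi_alloc_secure (nlimbs);` is a declaration after statements, which is fine for C99 but worth checking against the compiler flags this file is built with on wheezy. secret()'s body starts and ends outside the hunk.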
diff --git a/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch b/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
new file mode 100644
index 00000000..c66ad3dd
--- /dev/null
+++ b/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
@@ -0,0 +1,53 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 7 Jul 2017 21:20:56 +0900
+Subject: CVE-2017-7526: rsa: Allow different build directory.
+
+* cipher/Makefile.am (AM_CPPFLAGS): Add mpi dirs.
+* cipher/rsa.c: Change include file.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/Makefile.am | 2 +-
+ cipher/Makefile.in | 2 +-
+ cipher/rsa.c       | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/cipher/Makefile.am b/cipher/Makefile.am
+index a10af20..92ffe90 100644
+--- a/cipher/Makefile.am
++++ b/cipher/Makefile.am
+@@ -17,7 +17,7 @@
+ # along with this program; if not, see <http://www.gnu.org/licenses/>.
+ ## Process this file with automake to produce Makefile.in
+ 
+-AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl
++AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl -I$(top_srcdir)/mpi -I../mpi
+ 
+ if ! HAVE_DOSISH_SYSTEM
+ AM_CPPFLAGS += -DGNUPG_LIBDIR="\"$(libdir)/@PACKAGE@\""
+diff --git a/cipher/Makefile.in b/cipher/Makefile.in
+index a2a3fd1..6238cbb 100644
+--- a/cipher/Makefile.in
++++ b/cipher/Makefile.in
+@@ -299,7 +299,7 @@ target_alias = @target_alias@
+ top_build_prefix = @top_build_prefix@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+-AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl \
++AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl -I$(top_srcdir)/mpi -I../mpi \
+ 	$(am__append_1)
+ noinst_LIBRARIES = libcipher.a
+ libcipher_a_SOURCES = cipher.c pubkey.c md.c dynload.c bithelp.h des.c \
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 78a6f87..f454992 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -29,7 +29,7 @@
+ #include <string.h>
+ #include "util.h"
+ #include "mpi.h"
+-#include "../mpi/mpi-internal.h"
++#include "mpi-internal.h"
+ #include "cipher.h"
+ #include "rsa.h"
+ 
diff --git a/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch b/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
new file mode 100644
index 00000000..b338c360
--- /dev/null
+++ b/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
@@ -0,0 +1,46 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 7 Jul 2017 21:51:42 +0900
+Subject: CVE-2017-7526: rsa: Reduce secmem pressure.
+
+* cipher/rsa.c (secret): Don't keep secmem.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/rsa.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index f454992..5894713 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -341,22 +341,29 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
+     mpi_set_highbit (rr, rr_nbits - 1);
+     mpi_sub_ui( h, skey->p, 1  );
+     mpi_mul ( D_blind, h, rr );
++    mpi_free ( rr );
+     mpi_fdiv_r( h, skey->d, h );
+     mpi_add ( D_blind, D_blind, h );
++    mpi_free ( h );
+     mpi_powm ( m1, input, D_blind, skey->p );
+ 
++    h = mpi_alloc_secure (nlimbs);
++    rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
++
+     /* d_blind = (d mod (q-1)) + (q-1) * r            */
+     /* m2 = c ^ d_blind mod q */
+     randomize_mpi (rr, rr_nbits, 0);
+     mpi_set_highbit (rr, rr_nbits - 1);
+     mpi_sub_ui( h, skey->q, 1  );
+     mpi_mul ( D_blind, h, rr );
++    mpi_free ( rr );
+     mpi_fdiv_r( h, skey->d, h );
+     mpi_add ( D_blind, D_blind, h );
++    mpi_free ( h );
+     mpi_powm ( m2, input, D_blind, skey->q );
+ 
+-    mpi_free ( rr );
+     mpi_free ( D_blind );
++    h = mpi_alloc_secure (nlimbs);
+ 
+     /* h = u * ( m2 - m1 ) mod q */
+     mpi_sub( h, m2, m1 );
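Review bot: The repeated `mpi_free`/`mpi_alloc_secure` cycling of `h` and `rr` around each `mpi_powm` is not explained in the code, and without the commit subject a later maintainer would likely "simplify" it back to a single allocation. A comment at the first `mpi_free ( rr );` should state the reason, e.g. `/* Release h and rr before each mpi_powm so its temporaries fit in the limited secure-memory pool; both are re-allocated afterwards. */` (adjust if the motivation is different from what the subject line suggests). Note that between `mpi_free ( h );` and the matching `h = mpi_alloc_secure (nlimbs);` the pointer is dangling across the `mpi_powm` call; nothing reads it there today, but setting `h = NULL;` right after each free would make an accidental use fail loudly rather than silently. secret()'s body starts and ends outside the hunk.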
diff --git a/debian/patches/series b/debian/patches/series
index dc95e2c5..b81a7e5d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,6 @@ CVE-2015-1606.patch
 0001-g10-Fix-checking-key-for-signature-validation.patch
 0046-cipher-Improve-readability-by-using-a-macro.patch
 0047-random-Hash-continuous-areas-in-the-csprng-pool.patch
+security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
+security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
+security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
