Re: [pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie

To: Guido Günther <agx@sigxcpu.org>
Cc: pkg-gnupg-maint@lists.alioth.debian.org, debian-lts@lists.debian.org
Subject: Re: [pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Tue, 29 Aug 2017 09:57:51 +0900
Message-id: <[🔎] 87tw0rmbqo.fsf@iwagami.gniibe.org>
In-reply-to: <[🔎] 20170828101731.wgomqrs25sytrsi3@bogon.m.sigxcpu.org>
References: <[🔎] 20170828101731.wgomqrs25sytrsi3@bogon.m.sigxcpu.org>

Hello, Guido,

Guido Günther <agx@sigxcpu.org> wrote:
> I just looked into fixing CVE-2017-7526 for gnupg in wheezy. Based on
> https://dev.gnupg.org/D438 I backported what I deemed are the necessary
> patches. Does this look sane? 

I'm not GnuPG package maintainers, but one of upstream developers.
For me, it look sane.

Let me explain patches, just in case.

For GnuPG 2.0 and 2.1, it is fixed by libgcrypt.  In case of GnuPG 1.4,
it is fixed in 1.4.22.

For CVE-2017-7526, what we did is two things.

(1) Same computation

    It's by the commit:
    12029f83fd0a
    mpi: Same computation for square and multiply for mpi_pow.

(2) Exponent blinding

    It's D438.

The intention of (1) is to minimize the information to side channel(s).
The intention of (2) is to maximize the noise to side channel(s).

Either of (1) or (2) (or both) can mitigate the attack.  My own response
was (1)-only, but the authors of the paper suggested (2) is recommended.

In 1.4.22, we have both.

(2)-only makes sense.  And, it consists of three patches in GnuPG 1.4,
which is...

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
> @@ -0,0 +1,71 @@
> +From: Marcus Brinkmann <mb@g10code.com>
> +Date: Fri, 7 Jul 2017 21:03:10 +0900
> +Subject: CVE-2017-7526: rsa: Add exponent blinding.

(a) This is a naive port from libgcrypt.

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
> @@ -0,0 +1,53 @@
> +From: NIIBE Yutaka <gniibe@fsij.org>
> +Date: Fri, 7 Jul 2017 21:20:56 +0900
> +Subject: CVE-2017-7526: rsa: Allow different build directory.

(b) This is the fix because the patch (a) breaks building by another
    directory.

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
> @@ -0,0 +1,46 @@
> +From: NIIBE Yutaka <gniibe@fsij.org>
> +Date: Fri, 7 Jul 2017 21:51:42 +0900
> +Subject: CVE-2017-7526: rsa: Reduce secmem pressure.

(c) This is a particular fix of GnuPG 1.4 over the patch (a).  This is
    important for GnuPG 1.4 to avoid regression.  Without this patch,
    the exponent blinding requires more "secure memory" for the crypto
    computation ("secure memory" is a small memory chunk which cannot be
    swapped out.)  In case of libgcrypt, secure memory handling is more
    robust, but for GnuPG 1.4, it might just fail.  So, I put this
    change.  With this change, it has no more memory pressure.
--

Reply to:

Follow-Ups:
- Re: [pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie
  - From: Guido Günther <agx@sigxcpu.org>

References:
- Fixing CVE-2017-7526 in for wheezy / jessie
  - From: Guido Günther <agx@sigxcpu.org>

Prev by Date: Re: Wheezy update of mercurial?
Next by Date: Re: [pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie
Previous by thread: Fixing CVE-2017-7526 in for wheezy / jessie
Next by thread: Re: [pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie
Index(es):
- Date
- Thread