Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock X-Debbugs-Cc: libgcrypt20@packages.debian.org Please unblock package libgcrypt20. Compared to 1.8.7-3 this pulls a 4 commits from 1.8.8, including 30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch (CVE-2021-33560) which fixes weak ElGamal encryption with keys *not* generated by libgcrypt/gnupg. It does not warrant a DSA (already doublechecked with debian-security) but should still be fixed. I will also prepare an upload for buster. unblock libgcrypt20/1.8.7-6 cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
diff -Nru libgcrypt20-1.8.7/debian/changelog libgcrypt20-1.8.7/debian/changelog
--- libgcrypt20-1.8.7/debian/changelog 2021-02-14 15:27:13.000000000 +0100
+++ libgcrypt20-1.8.7/debian/changelog 2021-05-27 18:07:38.000000000 +0200
@@ -1,3 +1,26 @@
+libgcrypt20 (1.8.7-6) unstable; urgency=medium
+
+ * Update from LIBGCRYPT-1.8-BRANCH:
+ + 30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 27 May 2021 18:07:38 +0200
+
+libgcrypt20 (1.8.7-5) unstable; urgency=medium
+
+ * Pull fix for ECC decyryption regression (caused by
+ 30_08-ecc-Check-the-input-length-for-the-point.patch) from
+ LIBGCRYPT-1.8-BRANCH. Closes: #987956
+
+ -- Andreas Metzler <ametzler@debian.org> Thu, 06 May 2021 18:06:14 +0200
+
+libgcrypt20 (1.8.7-4) unstable; urgency=medium
+
+ * Update from LIBGCRYPT-1.8-BRANCH:
+ + 30_07-Fix-previous-commit.patch
+ + 30_08-ecc-Check-the-input-length-for-the-point.patch
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 02 May 2021 13:58:47 +0200
+
libgcrypt20 (1.8.7-3) unstable; urgency=medium
* Update from LIBGCRYPT-1.8-BRANCH:
diff -Nru libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch
--- libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch 2021-05-02 13:52:17.000000000 +0200
@@ -0,0 +1,41 @@
+From a5799f1618aaf1bbb52e7e121275228dd4a3ac8b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Sun, 14 Feb 2021 18:54:40 +0100
+Subject: [PATCH 7/8] Fix previous commit
+
+* src/global.c (_gcry_get_config): Append the Nul only in the !what
+case.
+--
+
+Fixes-commit: 3f42f727a0699f7274a99ea39def7f9b4c3b0c1e
+Actually this was my fault - I stripped off the test which Jussi did in
+his original fix on master. And did not run make check.
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+---
+ src/global.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/global.c b/src/global.c
+index 7d634095..95daedac 100644
+--- a/src/global.c
++++ b/src/global.c
+@@ -419,8 +419,13 @@ _gcry_get_config (int mode, const char *what)
+
+ print_config (what, fp);
+
+- /* Make sure the output is null terminated. */
+- gpgrt_fwrite ("", 1, 1, fp);
++ /* Make sure the output is null terminated if no specific item was
++ * requested. This is needed because tests/version.c expects that
++ * the function fails with the !data case below. For the specific
++ * test an extra nul is not required because we always have a LF
++ * which is then replaced right at the end of this function. */
++ if (!what)
++ gpgrt_fwrite ("", 1, 1, fp);
+
+ if (gpgrt_ferror (fp))
+ {
+--
+2.30.2
+
diff -Nru libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch
--- libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch 2021-05-02 13:52:32.000000000 +0200
@@ -0,0 +1,80 @@
+From 3f48e3ea37adf84aae7335b8367012d70bb3f132 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 27 Apr 2021 17:24:16 +0900
+Subject: [PATCH 8/8] ecc: Check the input length for the point.
+
+* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length
+of valid point representation.
+
+--
+
+Backport the commit of master:
+
+ 060c378c050e7ec6206358c681a313d6e1967dcf
+
+In the use case of GnuPG, ECDH decryption for anonymous recipient may
+try to decrypt with different curves. When the input data of
+ephemeral key does not match one of the private key, it should return
+GPG_ERR_INV_OBJ.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/ecc-misc.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
+index 34dd6804..b89dcfa6 100644
+--- a/cipher/ecc-misc.c
++++ b/cipher/ecc-misc.c
+@@ -294,6 +294,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
+ {
+ unsigned char *rawmpi;
+ unsigned int rawmpilen;
++ unsigned int nbytes = (ctx->nbits+7)/8;
+
+ if (mpi_is_opaque (pk))
+ {
+@@ -305,27 +306,36 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
+ return GPG_ERR_INV_OBJ;
+ rawmpilen = (rawmpilen + 7)/8;
+
+- if (rawmpilen > 1 && (rawmpilen%2) && buf[0] == 0x40)
++ if (rawmpilen == nbytes + 1
++ && (buf[0] == 0x00 || buf[0] == 0x40))
+ {
+ rawmpilen--;
+ buf++;
+ }
++ else if (rawmpilen > nbytes)
++ return GPG_ERR_INV_OBJ;
+
+- rawmpi = xtrymalloc (rawmpilen? rawmpilen:1);
++ rawmpi = xtrymalloc (nbytes);
+ if (!rawmpi)
+ return gpg_err_code_from_syserror ();
+
+ p = rawmpi + rawmpilen;
+ while (p > rawmpi)
+ *--p = *buf++;
++
++ if (rawmpilen < nbytes)
++ memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen);
+ }
+ else
+ {
+- unsigned int nbytes = (ctx->nbits+7)/8;
+-
+ rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
+ if (!rawmpi)
+ return gpg_err_code_from_syserror ();
++ if (rawmpilen > nbytes + 1)
++ {
++ xfree (rawmpi);
++ return GPG_ERR_INV_OBJ;
++ }
+ /*
+ * It is not reliable to assume that 0x40 means the prefix.
+ *
+--
+2.30.2
+
diff -Nru libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch
--- libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch 2021-05-06 18:03:55.000000000 +0200
@@ -0,0 +1,31 @@
+From bd662c090bd4a45cc830de9e42e96dd0f8e1f702 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 6 May 2021 12:35:19 +0900
+Subject: [PATCH] ecc: Fix the previous commit.
+
+* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition.
+
+--
+
+GnuPG-bug-id: 5423
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/ecc-misc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
+index b89dcfa6..0c387c27 100644
+--- a/cipher/ecc-misc.c
++++ b/cipher/ecc-misc.c
+@@ -331,7 +331,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
+ rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
+ if (!rawmpi)
+ return gpg_err_code_from_syserror ();
+- if (rawmpilen > nbytes + 1)
++ if (rawmpilen > nbytes + BYTES_PER_MPI_LIMB)
+ {
+ xfree (rawmpi);
+ return GPG_ERR_INV_OBJ;
+--
+2.30.2
+
diff -Nru libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
--- libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch 2021-05-27 14:19:07.000000000 +0200
@@ -0,0 +1,105 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+ 632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+ 74386120dad6b3da62db37f7044267c8ef34689b
+ 78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+ Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+ "On the (in)security of ElGamal in OpenPGP";
+ in the proceedings of CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+
+
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+ gcry_mpi_t **factors);
+ static int check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+
+ /****************
+ * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1. With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+ */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+ gcry_mpi_t k = mpi_alloc_secure( 0 );
+ gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+ unsigned int nbits, nbytes;
+ char *rndbuf = NULL;
+
+- if (small_k)
+- {
+- /* Using a k much lesser than p is sufficient for encryption and
+- * it greatly improves the encryption performance. We use
+- * Wiener's table and add a large safety margin. */
+- nbits = wiener_map( orig_nbits ) * 3 / 2;
+- if( nbits >= orig_nbits )
+- BUG();
+- }
+- else
+- nbits = orig_nbits;
+-
++ nbits = orig_nbits;
+
+ nbytes = (nbits+7)/8;
+ if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ * error code.
+ */
+
+- k = gen_k( pkey->p, 1 );
++ k = gen_k( pkey->p );
+ mpi_powm (a, pkey->g, k, pkey->p);
+
+ /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+- k = gen_k( skey->p, 0 /* no small K ! */ );
++ k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
+--
+2.30.2
+
diff -Nru libgcrypt20-1.8.7/debian/patches/series libgcrypt20-1.8.7/debian/patches/series
--- libgcrypt20-1.8.7/debian/patches/series 2021-02-14 13:46:10.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/series 2021-05-27 14:19:10.000000000 +0200
@@ -8,3 +8,7 @@
30_04-Fix-ubsan-warnings-for-i386-build.patch
30_05-Add-handling-for-Og-with-O-flag-munging.patch
30_06-Make-sure-the-grcy_get_config-string-is-always-null-.patch
+30_07-Fix-previous-commit.patch
+30_08-ecc-Check-the-input-length-for-the-point.patch
+30_09-ecc-Fix-the-previous-commit.patch
+30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
Attachment:
signature.asc
Description: PGP signature