Bug#989422: buster-pu: package libgcrypt20/1.8.4-5+deb10u1

[Andreas Metzler <ametzler@bebt.de>]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libgcrypt20@packages.debian.org,security@debian.org


Hello,

I would like to fix the non-DSA CVE-2021-33560 for buster by
cherrypicking the respective commit from 1.8.8. This is about weak
ElGamal encyption when a key not generated by libgcrypt/gnupg is used.

This was fixed in unstable's 1.8.7-6, with bullseye unblock request
#989421 sent a couple of minutes ago.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru libgcrypt20-1.8.4/debian/changelog libgcrypt20-1.8.4/debian/changelog
--- libgcrypt20-1.8.4/debian/changelog	2019-01-20 14:47:23.000000000 +0100
+++ libgcrypt20-1.8.4/debian/changelog	2021-05-29 13:32:02.000000000 +0200
@@ -1,3 +1,11 @@
+libgcrypt20 (1.8.4-5+deb10u1) buster; urgency=medium
+
+  * 31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch from
+    upstream LIBGCRYPT-1.8-BRANCH: Fix weak ElGamal encryption with keys *not*
+    generated by GnuPG/libgcrypt. CVE-2021-33560
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 29 May 2021 13:32:02 +0200
+
 libgcrypt20 (1.8.4-5) unstable; urgency=medium
 
   * 30_doc-Fix-library-initialization-examples.patch from upstream
diff -Nru libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch
--- libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch	2021-05-29 13:16:14.000000000 +0200
@@ -0,0 +1,105 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+	632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+	74386120dad6b3da62db37f7044267c8ef34689b
+	78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+    "On the (in)security of ElGamal in OpenPGP";
+    in the proceedings of  CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
++  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
++  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
++    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
+-- 
+2.30.2
+
diff -Nru libgcrypt20-1.8.4/debian/patches/series libgcrypt20-1.8.4/debian/patches/series
--- libgcrypt20-1.8.4/debian/patches/series	2019-01-20 13:32:08.000000000 +0100
+++ libgcrypt20-1.8.4/debian/patches/series	2021-05-29 13:16:54.000000000 +0200
@@ -2,3 +2,4 @@
 15_multiarchpath_in_-L.diff
 25_norevisionfromgit.diff
 30_doc-Fix-library-initialization-examples.patch
+31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch

Attachment: signature.asc
Description: PGP signature