
Bug#989421: marked as done (unblock: libgcrypt20/1.8.7-6)



Your message dated Mon, 14 Jun 2021 20:01:36 +0000
with message-id <E1lssm8-0000ej-My@respighi.debian.org>
and subject line unblock libgcrypt20
has caused the Debian Bug report #989421,
regarding unblock: libgcrypt20/1.8.7-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989421: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989421
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libgcrypt20@packages.debian.org

Please unblock package libgcrypt20.

Compared to 1.8.7-3 this pulls 4 commits from 1.8.8, including
30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
(CVE-2021-33560) which fixes weak ElGamal encryption with keys *not*
generated by libgcrypt/gnupg. It does not warrant a DSA (already
double-checked with debian-security) but should still be fixed. I will
also prepare an upload for buster.

unblock libgcrypt20/1.8.7-6

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru libgcrypt20-1.8.7/debian/changelog libgcrypt20-1.8.7/debian/changelog
--- libgcrypt20-1.8.7/debian/changelog	2021-02-14 15:27:13.000000000 +0100
+++ libgcrypt20-1.8.7/debian/changelog	2021-05-27 18:07:38.000000000 +0200
@@ -1,3 +1,26 @@
+libgcrypt20 (1.8.7-6) unstable; urgency=medium
+
+  * Update from LIBGCRYPT-1.8-BRANCH:
+    + 30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
+
+ -- Andreas Metzler <ametzler@debian.org>  Thu, 27 May 2021 18:07:38 +0200
+
+libgcrypt20 (1.8.7-5) unstable; urgency=medium
+
+  * Pull fix for ECC decyryption regression (caused by
+    30_08-ecc-Check-the-input-length-for-the-point.patch) from
+    LIBGCRYPT-1.8-BRANCH. Closes: #987956
+
+ -- Andreas Metzler <ametzler@debian.org>  Thu, 06 May 2021 18:06:14 +0200
+
+libgcrypt20 (1.8.7-4) unstable; urgency=medium
+
+  * Update from LIBGCRYPT-1.8-BRANCH:
+    + 30_07-Fix-previous-commit.patch
+    + 30_08-ecc-Check-the-input-length-for-the-point.patch
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun, 02 May 2021 13:58:47 +0200
+
 libgcrypt20 (1.8.7-3) unstable; urgency=medium
 
   * Update from LIBGCRYPT-1.8-BRANCH:
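Review bot: typo in the 1.8.7-5 entry, "decyryption" should be "decryption" (changelog text is shown to users by apt-listchanges). The same entry describes the regression fix only in prose while the 1.8.7-4 and 1.8.7-6 entries name their patch files; naming 30_09-ecc-Fix-the-previous-commit.patch there as well would let each file added to debian/patches/series be traced to a changelog line.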
diff -Nru libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch
--- libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch	2021-05-02 13:52:17.000000000 +0200
@@ -0,0 +1,41 @@
+From a5799f1618aaf1bbb52e7e121275228dd4a3ac8b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Sun, 14 Feb 2021 18:54:40 +0100
+Subject: [PATCH 7/8] Fix previous commit
+
+* src/global.c (_gcry_get_config): Append the Nul only in the !what
+case.
+--
+
+Fixes-commit: 3f42f727a0699f7274a99ea39def7f9b4c3b0c1e
+Actually this was my fault - I stripped off the test which Jussi did in
+his original fix on master.  And did not run make check.
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+---
+ src/global.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/global.c b/src/global.c
+index 7d634095..95daedac 100644
+--- a/src/global.c
++++ b/src/global.c
+@@ -419,8 +419,13 @@ _gcry_get_config (int mode, const char *what)
+ 
+   print_config (what, fp);
+ 
+-  /* Make sure the output is null terminated. */
+-  gpgrt_fwrite ("", 1, 1, fp);
++  /* Make sure the output is null terminated if no specific item was
++   * requested.  This is needed because tests/version.c expects that
++   * the function fails with the !data case below.  For the specific
++   * test an extra nul is not required because we always have a LF
++   * which is then replaced right at the end of this function.  */
++  if (!what)
++    gpgrt_fwrite ("", 1, 1, fp);
+ 
+   if (gpgrt_ferror (fp))
+     {
+-- 
+2.30.2
+
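Review bot: the new comment above `if (!what)` justifies the conditional NUL by a "!data case below" and a trailing LF that is "replaced right at the end of this function", but neither of those lines is inside the hunk's context, so a reader of this backport cannot confirm the invariant it relies on. Since the header itself admits the original 1.8 backport dropped a test present in Jussi's master fix, suggest either widening the context to include the `!data` check and the LF replacement, or recording in the patch header that tests/version.c (`make check`) passes on the 1.8.7 tree with this applied.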
diff -Nru libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch
--- libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch	2021-05-02 13:52:32.000000000 +0200
@@ -0,0 +1,80 @@
+From 3f48e3ea37adf84aae7335b8367012d70bb3f132 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 27 Apr 2021 17:24:16 +0900
+Subject: [PATCH 8/8] ecc: Check the input length for the point.
+
+* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length
+of valid point representation.
+
+--
+
+Backport the commit of master:
+
+	060c378c050e7ec6206358c681a313d6e1967dcf
+
+In the use case of GnuPG, ECDH decryption for anonymous recipient may
+try to decrypt with different curves.  When the input data of
+ephemeral key does not match one of the private key, it should return
+GPG_ERR_INV_OBJ.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/ecc-misc.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
+index 34dd6804..b89dcfa6 100644
+--- a/cipher/ecc-misc.c
++++ b/cipher/ecc-misc.c
+@@ -294,6 +294,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
+ {
+   unsigned char *rawmpi;
+   unsigned int rawmpilen;
++  unsigned int nbytes = (ctx->nbits+7)/8;
+ 
+   if (mpi_is_opaque (pk))
+     {
+@@ -305,27 +306,36 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
+         return GPG_ERR_INV_OBJ;
+       rawmpilen = (rawmpilen + 7)/8;
+ 
+-      if (rawmpilen > 1 && (rawmpilen%2) && buf[0] == 0x40)
++      if (rawmpilen == nbytes + 1
++          && (buf[0] == 0x00 || buf[0] == 0x40))
+         {
+           rawmpilen--;
+           buf++;
+         }
++      else if (rawmpilen > nbytes)
++        return GPG_ERR_INV_OBJ;
+ 
+-      rawmpi = xtrymalloc (rawmpilen? rawmpilen:1);
++      rawmpi = xtrymalloc (nbytes);
+       if (!rawmpi)
+         return gpg_err_code_from_syserror ();
+ 
+       p = rawmpi + rawmpilen;
+       while (p > rawmpi)
+         *--p = *buf++;
++
++      if (rawmpilen < nbytes)
++        memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen);
+     }
+   else
+     {
+-      unsigned int nbytes = (ctx->nbits+7)/8;
+-
+       rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
+       if (!rawmpi)
+         return gpg_err_code_from_syserror ();
++      if (rawmpilen > nbytes + 1)
++        {
++          xfree (rawmpi);
++          return GPG_ERR_INV_OBJ;
++        }
+       /*
+        * It is not reliable to assume that 0x40 means the prefix.
+        *
+-- 
+2.30.2
+
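Review bot: the zero-fill offset in the opaque branch looks wrong. After the reversing copy (`p = rawmpi + rawmpilen; while (p > rawmpi) *--p = *buf++;`) the significant bytes occupy `rawmpi[0 .. rawmpilen-1]`, so the padding should cover `rawmpi[rawmpilen .. nbytes-1]`, i.e. `memset (rawmpi + rawmpilen, 0, nbytes - rawmpilen);`. As written, `memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen)` covers the intended region only when `rawmpilen == nbytes/2`; for larger `rawmpilen` it overwrites copied bytes and leaves the top of the buffer uninitialised, and for `rawmpilen < nbytes/2` its end (`2*(nbytes - rawmpilen)`) lies past the `xtrymalloc (nbytes)` allocation. Please check this against the upstream master commit named in the header before it goes to buster as well. Separately, the `if (rawmpilen > nbytes + 1)` check in the non-opaque branch is the line that caused the regression recorded in the changelog (#987956) and is relaxed by 30_09; both are applied in this upload so the intermediate state never ships, but a line in this header pointing to 30_09 would make the series self-describing.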
diff -Nru libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch
--- libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch	2021-05-06 18:03:55.000000000 +0200
@@ -0,0 +1,31 @@
+From bd662c090bd4a45cc830de9e42e96dd0f8e1f702 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 6 May 2021 12:35:19 +0900
+Subject: [PATCH] ecc: Fix the previous commit.
+
+* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition.
+
+--
+
+GnuPG-bug-id: 5423
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/ecc-misc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
+index b89dcfa6..0c387c27 100644
+--- a/cipher/ecc-misc.c
++++ b/cipher/ecc-misc.c
+@@ -331,7 +331,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
+       rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
+       if (!rawmpi)
+         return gpg_err_code_from_syserror ();
+-      if (rawmpilen > nbytes + 1)
++      if (rawmpilen > nbytes + BYTES_PER_MPI_LIMB)
+         {
+           xfree (rawmpi);
+           return GPG_ERR_INV_OBJ;
+-- 
+2.30.2
+
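Review bot: the header says only "Fix the condition" and does not explain why one limb of slack is the correct bound; suggest stating why `rawmpilen` returned by `_gcry_mpi_get_buffer` may legitimately exceed `nbytes + 1` (presumably limb-granular buffer sizing, which is what made `nbytes + 1` reject valid ciphertext in #987956) and adding that Debian bug number to the header. The hunk adds no include for `BYTES_PER_MPI_LIMB`; that is fine if cipher/ecc-misc.c already sees it through its mpi headers, but since the limb size differs between 32-bit and 64-bit builds, a build and ECDH decryption test on both is worth doing before the buster upload.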
diff -Nru libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
--- libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch	2021-05-27 14:19:07.000000000 +0200
@@ -0,0 +1,105 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+	632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+	74386120dad6b3da62db37f7044267c8ef34689b
+	78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+    "On the (in)security of ElGamal in OpenPGP";
+    in the proceedings of  CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
++  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
++  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
++    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
+-- 
+2.30.2
+
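Review bot: typo in the header, "Folllow" should be "Follow". In the gen_k hunk, replacing the `if (small_k) ... else` block with the single `nbits = orig_nbits;` leaves two consecutive blank lines before `nbytes = (nbits+7)/8;` (the removed blank line after `else` is followed by the retained one), a nit but easy to drop while touching the file. More usefully, the header's rationale could state the security condition explicitly: the short ephemeral k was only safe against group parameters produced by libgcrypt's own generator, which is why the unblock request scopes CVE-2021-33560 to keys not generated by libgcrypt/gnupg. With `gen_k` now having a single behaviour, the removed "must never be used signing" warning and the `0 /* no small K ! */` argument in `sign` become unnecessary, and the hunk correctly drops both.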
diff -Nru libgcrypt20-1.8.7/debian/patches/series libgcrypt20-1.8.7/debian/patches/series
--- libgcrypt20-1.8.7/debian/patches/series	2021-02-14 13:46:10.000000000 +0100
+++ libgcrypt20-1.8.7/debian/patches/series	2021-05-27 14:19:10.000000000 +0200
@@ -8,3 +8,7 @@
 30_04-Fix-ubsan-warnings-for-i386-build.patch
 30_05-Add-handling-for-Og-with-O-flag-munging.patch
 30_06-Make-sure-the-grcy_get_config-string-is-always-null-.patch
+30_07-Fix-previous-commit.patch
+30_08-ecc-Check-the-input-length-for-the-point.patch
+30_09-ecc-Fix-the-previous-commit.patch
+30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
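Review bot: ordering is consistent and must stay as listed: 30_09's index line `b89dcfa6..0c387c27` starts from the blob that 30_08 produces (`34dd6804..b89dcfa6`), so 30_09 cannot be reordered before 30_08. Since 30_09 only corrects one condition introduced by 30_08, consider folding the two into a single patch at the next upload to keep the series shorter.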


--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
