
Bug#989422: marked as done (buster-pu: package libgcrypt20/1.8.4-5+deb10u1)



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #989422,
regarding buster-pu: package libgcrypt20/1.8.4-5+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989422
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libgcrypt20@packages.debian.org,security@debian.org


Hello,

I would like to fix the non-DSA CVE-2021-33560 for buster by
cherrypicking the respective commit from 1.8.8. This is about weak
ElGamal encryption when a key not generated by libgcrypt/gnupg is used.

This was fixed in unstable's 1.8.7-6, with bullseye unblock request
#989421 sent a couple of minutes ago.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru libgcrypt20-1.8.4/debian/changelog libgcrypt20-1.8.4/debian/changelog
--- libgcrypt20-1.8.4/debian/changelog	2019-01-20 14:47:23.000000000 +0100
+++ libgcrypt20-1.8.4/debian/changelog	2021-05-29 13:32:02.000000000 +0200
@@ -1,3 +1,11 @@
+libgcrypt20 (1.8.4-5+deb10u1) buster; urgency=medium
+
+  * 31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch from
+    upstream LIBGCRYPT-1.8-BRANCH: Fix weak ElGamal encryption with keys *not*
+    generated by GnuPG/libgcrypt. CVE-2021-33560
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 29 May 2021 13:32:02 +0200
+
 libgcrypt20 (1.8.4-5) unstable; urgency=medium
 
   * 30_doc-Fix-library-initialization-examples.patch from upstream
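Review bot: The new 1.8.4-5+deb10u1 entry identifies the fix only by patch file name and CVE-2021-33560; it cites neither the upstream commit nor the GnuPG bug. Adding the commit id from the patch header (707c3c5c511ee70ad0e39ec613471f665305fbea) or "GnuPG-bug-id: 5328" would let anyone auditing the stable update trace it upstream without opening the patch.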
diff -Nru libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch
--- libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgcrypt20-1.8.4/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch	2021-05-29 13:16:14.000000000 +0200
@@ -0,0 +1,105 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+	632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+	74386120dad6b3da62db37f7044267c8ef34689b
+	78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+    "On the (in)security of ElGamal in OpenPGP";
+    in the proceedings of  CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
++  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
++  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
++    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
+-- 
+2.30.2
+
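Review bot: In the gen_k hunk of the embedded patch, the surviving `nbits = orig_nbits;` makes `nbits` a plain alias of `orig_nbits`, and the deleted branch held the only `wiener_map( orig_nbits )` call visible in this diff. Keeping the alias is reasonable for a minimal stable cherry-pick, but the build should be checked for a new unused-function warning in cipher/elgamal.c. Since the removed comment says the smaller k "greatly improves the encryption performance", the changelog entry could also mention that ElGamal encryption now always uses a full-size k and is correspondingly slower. The diffstat lists only cipher/elgamal.c, so no regression test accompanies the change; do_encrypt and sign now share one gen_k path, which at least removes the risk of passing the wrong flag at a call site.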
diff -Nru libgcrypt20-1.8.4/debian/patches/series libgcrypt20-1.8.4/debian/patches/series
--- libgcrypt20-1.8.4/debian/patches/series	2019-01-20 13:32:08.000000000 +0100
+++ libgcrypt20-1.8.4/debian/patches/series	2021-05-29 13:16:54.000000000 +0200
@@ -2,3 +2,4 @@
 15_multiarchpath_in_-L.diff
 25_norevisionfromgit.diff
 30_doc-Fix-library-initialization-examples.patch
+31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
