Control: tgs -1 confirmed d-i On 2021-06-03 13:23:02 +0200, Andreas Metzler wrote: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: libgcryp...@packages.debian.org > > Please unblock package libgcrypt20. > > Compared to 1.8.7-3 this pulls a 4 commits from 1.8.8, including > 30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch > (CVE-2021-33560) which fixes weak ElGamal encryption with keys *not* > generated by libgcrypt/gnupg. It does not warrant a DSA (already > doublechecked with debian-security) but should still be fixed. I will > also prepare an upload for buster.
ACK. Cyril, could you please (N)ACK for d-i?
Cheers
>
> unblock libgcrypt20/1.8.7-6
>
> cu Andreas
> --
> `What a good friend you are to him, Dr. Maturin. His other friends are
> so grateful to you.'
> `I sew his ears on from time to time, sure'
> diff -Nru libgcrypt20-1.8.7/debian/changelog
> libgcrypt20-1.8.7/debian/changelog
> --- libgcrypt20-1.8.7/debian/changelog 2021-02-14 15:27:13.000000000
> +0100
> +++ libgcrypt20-1.8.7/debian/changelog 2021-05-27 18:07:38.000000000
> +0200
> @@ -1,3 +1,26 @@
> +libgcrypt20 (1.8.7-6) unstable; urgency=medium
> +
> + * Update from LIBGCRYPT-1.8-BRANCH:
> + + 30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
> +
> + -- Andreas Metzler <ametz...@debian.org> Thu, 27 May 2021 18:07:38 +0200
> +
> +libgcrypt20 (1.8.7-5) unstable; urgency=medium
> +
> + * Pull fix for ECC decyryption regression (caused by
> + 30_08-ecc-Check-the-input-length-for-the-point.patch) from
> + LIBGCRYPT-1.8-BRANCH. Closes: #987956
> +
> + -- Andreas Metzler <ametz...@debian.org> Thu, 06 May 2021 18:06:14 +0200
> +
> +libgcrypt20 (1.8.7-4) unstable; urgency=medium
> +
> + * Update from LIBGCRYPT-1.8-BRANCH:
> + + 30_07-Fix-previous-commit.patch
> + + 30_08-ecc-Check-the-input-length-for-the-point.patch
> +
> + -- Andreas Metzler <ametz...@debian.org> Sun, 02 May 2021 13:58:47 +0200
> +
> libgcrypt20 (1.8.7-3) unstable; urgency=medium
>
> * Update from LIBGCRYPT-1.8-BRANCH:
> diff -Nru libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch
> libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch
> --- libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch
> 1970-01-01 01:00:00.000000000 +0100
> +++ libgcrypt20-1.8.7/debian/patches/30_07-Fix-previous-commit.patch
> 2021-05-02 13:52:17.000000000 +0200
> @@ -0,0 +1,41 @@
> +From a5799f1618aaf1bbb52e7e121275228dd4a3ac8b Mon Sep 17 00:00:00 2001
> +From: Werner Koch <w...@gnupg.org>
> +Date: Sun, 14 Feb 2021 18:54:40 +0100
> +Subject: [PATCH 7/8] Fix previous commit
> +
> +* src/global.c (_gcry_get_config): Append the Nul only in the !what
> +case.
> +--
> +
> +Fixes-commit: 3f42f727a0699f7274a99ea39def7f9b4c3b0c1e
> +Actually this was my fault - I stripped off the test which Jussi did in
> +his original fix on master. And did not run make check.
> +
> +Signed-off-by: Werner Koch <w...@gnupg.org>
> +---
> + src/global.c | 9 +++++++--
> + 1 file changed, 7 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/global.c b/src/global.c
> +index 7d634095..95daedac 100644
> +--- a/src/global.c
> ++++ b/src/global.c
> +@@ -419,8 +419,13 @@ _gcry_get_config (int mode, const char *what)
> +
> + print_config (what, fp);
> +
> +- /* Make sure the output is null terminated. */
> +- gpgrt_fwrite ("", 1, 1, fp);
> ++ /* Make sure the output is null terminated if no specific item was
> ++ * requested. This is needed because tests/version.c expects that
> ++ * the function fails with the !data case below. For the specific
> ++ * test an extra nul is not required because we always have a LF
> ++ * which is then replaced right at the end of this function. */
> ++ if (!what)
> ++ gpgrt_fwrite ("", 1, 1, fp);
> +
> + if (gpgrt_ferror (fp))
> + {
> +--
> +2.30.2
> +
> diff -Nru
> libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch
>
> libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch
> ---
> libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch
> 1970-01-01 01:00:00.000000000 +0100
> +++
> libgcrypt20-1.8.7/debian/patches/30_08-ecc-Check-the-input-length-for-the-point.patch
> 2021-05-02 13:52:32.000000000 +0200
> @@ -0,0 +1,80 @@
> +From 3f48e3ea37adf84aae7335b8367012d70bb3f132 Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka <gni...@fsij.org>
> +Date: Tue, 27 Apr 2021 17:24:16 +0900
> +Subject: [PATCH 8/8] ecc: Check the input length for the point.
> +
> +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length
> +of valid point representation.
> +
> +--
> +
> +Backport the commit of master:
> +
> + 060c378c050e7ec6206358c681a313d6e1967dcf
> +
> +In the use case of GnuPG, ECDH decryption for anonymous recipient may
> +try to decrypt with different curves. When the input data of
> +ephemeral key does not match one of the private key, it should return
> +GPG_ERR_INV_OBJ.
> +
> +Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
> +---
> + cipher/ecc-misc.c | 18 ++++++++++++++----
> + 1 file changed, 14 insertions(+), 4 deletions(-)
> +
> +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
> +index 34dd6804..b89dcfa6 100644
> +--- a/cipher/ecc-misc.c
> ++++ b/cipher/ecc-misc.c
> +@@ -294,6 +294,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx,
> mpi_point_t result)
> + {
> + unsigned char *rawmpi;
> + unsigned int rawmpilen;
> ++ unsigned int nbytes = (ctx->nbits+7)/8;
> +
> + if (mpi_is_opaque (pk))
> + {
> +@@ -305,27 +306,36 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t
> ctx, mpi_point_t result)
> + return GPG_ERR_INV_OBJ;
> + rawmpilen = (rawmpilen + 7)/8;
> +
> +- if (rawmpilen > 1 && (rawmpilen%2) && buf[0] == 0x40)
> ++ if (rawmpilen == nbytes + 1
> ++ && (buf[0] == 0x00 || buf[0] == 0x40))
> + {
> + rawmpilen--;
> + buf++;
> + }
> ++ else if (rawmpilen > nbytes)
> ++ return GPG_ERR_INV_OBJ;
> +
> +- rawmpi = xtrymalloc (rawmpilen? rawmpilen:1);
> ++ rawmpi = xtrymalloc (nbytes);
> + if (!rawmpi)
> + return gpg_err_code_from_syserror ();
> +
> + p = rawmpi + rawmpilen;
> + while (p > rawmpi)
> + *--p = *buf++;
> ++
> ++ if (rawmpilen < nbytes)
> ++ memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen);
> + }
> + else
> + {
> +- unsigned int nbytes = (ctx->nbits+7)/8;
> +-
> + rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
> + if (!rawmpi)
> + return gpg_err_code_from_syserror ();
> ++ if (rawmpilen > nbytes + 1)
> ++ {
> ++ xfree (rawmpi);
> ++ return GPG_ERR_INV_OBJ;
> ++ }
> + /*
> + * It is not reliable to assume that 0x40 means the prefix.
> + *
> +--
> +2.30.2
> +
> diff -Nru
> libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch
> libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch
> --- libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch
> 1970-01-01 01:00:00.000000000 +0100
> +++ libgcrypt20-1.8.7/debian/patches/30_09-ecc-Fix-the-previous-commit.patch
> 2021-05-06 18:03:55.000000000 +0200
> @@ -0,0 +1,31 @@
> +From bd662c090bd4a45cc830de9e42e96dd0f8e1f702 Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka <gni...@fsij.org>
> +Date: Thu, 6 May 2021 12:35:19 +0900
> +Subject: [PATCH] ecc: Fix the previous commit.
> +
> +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition.
> +
> +--
> +
> +GnuPG-bug-id: 5423
> +Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
> +---
> + cipher/ecc-misc.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
> +index b89dcfa6..0c387c27 100644
> +--- a/cipher/ecc-misc.c
> ++++ b/cipher/ecc-misc.c
> +@@ -331,7 +331,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx,
> mpi_point_t result)
> + rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
> + if (!rawmpi)
> + return gpg_err_code_from_syserror ();
> +- if (rawmpilen > nbytes + 1)
> ++ if (rawmpilen > nbytes + BYTES_PER_MPI_LIMB)
> + {
> + xfree (rawmpi);
> + return GPG_ERR_INV_OBJ;
> +--
> +2.30.2
> +
> diff -Nru
> libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
>
> libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
> ---
> libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
> 1970-01-01 01:00:00.000000000 +0100
> +++
> libgcrypt20-1.8.7/debian/patches/30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
> 2021-05-27 14:19:07.000000000 +0200
> @@ -0,0 +1,105 @@
> +From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka <gni...@fsij.org>
> +Date: Fri, 21 May 2021 11:15:07 +0900
> +Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
> +
> +* cipher/elgamal.c (gen_k): Remove support of smaller K.
> +(do_encrypt): Never use smaller K.
> +(sign): Folllow the change of gen_k.
> +
> +--
> +
> +Cherry-pick master commit of:
> + 632d80ef30e13de6926d503aa697f92b5dbfbc5e
> +
> +This change basically reverts encryption changes in two commits:
> +
> + 74386120dad6b3da62db37f7044267c8ef34689b
> + 78531373a342aeb847950f404343a05e36022065
> +
> +Use of smaller K for ephemeral key in ElGamal encryption is only good,
> +when we can guarantee that recipient's key is generated by our
> +implementation (or compatible).
> +
> +For detail, please see:
> +
> + Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
> + "On the (in)security of ElGamal in OpenPGP";
> + in the proceedings of CCS'2021.
> +
> +CVE-id: CVE-2021-33560
> +GnuPG-bug-id: 5328
> +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
> +Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
> +---
> + cipher/elgamal.c | 24 ++++++------------------
> + 1 file changed, 6 insertions(+), 18 deletions(-)
> +
> +diff --git a/cipher/elgamal.c b/cipher/elgamal.c
> +index 4eb52d62..ae7a631e 100644
> +--- a/cipher/elgamal.c
> ++++ b/cipher/elgamal.c
> +@@ -66,7 +66,7 @@ static const char *elg_names[] =
> +
> +
> + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
> +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
> ++static gcry_mpi_t gen_k (gcry_mpi_t p);
> + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
> + gcry_mpi_t **factors);
> + static int check_secret_key (ELG_secret_key *sk);
> +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits,
> int nodie )
> +
> + /****************
> + * Generate a random secret exponent k from prime p, so that k is
> +- * relatively prime to p-1. With SMALL_K set, k will be selected for
> +- * better encryption performance - this must never be used signing!
> ++ * relatively prime to p-1.
> + */
> + static gcry_mpi_t
> +-gen_k( gcry_mpi_t p, int small_k )
> ++gen_k( gcry_mpi_t p )
> + {
> + gcry_mpi_t k = mpi_alloc_secure( 0 );
> + gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
> +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
> + unsigned int nbits, nbytes;
> + char *rndbuf = NULL;
> +
> +- if (small_k)
> +- {
> +- /* Using a k much lesser than p is sufficient for encryption and
> +- * it greatly improves the encryption performance. We use
> +- * Wiener's table and add a large safety margin. */
> +- nbits = wiener_map( orig_nbits ) * 3 / 2;
> +- if( nbits >= orig_nbits )
> +- BUG();
> +- }
> +- else
> +- nbits = orig_nbits;
> +-
> ++ nbits = orig_nbits;
> +
> + nbytes = (nbits+7)/8;
> + if( DBG_CIPHER )
> +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input,
> ELG_public_key *pkey )
> + * error code.
> + */
> +
> +- k = gen_k( pkey->p, 1 );
> ++ k = gen_k( pkey->p );
> + mpi_powm (a, pkey->g, k, pkey->p);
> +
> + /* b = (y^k * input) mod p
> +@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input,
> ELG_secret_key *skey )
> + *
> + */
> + mpi_sub_ui(p_1, p_1, 1);
> +- k = gen_k( skey->p, 0 /* no small K ! */ );
> ++ k = gen_k( skey->p );
> + mpi_powm( a, skey->g, k, skey->p );
> + mpi_mul(t, skey->x, a );
> + mpi_subm(t, input, t, p_1 );
> +--
> +2.30.2
> +
> diff -Nru libgcrypt20-1.8.7/debian/patches/series
> libgcrypt20-1.8.7/debian/patches/series
> --- libgcrypt20-1.8.7/debian/patches/series 2021-02-14 13:46:10.000000000
> +0100
> +++ libgcrypt20-1.8.7/debian/patches/series 2021-05-27 14:19:10.000000000
> +0200
> @@ -8,3 +8,7 @@
> 30_04-Fix-ubsan-warnings-for-i386-build.patch
> 30_05-Add-handling-for-Og-with-O-flag-munging.patch
> 30_06-Make-sure-the-grcy_get_config-string-is-always-null-.patch
> +30_07-Fix-previous-commit.patch
> +30_08-ecc-Check-the-input-length-for-the-point.patch
> +30_09-ecc-Fix-the-previous-commit.patch
> +30_10-cipher-Fix-ElGamal-encryption-for-other-implementati.patch
--
Sebastian Ramacher
signature.asc
Description: PGP signature
