Package: gnupg / 1.4.12-7+deb7u4

Metadata

Package: gnupg
Version: 1.4.12-7+deb7u4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
685627_french_translation_update.patch

po/fr.po | 4406 1526 + 2880 - 0 !
po/gnupg.pot | 2 1 + 1 - 0 !
2 files changed, 1527 insertions(+), 2881 deletions(-)

 French translation proofread and updated
CVE-2012-6085.patch

g10/import.c | 23 22 + 1 - 0 !
1 file changed, 22 insertions(+), 1 deletion(-)

 Fix memory and key database corruption on importing invalid keys by rejecting invalid keyblock packet types.
CVE-2013-4242.patch

mpi/mpi-pow.c | 15 12 + 3 - 0 !
1 file changed, 12 insertions(+), 3 deletions(-)

 Mitigate a flush+reload cache attack on RSA secret exponents.
X-Git-Tag: gnupg-1.4.14~5
CVE-2013-4402.patch

g10/mainproc.c | 52 43 + 9 - 0 !
util/iobuf.c | 75 43 + 32 - 0 !
2 files changed, 86 insertions(+), 41 deletions(-)

 [PATCH 1/2] gpg: Fix bug with deeply nested compressed packets.

* g10/mainproc.c (MAX_NESTING_DEPTH): New.
(proc_compressed): Return an error code.
(check_nesting): New.
(do_proc_packets): Check packet nesting depth.  Handle errors from
check_compressed.

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE-2013-4351.patch

g10/getkey.c | 8 7 + 1 - 0 !
include/cipher.h | 1 1 + 0 - 0 !
2 files changed, 8 insertions(+), 1 deletion(-)

CVE-2013-4576.patch

cipher/dsa.c | 6 4 + 2 - 0 !
cipher/elgamal.c | 3 3 + 0 - 0 !
cipher/random.c | 12 12 + 0 - 0 !
cipher/random.h | 1 1 + 0 - 0 !
cipher/rsa.c | 80 59 + 21 - 0 !
g10/gpgv.c | 1 1 + 0 - 0 !
6 files changed, 80 insertions(+), 23 deletions(-)

 [PATCH 1/2] Use blinding for the RSA secret operation.

* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--

GPG 1.x has never used any protection against timing attacks on the
RSA secret operation.  The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG.  With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do something
about it.  Blinding seems to be a suitable mitigation to the threat of
key extraction.  It does not help against distinguishing used keys,
though.

Note that GPG 2.x uses Libgcrypt which does blinding by default.

The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are

  Without blinding:  5.2s  (8.9s)
  With blinding:     5.6s  (9.3s)

The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code.  Thus for the next release the
user will actually experience faster signing and decryption.  A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE-id: CVE-2013-4576
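
The blinding the commit message describes, as an added illustration that is not GnuPG's cipher/rsa.c: the secret exponent is applied to c * r^e for a fresh random r and the factor r is divided out afterwards, so the exponentiation never runs directly on attacker-chosen input. The key below is a constructed toy key from two small primes (demo only); the e/d/n names and the helper functions are this example's own.

```python
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaKey:
    n: int  # modulus
    e: int  # public exponent
    d: int  # secret exponent


def make_toy_key(p: int, q: int, e: int = 65537) -> RsaKey:
    """Constructed demo key from two primes; far too small for real use."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return RsaKey(n=p * q, e=e, d=pow(e, -1, phi))


def secret_op_unblinded(c: int, key: RsaKey) -> int:
    """c^d mod n on the raw input: the exponentiation's timing depends on c."""
    return pow(c, key.d, key.n)


def secret_op_blinded(c: int, key: RsaKey) -> int:
    """c^d mod n with multiplicative blinding, the scheme the commit adds to (secret)."""
    n = key.n
    while True:
        # Low-quality randomness suffices: r only has to be unpredictable and
        # invertible mod n (gcd(r, n) != 1 is astronomically rare for real keys).
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    blinded = (c * pow(r, key.e, n)) % n   # c * r^e
    result = pow(blinded, key.d, n)        # (c * r^e)^d = c^d * r, since e*d = 1 mod phi
    return (result * r_inv) % n            # remove r, leaving c^d


def check_blinding(key: RsaKey, m: int, rounds: int = 20) -> bool:
    """Decrypt one ciphertext repeatedly; every blinded run must equal the plain one."""
    c = pow(m, key.e, key.n)
    plain = secret_op_unblinded(c, key)
    return plain == m and all(secret_op_blinded(c, key) == plain for _ in range(rounds))


if __name__ == "__main__":
    # Constructed primes for the demo; real keys use 2048-bit or larger moduli.
    key = make_toy_key(1000000007, 998244353)
    print("blinded result matches:", check_blinding(key, 123456789))
```

As the commit notes, this hides the base of the exponentiation but not which key is in use, and it costs one extra random number per secret operation.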

0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch

g10/compress.c | 21 12 + 9 - 0 !
1 file changed, 12 insertions(+), 9 deletions(-)

 [PATCH] gpg: Avoid infinite loop in uncompressing garbled packets.

* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
--

A packet like (a3 01 5b ff) leads to an infinite loop.  Using
--max-output won't help if it is a partial packet.  This patch
actually fixes a regression introduced on 1999-05-31 (c34c6769).
Actually it would be sufficient to stuff just one extra 0xff byte.
Given that this problem popped up only after 15 years, I feel safer to
allow for a very few FF bytes.

Thanks to Olivier Levillain and Florian Maury for their detailed
report.