Package: gnupg / 1.4.12-7+deb7u7

Metadata

Package Version Patches format
gnupg 1.4.12-7+deb7u7 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
685627_french_translation_update.patch | (download)

po/fr.po | 4406 1526 + 2880 - 0 !
po/gnupg.pot | 2 1 + 1 - 0 !
2 files changed, 1527 insertions(+), 2881 deletions(-)

 french translation proofread and updated
CVE 2012 6085.patch | (download)

g10/import.c | 23 22 + 1 - 0 !
1 file changed, 22 insertions(+), 1 deletion(-)

 fix memory and key database corruption on importing invalid keys by rejecting invalid keyblock packet types.
CVE 2013 4242.patch | (download)

mpi/mpi-pow.c | 15 12 + 3 - 0 !
1 file changed, 12 insertions(+), 3 deletions(-)

 mitigate a flush+reload cache attack on rsa secret exponents.
X-Git-Tag: gnupg-1.4.14~5
CVE 2013 4402.patch | (download)

g10/mainproc.c | 52 43 + 9 - 0 !
util/iobuf.c | 75 43 + 32 - 0 !
2 files changed, 86 insertions(+), 41 deletions(-)

 [patch 1/2] gpg: fix bug with deeply nested compressed packets.

* g10/mainproc.c (MAX_NESTING_DEPTH): New.
(proc_compressed): Return an error code.
(check_nesting): New.
(do_proc_packets): Check packet nesting depth.  Handle errors from
check_compressed.

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE 2013 4351.patch | (download)

g10/getkey.c | 8 7 + 1 - 0 !
include/cipher.h | 1 1 + 0 - 0 !
2 files changed, 8 insertions(+), 1 deletion(-)

---
CVE 2013 4576.patch | (download)

cipher/dsa.c | 6 4 + 2 - 0 !
cipher/elgamal.c | 3 3 + 0 - 0 !
cipher/random.c | 12 12 + 0 - 0 !
cipher/random.h | 1 1 + 0 - 0 !
cipher/rsa.c | 80 59 + 21 - 0 !
g10/gpgv.c | 1 1 + 0 - 0 !
6 files changed, 80 insertions(+), 23 deletions(-)

 [patch 1/2] use blinding for the rsa secret operation.

* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--

GPG 1.x has never used any protection against timing attacks on the
RSA secret operation.  The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG.  With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do do something
about it.  Blinding seems to be a suitable mitigation to the threat of
key extraction.  It does not help against distinguishing used keys,
though.

Note that GPG 2.x uses Libgcrypt which does blinding by default.

The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are

  Without blinding:  5.2s  (8.9s)
  With blinding:     5.6s  (9.3s)

The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code.  Thus for the next release the
user will actually experience faster signing and decryption.  A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE-id: CVE-2013-4576

0001 gpg Avoid infinite loop in uncompressing garbled pac.patch | (download)

g10/compress.c | 21 12 + 9 - 0 !
1 file changed, 12 insertions(+), 9 deletions(-)

 [patch] gpg: avoid infinite loop in uncompressing garbled packets.

* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
--

A packet like (a3 01 5b ff) leads to an infinite loop.  Using
--max-output won't help if it is a partial packet.  This patch
actually fixes a regression introduced on 1999-05-31 (c34c6769).
Actually it would be sufficient to stuff just one extra 0xff byte.
Given that this problem popped up only after 15 years, I feel safer to
allow for a very few FF bytes.

Thanks to Olivier Levillain and Florian Maury for their detailed
report.

CVE 2014 5270.patch | (download)

mpi/mpi-pow.c | 443 443 + 0 - 0 !
1 file changed, 443 insertions(+)

 mpi: mpi-pow improvements
X-Git-Tag: gnupg-1.4.16~7
0001 Screen keyserver responses.patch | (download)

g10/import.c | 61 44 + 17 - 0 !
g10/keyserver.c | 84 65 + 19 - 0 !
g10/main.h | 8 6 + 2 - 0 !
3 files changed, 115 insertions(+), 38 deletions(-)

 [patch] screen keyserver responses.

* g10/main.h: Typedef import_filter for filter callbacks.
* g10/import.c (import): Add filter callbacks to param list.
(import_one): Ditto.
(import_secret_one): Ditto.
(import_keys_internal): Ditto.
(import_keys_stream): Ditto.
* g10/keyserver.c (keyserver_retrieval_filter): New.
(keyserver_spawn): Pass filter to import_keys_stream()

--
These changes introduces import functions that apply a constraining
filter to imported keys. These filters can verify the fingerprints of
the keys returned before importing them into the keyring, ensuring that
the keys fetched from the keyserver are in fact those selected by the
user beforehand.

Signed-off-by: Stefan Tomanek <tomanek@internet-sicherheit.de>

Re-indention and minor changes by wk.

0001 Make screening of keyserver result work with multi k.patch | (download)

g10/keyserver.c | 67 45 + 22 - 0 !
1 file changed, 45 insertions(+), 22 deletions(-)

 [patch] make screening of keyserver result work with multi-key
 commands.

* g10/keyserver.c (ks_retrieval_filter_arg_s): new.
(keyserver_retrieval_filter): Use new struct and check all
descriptions.
(keyserver_spawn): Pass filter arg suing the new struct.
--

This is a fix for commit 52303043.

The old code did only work for a single key.  It failed as soon as
several keys are specified ("gpg --refresh-keys" or "gpg --recv-key A
B C").

0001 Add kbnode_t for easier backporting.patch | (download)

g10/global.h | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 1/2] add kbnode_t for easier backporting.

* g10/global.h (kbnode_t): New.

0002 gpg Fix regression due to the keyserver import filte.patch | (download)

g10/import.c | 20 10 + 10 - 0 !
g10/keyserver.c | 76 46 + 30 - 0 !
g10/main.h | 4 2 + 2 - 0 !
3 files changed, 58 insertions(+), 42 deletions(-)

 [patch 2/2] gpg: fix regression due to the keyserver import filter.

* g10/keyserver.c (keyserver_retrieval_filter): Change args.  Rewrite
to take subpakets in account.
* g10/import.c (import_one, import_secret_one): Pass keyblock to
filter.
--

GnuPG-bug-id: 1680

Resolved conflicts:
	g10/main.h - s/import_filter/import_filter_t/g

CVE 2014 3591.patch | (download)

cipher/elgamal.c | 63 49 + 14 - 0 !
1 file changed, 49 insertions(+), 14 deletions(-)

 [patch 1/1] use ciphertext blinding for elgamal decryption.

* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
--

CVE-id: CVE-2014-3591

As a countermeasure to a new side-channel attacks on sliding windows
exponentiation we blind the ciphertext for Elgamal decryption.  This
is similar to what we are doing with RSA.

Unfortunately, the performance impact of Elgamal blinding is quite
noticeable: For a 3072 bit Elgamal key the decryption used to take
13ms; with the blinding it takes 24ms.  This has been measured using
time(1), calling gpg with a 100 byte message, and having gpg modified
to run the pubkey_decrypt function 100 times and finally scale the
result (using an i5-2410M CPU @ 2.30GHz TP 220).

CVE 2015 0837.patch | (download)

include/mpi.h | 1 1 + 0 - 0 !
mpi/mpi-pow.c | 93 53 + 40 - 0 !
mpi/mpiutil.c | 28 28 + 0 - 0 !
3 files changed, 82 insertions(+), 40 deletions(-)

 [patch] mpi: avoid data-dependent timing variations in mpi_powm.

* include/mpi.h, mpi/mpiutils.c (mpi_set_cond): New.
* mpi/mpi-pow.c (SIZE_PRECOMP): Rename from SIZE_B_2I3.
(mpi_powm): Access all data in the table and use mpi_set_cond.

--

Access to the precomputed table was indexed by a portion of EXPO,
which could be mounted by a side channel attack.  This change fixes
this particular data-dependent access pattern.

CVE 2015 1606.patch | (download)

g10/keyring.c | 27 23 + 4 - 0 !
1 file changed, 23 insertions(+), 4 deletions(-)

 [patch 1/1] gpg: prevent an invalid memory read using a garbled
 keyring.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
types.
* g10/keydb.c (parse_keyblock_image): Ditto.
--

The keyring DB code did not reject packets which don't belong into a
keyring.  If for example the keyblock contains a literal data packet
it is expected that the processing code stops at the data packet and
reads from the input stream which is referenced from the data packets.
Obviously the keyring processing code does not and cannot do that.
However, when exporting this messes up the IOBUF and leads to an
invalid read of sizeof (int).

We now skip all packets which are not allowed in a keyring.

Reported-by: Hanno Böck <hanno@hboeck.de>

Test data:

  gpg2 --no-default-keyring --keyring FILE --export >/dev/null

With this unpacked data for FILE: