Package: gnupg / 1.4.18-7+deb8u5

Metadata

Package: gnupg
Version: 1.4.18-7+deb8u5
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
fix_760273.patch

doc/gnupg1.info | 2 1 + 1 - 0 !
doc/gpg.texi | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

---
fix_import_filter_regression.patch

g10/global.h | 1 1 + 0 - 0 !
g10/import.c | 20 10 + 10 - 0 !
g10/keyserver.c | 76 46 + 30 - 0 !
g10/main.h | 4 2 + 2 - 0 !
4 files changed, 59 insertions(+), 42 deletions(-)

---
Add build and runtime support for larger RSA key.patch

config.h.in | 3 3 + 0 - 0 !
configure | 26 26 + 0 - 0 !
configure.ac | 16 16 + 0 - 0 !
doc/gpg.texi | 9 9 + 0 - 0 !
g10/gpg.c | 22 21 + 1 - 0 !
g10/keygen.c | 5 3 + 2 - 0 !
g10/options.h | 1 1 + 0 - 0 !
7 files changed, 79 insertions(+), 3 deletions(-)

 [patch] gpg: add build and runtime support for larger rsa keys

* configure.ac: Added --enable-large-secmem option.
* g10/options.h: Add opt.flags.large_rsa.
* g10/gpg.c: Contingent on configure option: adjust secmem size,
add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
* doc/gpg.texi: Document --enable-large-rsa.

--

Some older implementations built and used RSA keys up to 16Kib, but
the larger secret keys now fail when used by more recent GnuPG, due to
secure memory limitations.

Building with ./configure --enable-large-secmem will make gpg
capable of working with those secret keys, as well as permitting the
use of a new gpg option --enable-large-rsa, which lets gpg generate RSA
keys up to 8Kib when used with --batch --gen-key.

Debian-bug-id: 739424

Minor edits by wk.

GnuPG-bug-id: 1732

0003 Update POT file.patch

po/gnupg.pot | 58 29 + 29 - 0 !
1 file changed, 29 insertions(+), 29 deletions(-)

 update pot file

Some string positions (lines in files) changed, thus the comments
change, but there is no actual (functional) change. The purpose is
only to ensure the .gmo files get rebuilt.

0004 Update PO files.patch

po/be.po | 58 29 + 29 - 0 !
po/ca.po | 58 29 + 29 - 0 !
po/cs.po | 58 29 + 29 - 0 !
po/da.po | 58 29 + 29 - 0 !
po/de.po | 58 29 + 29 - 0 !
po/el.po | 58 29 + 29 - 0 !
po/en@boldquot.po | 70 35 + 35 - 0 !
po/en@quot.po | 58 29 + 29 - 0 !
po/eo.po | 58 29 + 29 - 0 !
po/es.po | 58 29 + 29 - 0 !
po/et.po | 58 29 + 29 - 0 !
po/fi.po | 58 29 + 29 - 0 !
po/fr.po | 58 29 + 29 - 0 !
po/gl.po | 58 29 + 29 - 0 !
po/hu.po | 58 29 + 29 - 0 !
po/id.po | 58 29 + 29 - 0 !
po/it.po | 58 29 + 29 - 0 !
po/ja.po | 58 29 + 29 - 0 !
po/nb.po | 58 29 + 29 - 0 !
po/nl.po | 58 29 + 29 - 0 !
po/pl.po | 58 29 + 29 - 0 !
po/pt.po | 58 29 + 29 - 0 !
po/pt_BR.po | 58 29 + 29 - 0 !
po/ro.po | 58 29 + 29 - 0 !
po/ru.po | 58 29 + 29 - 0 !
po/sk.po | 58 29 + 29 - 0 !
po/sv.po | 58 29 + 29 - 0 !
po/tr.po | 58 29 + 29 - 0 !
po/uk.po | 58 29 + 29 - 0 !
po/zh_CN.po | 58 29 + 29 - 0 !
po/zh_TW.po | 58 29 + 29 - 0 !
31 files changed, 905 insertions(+), 905 deletions(-)

 update po files

Follow up of the POT change: only comment noise.

0005 Update French translation.patch

po/fr.po | 142 70 + 72 - 0 !
1 file changed, 70 insertions(+), 72 deletions(-)

 update french translation

0006 Update Danish translation.patch

po/da.po | 28 17 + 11 - 0 !
1 file changed, 17 insertions(+), 11 deletions(-)

 update danish translation

0007 Update Ukrainian translation.patch

po/uk.po | 24 14 + 10 - 0 !
1 file changed, 14 insertions(+), 10 deletions(-)

 update ukrainian translation

0008 Update Russian translation.patch

po/ru.po | 1684 837 + 847 - 0 !
1 file changed, 837 insertions(+), 847 deletions(-)

 update russian translation

0009 Update Chinese traditional translation.patch

po/zh_TW.po | 48 17 + 31 - 0 !
1 file changed, 17 insertions(+), 31 deletions(-)

 update chinese (traditional) translation

0010 Update Italian translation.patch

po/it.po | 4212 1637 + 2575 - 0 !
1 file changed, 1637 insertions(+), 2575 deletions(-)

 update italian translation

0011 Update Polish translation.patch

po/pl.po | 2298 1137 + 1161 - 0 !
1 file changed, 1137 insertions(+), 1161 deletions(-)

 update polish translation

0012 Update Spanish translation.patch

po/es.po | 2474 1248 + 1226 - 0 !
1 file changed, 1248 insertions(+), 1226 deletions(-)

 update spanish translation

0013 Update Dutch translation.patch

po/nl.po | 2876 1488 + 1388 - 0 !
1 file changed, 1488 insertions(+), 1388 deletions(-)

 update dutch translation

0014 Update Czech translation.patch

po/cs.po | 2951 1463 + 1488 - 0 !
1 file changed, 1463 insertions(+), 1488 deletions(-)

 update czech translation

0007 mpi Improve mpi_invm to detect bad input.patch

mpi/mpi-inv.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [patch 07/20] mpi: improve mpi_invm to detect bad input.

* mpi/mpi-inv.c (mpi_invm): Return 0 for bad input.
--

Without this patch the function may enter an endless loop.  This is a
backport from libgcrypt.

GnuPG-bug-id: 1713

0016 gpg Fix a NULL deref for invalid input data.patch

g10/mainproc.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 [patch 16/20] gpg: fix a null-deref for invalid input data.

* g10/mainproc.c (proc_encrypted): Take care of canceled passphrase
entry.
--

GnuPG-bug-id: 1761
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 32e85668b82f6fbcb824eea9548970804fb41d9e)

0017 gpg Fix off by one read in the attribute subpacket p.patch

g10/parse-packet.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [patch 17/20] gpg: fix off-by-one read in the attribute subpacket
 parser.

* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)

0018 gpg Fix use of uninit.value in listing sig subpkts.patch

g10/parse-packet.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 [patch 18/20] gpg: fix use of uninit.value in listing sig subpkts.

* g10/parse-packet.c (dump_sig_subpkt): Print regex subpacket
sanitized.
--

We may not use "%s" to print an arbitrary buffer.  At least "%.*s"
should have been used.  However, it is in general preferable to escape
control characters while printing user data.

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 596ae9f5433ca3b0e01f7acbe06fd2e424c42ae8)

0015 gpg Make the use of verify FILE for detached sigs ha.patch

doc/gpg.texi | 27 17 + 10 - 0 !
g10/main.h | 1 1 + 0 - 0 !
g10/mainproc.c | 38 38 + 0 - 0 !
g10/openfile.c | 89 59 + 30 - 0 !
g10/plaintext.c | 21 14 + 7 - 0 !
5 files changed, 129 insertions(+), 47 deletions(-)

 [patch 15/20] gpg: make the use of "--verify file" for detached sigs
 harder.

* g10/openfile.c (open_sigfile): Factor some code out to ...
(get_matching_datafile): new function.
* g10/plaintext.c (hash_datafiles): Do not try to find matching file
in batch mode.
* g10/mainproc.c (check_sig_and_print): Print a warning if a possibly
matching data file is not used by a standard signature.
--

Allowing the abbreviated form to be used for detached signatures is a
long-standing bug which has only been noticed by the public with the
release of 2.1.0.  :-(

What we do is to remove the ability to check detached signatures in
--batch using the one-file abbreviated mode.  This should exhibit
problems in scripts which use this insecure practice.  We also print a
warning if a matching data file exists but was not considered because
the detached signature was actually a standard signature:

  gpgv: Good signature from "Werner Koch (dist sig)"
  gpgv: WARNING: not a detached signature; \
  file 'gnupg-2.1.0.tar.bz2' was NOT verified!

We can only print a warning because it is possible that a standard
signature is indeed to be verified but by coincidence a file with a
matching name is stored alongside the standard signature.

Reported-by: Simon Nicolussi (to gnupg-users on Nov 7)
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 69384568f66a48eff3968bb1714aa13925580e9f)

Updated doc/gpg.texi.

sync docs with upstream.patch

doc/Makefile.am | 16 3 + 13 - 0 !
doc/gpg.texi | 384 80 + 304 - 0 !
doc/yat2m.c | 102 99 + 3 - 0 !
3 files changed, 182 insertions(+), 320 deletions(-)

---
0019 gpg release DEK soon after its use.patch

g10/keygen.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 19/45] gpg: release dek soon after its use.

* g10/keygen.c (generate_subkeypair): Release DEK soon.

--

This fixes the out_of_core error in the test case of adding
RSA-4096 subkey to RSA-4096 primary key with configuration:

    s2k-cipher-algo S10

Debian-bug-id: 772780

0020 scd fix get_public_key for OpenPGPcard v1.0.patch

g10/app-openpgp.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 20/45] scd: fix get_public_key for openpgpcard v1.0.

* scd/app-openpgp.c (get_public_key): correctly close 'fp' upon use.

--

Inside the get_public_key function, 'fp' was opened using popen, but
incorrectly closed using fclose.

Debian-Bug-Id: 773474

0021 scd Fix possibly inhibited checkpin of the admin pin.patch

g10/app-openpgp.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 21/45] scd: fix possibly inhibited checkpin of the admin pin.

* scd/app-openpgp.c (do_check_pin): Do not check a byte of a released
buffer.

Signed-off-by: Werner Koch <wk@gnupg.org>

0022 gpg Fix possible read of unallocated memory.patch

g10/parse-packet.c | 11 7 + 4 - 0 !
1 file changed, 7 insertions(+), 4 deletions(-)

 [patch 22/45] gpg: fix possible read of unallocated memory

* g10/parse-packet.c (can_handle_critical): Check content length
before calling can_handle_critical_notation.
--

The problem was found by Jan Bee and gniibe proposed the used fix.
Thanks.

This bug can't be exploited: Only if the announced length of the
notation is 21 or 32 a memcmp against fixed strings using that length
would be done.  The compared data is followed by the actual signature
and thus it is highly likely that not even a read of unallocated memory
will happen.  Nevertheless such a bug needs to be fixed.

Signed-off-by: Werner Koch <wk@gnupg.org>

0023 doc Fix memory leak in yat2m.patch

doc/yat2m.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 23/45] doc: fix memory leak in yat2m.

* doc/yat2m.c (write_th): Free NAME.
--

Reported-by: Joshua Rogers <git@internot.info>

0024 avoid future chance of using uninitialized memory.patch

util/iobuf.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 24/45] avoid future chance of using uninitialized memory

* util/iobuf.c: (iobuf_open): initialize len

--

Cherry-pick 367b073ab5f439ccf0750461d10c69f36998bd62.

In iobuf_open, IOBUFCTRL_DESC and IOBUFCTRL_INIT commands are invoked
(via file_filter()) on fcx, passing in a pointer to an uninitialized
len.

With these two commands, file_filter doesn't actually do anything with
the value of len, so there's no actual risk of use of uninitialized
memory in the code as it stands.

However, some static analysis tools might flag this situation with a
warning, and initializing the value doesn't hurt anything, so I think
this trivial cleanup is warranted.

Debian-Bug-Id: 773469

0029 Use ciphertext blinding for Elgamal decryption.patch

cipher/elgamal.c | 63 49 + 14 - 0 !
1 file changed, 49 insertions(+), 14 deletions(-)

 [patch 29/45] use ciphertext blinding for elgamal decryption.

* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
--

CVE-id: CVE-2014-3591

As a countermeasure to new side-channel attacks on sliding-window
exponentiation we blind the ciphertext for Elgamal decryption.  This
is similar to what we are doing with RSA.

Unfortunately, the performance impact of Elgamal blinding is quite
noticeable: For a 3072 bit Elgamal key the decryption used to take
13ms; with the blinding it takes 24ms.  This has been measured using
time(1), calling gpg with a 100 byte message, and having gpg modified
to run the pubkey_decrypt function 100 times and finally scale the
result (using an i5-2410M CPU @ 2.30GHz TP 220).
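To make the countermeasure concrete, here is an added illustration in Python (not libgcrypt's or GnuPG's code) of Elgamal decryption with and without ciphertext blinding. The toy prime, the generator and the exact blind/unblind arithmetic are assumptions chosen for the demo; the unblinding step is the extra exponentiation that blinding adds to the cost of each decryption.

```python
"""Elgamal decryption with ciphertext blinding (added illustration, not
GnuPG/libgcrypt code).  All parameters are constructed for the demo."""
import secrets

# Constructed toy group: a Mersenne prime and an assumed generator.  A real
# key uses a prime of thousands of bits.
P = 2**127 - 1
G = 3


def keygen(x=None):
    """Secret exponent x, public key y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def encrypt(y, m, k=None):
    """Textbook Elgamal: a = g^k, b = m * y^k (mod p)."""
    if k is None:
        k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt_plain(x, a, b):
    """Unblinded: m = b * a^(-x) mod p.  The secret exponent x is applied
    directly to a, a value the sender (or an attacker) chose."""
    return (b * pow(pow(a, x, P), -1, P)) % P


def decrypt_blinded(x, a, b, r=None):
    """Ciphertext blinding: exponentiate (a * r) instead of a, where r is a
    fresh random value unknown to the attacker, so the operand-dependent
    memory and timing behaviour of the exponentiation is uncorrelated
    with the attacker's choice of a.  Unblinding multiplies by r^x:
        b * (a*r)^(-x) * r^x = b * a^(-x) mod p
    """
    if r is None:
        r = secrets.randbelow(P - 2) + 1      # 1 <= r < p, so invertible
    t = (a * r) % P                            # blind the ciphertext part
    t = pow(pow(t, x, P), -1, P)               # (a*r)^(-x)
    m = (b * t) % P                            # equals m * r^(-x)
    return (m * pow(r, x, P)) % P              # remove the blinding factor


def demo(m):
    """Encrypt m with a fresh key and decrypt both ways; returns the pair."""
    x, y = keygen()
    a, b = encrypt(y, m)
    return decrypt_plain(x, a, b), decrypt_blinded(x, a, b)
```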

0032 gpg Limit the size of key packets to a sensible valu.patch

g10/parse-packet.c | 30 28 + 2 - 0 !
1 file changed, 28 insertions(+), 2 deletions(-)

 [patch 32/45] gpg: limit the size of key packets to a sensible value.

* g10/parse-packet.c (MAX_KEY_PACKET_LENGTH): New.
(MAX_UID_PACKET_LENGTH): New.
(MAX_COMMENT_PACKET_LENGTH): New.
(MAX_ATTR_PACKET_LENGTH): New.
(parse_key): Limit the size of a key packet to 256k.
(parse_user_id): Use macro for the packet size limit.
(parse_attribute): Ditto.
(parse_comment): Ditto.
--

Without that it is possible to force gpg to allocate large amounts of
memory by using a badly encoded MPI.  This would be a too easy DoS.
Another way to mitigate would be to change the MPI read function to
allocate memory dynamically while reading the MPI.  However, that
complicates and possibly slows down the code.  A too large key packet
is in any case a sign of broken data and thus gpg should not use it.

Reported-by: Hanno Böck
GnuPG-bug-id: 1823
Signed-off-by: Werner Koch <wk@gnupg.org>

(back ported from commit 382ba4b137b42d5f25a7e256bb7c053ee5ac7b64)

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

0033 gpg Fix a NULL deref due to empty ring trust packets.patch

g10/parse-packet.c | 10 7 + 3 - 0 !
1 file changed, 7 insertions(+), 3 deletions(-)

 [patch 33/45] gpg: fix a null-deref due to empty ring trust packets.

* g10/parse-packet.c (parse_trust): Always allocate a packet.
--

Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Werner Koch <wk@gnupg.org>

(back ported from commit 39978487863066e59bb657f5fe4e8baab510da7e)

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

0034 gpg Fix a NULL deref in export due to invalid packet.patch

g10/build-packet.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch 34/45] gpg: fix a null-deref in export due to invalid packet
 lengths.

* g10/build-packet.c (write_fake_data): Take care of a NULL stored as
opaque MPI.
--

Reported-by: Hanno Böck <hanno@hboeck.de>

(back ported from commit 0835d2f44ef62eab51fce6a927908f544e01cf8f)

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

0035 gpg Prevent an invalid memory read using a garbled k.patch

g10/keyring.c | 24 21 + 3 - 0 !
1 file changed, 21 insertions(+), 3 deletions(-)

 [patch 35/45] gpg: prevent an invalid memory read using a garbled
 keyring.

* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
types.
--

The keyring DB code did not reject packets which don't belong in a
keyring.  If for example the keyblock contains a literal data packet
it is expected that the processing code stops at the data packet and
reads from the input stream which is referenced from the data packets.
Obviously the keyring processing code does not and cannot do that.
However, when exporting this messes up the IOBUF and leads to an
invalid read of sizeof (int).

We now skip all packets which are not allowed in a keyring.

Reported-by: Hanno Böck <hanno@hboeck.de>

(back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648)

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

0036 doc Change remaining http links to gnupg.org to http.patch

doc/gpg.texi | 2 1 + 1 - 0 !
g10/misc.c | 4 2 + 2 - 0 !
g10/sig-check.c | 2 1 + 1 - 0 !
3 files changed, 4 insertions(+), 4 deletions(-)

 [patch 36/45] doc: change remaining http links to gnupg.org to https

--
GnuPG-bug-id: 1830

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

0037 Use inline functions to convert buffer data to scala.patch

g10/apdu.c | 27 12 + 15 - 0 !
g10/app-openpgp.c | 3 2 + 1 - 0 !
g10/build-packet.c | 6 3 + 3 - 0 !
g10/ccid-driver.c | 3 2 + 1 - 0 !
g10/getkey.c | 17 9 + 8 - 0 !
g10/keygen.c | 14 6 + 8 - 0 !
g10/keyid.c | 28 11 + 17 - 0 !
g10/misc.c | 11 0 + 11 - 0 !
g10/parse-packet.c | 41 21 + 20 - 0 !
g10/tdbio.c | 22 11 + 11 - 0 !
g10/trustdb.c | 2 1 + 1 - 0 !
include/host2net.h | 80 70 + 10 - 0 !
12 files changed, 148 insertions(+), 106 deletions(-)

 [patch 37/45] use inline functions to convert buffer data to scalars.

* include/host2net.h (buf16_to_ulong, buf16_to_uint): New.
(buf16_to_ushort, buf16_to_u16): New.
(buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New.
--

This fixes sign extension on shift problems.  Hanno Böck found a case
with an invalid read due to this problem.  To fix that almost all uses
of "<< 24" and "<< 8" are changed by this patch to use an inline
function from host2net.h.

(back ported from commit 2183683bd633818dd031b090b5530951de76f392)

Signed-off-by: Werner Koch <wk@gnupg.org>

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

0039 curl shim clean up varargs.patch

keyserver/curl-shim.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch 39/45] curl-shim: clean up varargs

* keyserver/curl-shim.c (curl_easy_setopt) : ensure that va_end is
  called.

--

stdarg(3) says:
      Each invocation of va_start() must be matched by a
      corresponding invocation of va_end() in the same function.

Observed by Joshua Rogers <honey@internot.info>

Debian-Bug-Id: #773475

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

0041 gpg Fix segv due to NULL value stored as opaque MPI.patch

g10/build-packet.c | 6 4 + 2 - 0 !
g10/keyid.c | 8 6 + 2 - 0 !
2 files changed, 10 insertions(+), 4 deletions(-)

 [patch 41/45] gpg: fix segv due to null value stored as opaque mpi

* g10/build-packet.c (do_secret_key): Check for NULL return from
gcry_mpi_get_opaque.
* g10/keyid.c (hash_public_key): Ditto.
--

This is a backport of 76c8122adfed0f0f443cce7bda702ba2b39661b3 from
master to the STABLE-BRANCH-1-4

On the STABLE-BRANCH-1-4, we may also want to patch g10/seckey-cert.c,
but that has not been done in this patch.

This fix extends commit 0835d2f44ef62eab51fce6a927908f544e01cf8f.

  gpg2 --export --no-default-keyring --keyring TESTDATA

With TESTDATA being below after unpacking.


0042 Protect against NULL return of mpi_get_opaque.patch

g10/seckey-cert.c | 17 12 + 5 - 0 !
1 file changed, 12 insertions(+), 5 deletions(-)

 [patch 42/45] protect against null return of mpi_get_opaque.

* g10/seckey-cert.c (do_check): Call BUG for NULL return of
get_opaque.
--

This is the suggested addition from commit 6f03218.  We better run
into a fatal error than into a segv.

Signed-off-by: Werner Koch <wk@gnupg.org>

0043 doc Add warning note about not acting as an oracle t.patch

doc/gpg.texi | 23 17 + 6 - 0 !
1 file changed, 17 insertions(+), 6 deletions(-)

 [patch 43/45] doc: add warning note about not acting as an oracle to
 --batch.

--

0044 mpi Avoid data dependent timing variations in mpi_po.patch

include/mpi.h | 1 1 + 0 - 0 !
mpi/mpi-pow.c | 93 53 + 40 - 0 !
mpi/mpiutil.c | 28 28 + 0 - 0 !
3 files changed, 82 insertions(+), 40 deletions(-)

 [patch 44/45] mpi: avoid data-dependent timing variations in
 mpi_powm.

* include/mpi.h, mpi/mpiutils.c (mpi_set_cond): New.
* mpi/mpi-pow.c (SIZE_PRECOMP): Rename from SIZE_B_2I3.
(mpi_powm): Access all data in the table and use mpi_set_cond.

--

Access to the precomputed table was indexed by a portion of EXPO,
which could be mounted by a side channel attack.  This change fixes
this particular data-dependent access pattern.

0045 g10 fix cmp_public_key and cmp_secret_keys.patch

g10/free-packet.c | 22 14 + 8 - 0 !
mpi/mpi-cmp.c | 16 16 + 0 - 0 !
2 files changed, 30 insertions(+), 8 deletions(-)

 g10: fix cmp_public_key and cmp_secret_keys.

* g10/free-packet.c (cmp_public_keys, cmp_secret_keys): Compare opaque
data at the first entry of the array when it's unknown algo.
* mpi/mpi-cmp.c (mpi_cmp): Backport libgcrypt 1.5.0's semantics.

--

(backported from 2.0 commit 43429c7869152f301157e4b24790b3801dce0f0a)

GnuPG-bug-id: 1962

0046 cipher Improve readability by using a macro.patch

cipher/random.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 1/2] cipher: improve readability by using a macro.

* cipher/random.c (mix_pool): Use DIGESTLEN instead of 20.

Signed-off-by: Werner Koch <wk@gnupg.org>

0047 random Hash continuous areas in the csprng pool.patch

cipher/random.c | 15 7 + 8 - 0 !
1 file changed, 7 insertions(+), 8 deletions(-)

 [patch 2/2] random: hash continuous areas in the csprng pool.

* cipher/random.c (mix_pool): Store the first hash at the end of the
pool.
--

This fixes a long standing bug (since 1998) in Libgcrypt and GnuPG.
An attacker who obtains 580 bytes of the random number from the
standard RNG can trivially predict the next 20 bytes of output.

This bug does not affect the default generation of
keys because running gpg for key creation creates at most 2 keys from
the pool: For a single 4096 bit RSA key 512 bytes of random are
required and thus for the second key (encryption subkey), 20 bytes
could be predicted from the first key.  However, the security of
an OpenPGP key depends on the primary key (which was generated first)
and thus the 20 predictable bytes should not be a problem.  For the
default key length of 2048 bit nothing will be predictable.

For the former default of DSA+Elgamal key it is complicated to give an
answer: For 2048 bit keys a pool of 30 non-secret candidate primes of
about 300 bits each is first created.  This reads at least 1140 bytes
from the pool and thus parts could be predicted.  At some point a 256
bit secret is read from the pool; which in the worst case might be
partly predictable.

The bug was found and reported by Felix Dörre and Vladimir Klebanov,
Karlsruhe Institute of Technology.  A paper describing the problem in
detail will shortly be published.

CVE-id: CVE-2016-6313
Signed-off-by: Werner Koch <wk@gnupg.org>

0048 gpgv Tweak default options for extra security.patch

g10/gpgv.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] gpgv: tweak default options for extra security.

* g10/gpgv.c (main): Set opt.no_sig_cache, so that it doesn't depend on
cached status.  Similarly, set opt.flags.require_cross_cert for backsig
validation for subkey signature.

--

(backport of master
commit e32c575e0f3704e7563048eea6d26844bdfc494b)

It is common that an organization distributes binary keyrings with
signature cache (Tag 12, Trust Packet) and people use gpgv to validate
signature with such keyrings.  In such a use case, it is possible that
the key validation itself is skipped.

For the purpose of gpgv validation of signatures, we should not depend
on signature cache in keyrings (if any), but we should validate the key
by its self signature for primary key, and back signature for subkey.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

0049 g10 Fix checking key for signature validation.patch

g10/sig-check.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] g10: fix checking key for signature validation.

* g10/sig-check.c (signature_check2): Not only subkey, but also primary
key should have flags.valid=1.

--

(backport of master
commit 6f284e6ed63f514b15fe610f490ffcefc87a2164)

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

security/CVE 2017 7526 rsa Add exponent blinding.patch

cipher/rsa.c | 33 29 + 4 - 0 !
1 file changed, 29 insertions(+), 4 deletions(-)

 cve-2017-7526: rsa: add exponent blinding.

* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
nonce R for mpi_powm computation.

--

Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
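The exponent blinding named in this ChangeLog entry, as an added Python illustration that is not libgcrypt's or GnuPG's code: each CRT half-exponent is replaced by d_i + r*(p-1) with a fresh random r before the exponentiation, which leaves the result unchanged but makes the square-and-multiply sequence differ on every call. The toy primes (the 10000th and 100000th primes), the 64-bit nonce width and the dictionary layout are assumptions for the demo.

```python
"""RSA-CRT private operation with exponent blinding (added illustration,
not libgcrypt/GnuPG code).  The key is constructed from small primes."""
import secrets

# Constructed toy primes (10000th and 100000th primes); real keys use
# primes of 1024 bits and more.
P, Q, E = 104729, 1299709, 65537


def make_key(p=P, q=Q, e=E):
    """Derive the values a CRT implementation keeps: d, dp, dq, qinv."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def blind_exponent(d_i, order, nbits=64):
    """Return d_i + r * order for a fresh random nonce r (assumed 64 bits).
    Because c^order == 1 (mod prime) whenever gcd(c, prime) == 1, and
    0^anything == 0 otherwise, the exponentiation result is unchanged
    while the bit pattern walked by square-and-multiply is fresh."""
    r = secrets.randbits(nbits) | 1            # nonzero nonce
    return d_i + r * order


def crt_decrypt(key, c, blind=True):
    """Garner's CRT recombination of c^d mod n from the two half-powers;
    with blind=True both half-exponents are blinded first."""
    p, q = key["p"], key["q"]
    dp, dq = key["dp"], key["dq"]
    if blind:
        dp = blind_exponent(dp, p - 1)
        dq = blind_exponent(dq, q - 1)
    m1 = pow(c % p, dp, p)                     # c^dp mod p
    m2 = pow(c % q, dq, q)                     # c^dq mod q
    h = (key["qinv"] * (m1 - m2)) % p
    return m2 + h * q


def demo(m):
    """Encrypt m and recover it three ways: blinded CRT, plain CRT and
    the reference c^d mod n; returns the triple."""
    key = make_key()
    c = pow(m, key["e"], key["n"])
    return (crt_decrypt(key, c, blind=True),
            crt_decrypt(key, c, blind=False),
            pow(c, key["d"], key["n"]))
```

The case c ≡ 0 (mod p), where Fermat's identity does not apply, is covered because 0 raised to the blinded exponent is still 0.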

security/CVE 2017 7526 rsa Allow different build directory.patch

cipher/Makefile.am | 2 1 + 1 - 0 !
cipher/Makefile.in | 2 1 + 1 - 0 !
cipher/rsa.c | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 cve-2017-7526: rsa: allow different build directory.

* cipher/Makefile.am (AM_CPPFLAGS): Add mpi dirs.
* cipher/rsa.c: Change include file.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

security/CVE 2017 7526 rsa Reduce secmem pressure.patch

cipher/rsa.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 cve-2017-7526: rsa: reduce secmem pressure.

* cipher/rsa.c (secret): Don't keep secmem.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

security/CVE 2017 7526 mpi Simplify mpi_powm.patch

mpi/mpi-pow.c | 103 30 + 73 - 0 !
1 file changed, 30 insertions(+), 73 deletions(-)

 cve-2017-7526: mpi: simplify mpi_powm.

* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.

--

(backport of libgcrypt master commit:
 719468e53133d3bdf12156c5bfdea2bf15f9f6f1)

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit b38f4489f75e6e435886aa885807738a22c7ff60)

security/CVE 2017 7526 mpi Same computation for square and multipl.patch

mpi/mpi-pow.c | 72 38 + 34 - 0 !
1 file changed, 38 insertions(+), 34 deletions(-)

 cve-2017-7526: mpi: same computation for square and multiply for
 mpi_pow.

* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size.  Move
the assignment to base_u into the loop.  Copy content referred by RP to
BASE_U except the last of the loop.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

(backport commit of libgcrypt master:
78130828e9a140a9de4dafadbc844dbb64cb709a)

(cherry picked from commit 12029f83fd0ab3e8ad524f6c9135854662fddfd1)

security/CVE 2017 7526 mpi Minor fix for mpi_pow.patch

mpi/mpi-pow.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 cve-2017-7526: mpi: minor fix for mpi_pow.

* mpi/mpi-pow.c (mpi_powm): Fix allocation size.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 554ded4854758bf6ca268432fa087f946932a409)

gpg Sanitize diagnostic with the original file name.patch

g10/mainproc.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 gpg: sanitize diagnostic with the original file name.