Hello community,

here is the log from the commit of package libcryptopp for openSUSE:Factory checked in at 2015-07-12 22:53:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libcryptopp (Old)
 and      /work/SRC/openSUSE:Factory/.libcryptopp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcryptopp" Changes: -------- --- /work/SRC/openSUSE:Factory/libcryptopp/libcryptopp.changes 2014-09-25 08:43:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libcryptopp.new/libcryptopp.changes 2015-07-12 22:53:29.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Jul 8 08:01:11 UTC 2015 - [email protected] + +- prevent timing attack to get secret key (bnc#936435, CVE-2015-2141) + add libcryptopp-CVE-2015-2141.patch + +------------------------------------------------------------------- New: ---- libcryptopp-CVE-2015-2141.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcryptopp.spec ++++++ --- /var/tmp/diff_new_pack.GTIXQp/_old 2015-07-12 22:53:30.000000000 +0200 +++ /var/tmp/diff_new_pack.GTIXQp/_new 2015-07-12 22:53:30.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package libcryptopp # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -41,6 +41,8 @@ Patch3: libcryptopp-m68k.patch # PATCH-BUILDFIX-OPENSUSE 0001-disable_os_rng_test.patch [email protected] -- disable OS Random Number Generator test Patch4: 0001-disable_os_rng_test.patch +# PATCH-FIX-UPSTREAM +Patch5: libcryptopp-CVE-2015-2141.patch BuildRequires: gcc-c++ BuildRequires: pkg-config BuildRequires: unzip @@ -78,6 +80,7 @@ %patch2 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build make %{?_smp_mflags} \ ++++++ libcryptopp-CVE-2015-2141.patch ++++++ >From 9425e16437439e68c7d96abef922167d68fafaff Mon Sep 17 00:00:00 2001 From: Jeffrey Walton <[email protected]> Date: Sat, 27 Jun 2015 17:56:01 -0400 Subject: [PATCH] Fix for CVE-2015-2141. Thanks to Evgeny Sidorov for reporting. Squaring to satisfy Jacobi requirements suggested by JPM. --- rw.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/rw.cpp b/rw.cpp index cdd9f2d..0b9318b 100644 --- a/rw.cpp +++ b/rw.cpp @@ -126,10 +126,16 @@ Integer InvertibleRWFunction::CalculateInverse(RandomNumberGenerator &rng, const DoQuickSanityCheck(); ModularArithmetic modn(m_n); Integer r, rInv; - do { // do this in a loop for people using small numbers for testing + + // do this in a loop for people using small numbers for testing + do { r.Randomize(rng, Integer::One(), m_n - Integer::One()); + // Fix for CVE-2015-2141. Thanks to Evgeny Sidorov for reporting. + // Squaring to satisfy Jacobi requirements suggested by JPM. + r = modn.Square(r); rInv = modn.MultiplicativeInverse(r); } while (rInv.IsZero()); + Integer re = modn.Square(r); re = modn.Multiply(re, x); // blind
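Review bot: In the libcryptopp.spec hunk at @@ -41,6 +41,8 @@, the new "# PATCH-FIX-UPSTREAM" comment is a bare tag, while the Patch4 comment directly above it carries the patch file name, an author address and a "--" description. Suggest giving the Patch5 comment the same shape, naming libcryptopp-CVE-2015-2141.patch and repeating the bnc#936435 / CVE-2015-2141 reference from the .changes entry, so the reason for the patch is visible from the spec file alone.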
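Review bot: In the rw.cpp hunk, the comment added above "r = modn.Square(r);" gives the CVE number and the credits but not the property the squaring establishes, and the unchanged context line "Integer re = modn.Square(r);" squares r again right after the loop, so the new line can read as redundant to a later maintainer and be removed in a cleanup. Suggest stating the invariant in the comment itself: the blinding value r is replaced by a square modulo m_n (hence Jacobi symbol 1, the "Jacobi requirements" the commit message refers to) before rInv is computed, and rInv is the inverse of that squared value. The diffstat also shows rw.cpp as the only file changed, so nothing in this patch exercises CalculateInverse after the change; a regression test alongside the fix would guard against that line being dropped.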
