[arch-commits] Commit in crypto++/trunk (CVE-2015-2141.patch PKGBUILD)

[Allan McRae]

    Date: Friday, July 24, 2015 @ 13:57:33
  Author: allan
Revision: 242478

upgpkg: crypto++ 5.6.2-3

fix CVE-2015-2141

Added:
  crypto++/trunk/CVE-2015-2141.patch
Modified:
  crypto++/trunk/PKGBUILD

---------------------+
 CVE-2015-2141.patch |   32 ++++++++++++++++++++++++++++++++
 PKGBUILD            |    8 +++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

Added: CVE-2015-2141.patch
===================================================================
--- CVE-2015-2141.patch                         (rev 0)
+++ CVE-2015-2141.patch 2015-07-24 11:57:33 UTC (rev 242478)
@@ -0,0 +1,32 @@
+From 9425e16437439e68c7d96abef922167d68fafaff Mon Sep 17 00:00:00 2001
+From: Jeffrey Walton <noloa...@gmail.com>
+Date: Sat, 27 Jun 2015 17:56:01 -0400
+Subject: [PATCH] Fix for CVE-2015-2141. Thanks to Evgeny Sidorov for
+ reporting. Squaring to satisfy Jacobi requirements suggested by JPM.
+
+---
+ rw.cpp | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/rw.cpp b/rw.cpp
+index cdd9f2d..0b9318b 100644
+--- a/rw.cpp
++++ b/rw.cpp
+@@ -126,10 +126,16 @@ Integer 
InvertibleRWFunction::CalculateInverse(RandomNumberGenerator &rng, const
+       DoQuickSanityCheck();
+       ModularArithmetic modn(m_n);
+       Integer r, rInv;
+-      do {    // do this in a loop for people using small numbers for testing
++
++      // do this in a loop for people using small numbers for testing
++      do {
+               r.Randomize(rng, Integer::One(), m_n - Integer::One());
++              // Fix for CVE-2015-2141. Thanks to Evgeny Sidorov for 
reporting.
++              // Squaring to satisfy Jacobi requirements suggested by JPM.
++              r = modn.Square(r);
+               rInv = modn.MultiplicativeInverse(r);
+       } while (rInv.IsZero());
++
+       Integer re = modn.Square(r);
+       re = modn.Multiply(re, x);                      // blind
+ 

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2015-07-24 06:56:26 UTC (rev 242477)
+++ PKGBUILD    2015-07-24 11:57:33 UTC (rev 242478)
@@ -8,7 +8,7 @@
 pkgname=crypto++
 pkgver=5.6.2
 _srcver=562
-pkgrel=2
+pkgrel=3
 pkgdesc="A free C++ class library of cryptographic schemes"
 arch=('i686' 'x86_64')
 url="http://www.cryptopp.com/";
@@ -16,10 +16,16 @@
 depends=('gcc-libs')
 makedepends=('unzip')
 source=("http://www.cryptopp.com/cryptopp${_srcver}.zip";
+       'CVE-2015-2141.patch'
         'libcrypto++.pc')
 md5sums=('7ed022585698df48e65ce9218f6c6a67'
+         '7ff9a215b9244b4f8a17c7185e27beda'
          '46de3847c59ad16456fa863eb33e73b2')
 
+prepare() {
+  patch -p1 -i ${srcdir}/CVE-2015-2141.patch
+}
+
 build() {
   sed -i -e 's/^CXXFLAGS/#CXXFLAGS/' GNUmakefile
   export CXXFLAGS="${CXXFLAGS} -DNDEBUG -fPIC"