Hello community,

here is the log from the commit of package libcryptopp for openSUSE:Factory checked in at 2026-01-14 16:24:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libcryptopp (Old)
 and      /work/SRC/openSUSE:Factory/.libcryptopp.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libcryptopp" Wed Jan 14 16:24:29 2026 rev:44 rq:1327180 version:8.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libcryptopp/libcryptopp.changes 2025-10-24 17:25:27.712529005 +0200 +++ /work/SRC/openSUSE:Factory/.libcryptopp.new.1928/libcryptopp.changes 2026-01-14 16:24:56.721583970 +0100 @@ -1,0 +2,8 @@ +Wed Jan 14 09:08:04 UTC 2026 - Angel Yankov <[email protected]> + +- Security fix [bsc#1218217, CVE-2023-50979] + * Fix side-channel leakage during decryption with PKCS#1v1.5 padding + * Added patch libcryptopp-CVE-2023-50979.patch + * https://github.com/Coralesoft/cryptopp/commit/0923d82f5c3ac8cf6c99108be2ad9260f2a61f6c + +------------------------------------------------------------------- New: ---- libcryptopp-CVE-2023-50979.patch ----------(New B)---------- New: * Fix side-channel leakage during decryption with PKCS#1v1.5 padding * Added patch libcryptopp-CVE-2023-50979.patch * https://github.com/Coralesoft/cryptopp/commit/0923d82f5c3ac8cf6c99108be2ad9260f2a61f6c ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcryptopp.spec ++++++ --- /var/tmp/diff_new_pack.lOk4Cv/_old 2026-01-14 16:24:57.901633296 +0100 +++ /var/tmp/diff_new_pack.lOk4Cv/_new 2026-01-14 16:24:57.901633296 +0100 @@ -1,7 +1,7 @@ # # spec file for package libcryptopp # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -59,6 +59,8 @@ Patch3: libcryptopp-CVE-2023-50981.patch # PATCH-FIX-SUSE: [bsc#1224280] CVE-2024-28285 potential leak of secret key of ElGamal encryption via fault injection Patch4: libcryptopp-CVE-2024-28285.patch +# PATCH-FIX-UPSTREAM: [bsc#1218217, CVE-2023-50979] side-channel leakage during decryption with PKCS#1v1.5 padding (marvin ) +Patch5: libcryptopp-CVE-2023-50979.patch BuildRequires: dos2unix BuildRequires: gcc-c++ BuildRequires: pkgconfig ++++++ libcryptopp-CVE-2023-50979.patch ++++++ >From 0923d82f5c3ac8cf6c99108be2ad9260f2a61f6c Mon Sep 17 00:00:00 2001 From: CoraleSoft <[email protected]> Date: Sun, 26 Oct 2025 17:43:39 +1300 Subject: [PATCH] Fix timing attack in PKCS1v15 padding validation Replaces variable-time separator search with constant-time implementation to mitigate Marvin Attack (CVE-2022-4304). Uses bitwise operations to avoid data-dependent timing leaks. Fixes three timing vulnerabilities: - Variable-time while loop - Early return on invalid padding - Variable-length memcpy operation Fixes #1247 --- pkcspad.cpp | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/pkcspad.cpp b/pkcspad.cpp index 7f5cd2099..456e52015 100644 --- a/pkcspad.cpp +++ b/pkcspad.cpp 
@@ -100,20 +100,40 @@ DecodingResult PKCS_EncryptionPaddingScheme::Unpad(const byte *pkcsBlock, size_t // Require block type 2. invalid = (pkcsBlock[0] != 2) || invalid; - // skip past the padding until we find the separator - size_t i=1; - while (i<pkcsBlockLen && pkcsBlock[i++]) { // null body - } + // Constant-time separator search to mitigate timing attacks (Marvin Attack, CVE-2022-4304) + // Scan every byte to find first zero separator without variable-time loop termination + size_t separatorIndex = 0; + size_t foundSeparator = 0; + + for (size_t j = 1; j < pkcsBlockLen; j++) + { + // Check if current byte is zero (separator) + size_t isZero = (pkcsBlock[j] == 0) ? 1 : 0; + size_t notFoundYet = 1 - foundSeparator; + + // Constant-time conditional: record position using bitwise ops + // Equivalent to: if (isZero && notFoundYet) separatorIndex = j; + size_t mask = -(isZero & notFoundYet); // all 1s if true, all 0s if false + separatorIndex = (separatorIndex & ~mask) | (j & mask); + + // Mark that we found a separator + foundSeparator |= isZero; + } + + // Position after the separator + size_t i = separatorIndex + 1; CRYPTOPP_ASSERT(i==pkcsBlockLen || pkcsBlock[i-1]==0); size_t outputLen = pkcsBlockLen - i; invalid = (outputLen > maxOutputLen) || invalid; + invalid = (foundSeparator == 0) || invalid; // No separator found - if (invalid) - return DecodingResult(); - + // Always perform memcpy to avoid timing leak from early return + // This ensures both valid and invalid padding take the same code path std::memcpy (output, pkcsBlock+i, outputLen); - return DecodingResult(outputLen); + + // Return error on invalid padding, otherwise return decoded length + return invalid ? DecodingResult() : DecodingResult(outputLen); } // ********************************************************
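
Review bot: The libcryptopp.changes entry files this fix under CVE-2023-50979, while the imported patch's commit message and its new code comments name CVE-2022-4304 for the Marvin Attack. Add a line to the changelog entry or to the patch header stating that the patch text cites a different CVE identifier, so a later audit does not read the mismatch as the wrong patch having been applied.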
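
Review bot: In the libcryptopp.spec hunk at @@ -59,6 +59,8, the new comment is tagged PATCH-FIX-UPSTREAM, but the changelog entry links the commit under github.com/Coralesoft/cryptopp. If that repository is a fork rather than the project's upstream, the tag should reflect that (Patch4 just above uses PATCH-FIX-SUSE), or the comment should point at the upstream commit or pull request. The trailing "(marvin )" also carries a stray space and would read better as "(Marvin Attack)".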
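
Review bot: In the pkcspad.cpp hunk, the now-unconditional `std::memcpy (output, pkcsBlock+i, outputLen);` runs even when `outputLen > maxOutputLen` has just set `invalid`, so a malformed block can copy more than `maxOutputLen` bytes into `output`; assuming the caller sizes `output` to `maxOutputLen`, that is an out-of-bounds write that the removed `if (invalid) return DecodingResult();` used to prevent. The no-separator case reaches it directly: `separatorIndex` stays 0, `i` becomes 1 and `outputLen` is `pkcsBlockLen - 1`. Clamp the copy length to `maxOutputLen` without branching (for example with the same mask technique used for `separatorIndex`) before calling memcpy. In that same case the unchanged `CRYPTOPP_ASSERT(i==pkcsBlockLen || pkcsBlock[i-1]==0)` checks `pkcsBlock[0]`, which is 2 for a block that passed the type check, so debug builds will assert on attacker-supplied input; the assert should be dropped or made conditional on `foundSeparator`. The copy length also still depends on `outputLen`, so the "variable-length memcpy" item in the commit message is not actually addressed, and `(pkcsBlock[j] == 0) ? 1 : 0` leaves it to the compiler whether a branch is emitted.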
