Dear gnupg maintainers, I just looked into fixing CVE-2017-7526 for gnupg in wheezy. Based on https://dev.gnupg.org/D438 I backported what I deemed are the necessary patches. Does this look sane?
It'd be great if you could have a look at the attached debdiff. If this looks sane I'm happy to port things over as well, as the patches should apply to that version too. Cheers, -- Guido
diff --git a/debian/changelog b/debian/changelog
index adf00944..d6848d64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+gnupg (1.4.12-7+deb7u9) wheezy-security; urgency=medium
+
+ * Backport fixes for CVE-2017-7526 from STABLE-BRANCH-1-4 branch
+
+ -- Guido Günther <[email protected]> Mon, 28 Aug 2017 11:59:38 +0200
+
 gnupg (1.4.12-7+deb7u8) wheezy-security; urgency=high
 
 * Non-maintainer upload by the Debian LTS Team.
diff --git a/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch b/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
new file mode 100644
index 00000000..9c98ca5f
--- /dev/null
+++ b/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
@@ -0,0 +1,71 @@
+From: Marcus Brinkmann <[email protected]>
+Date: Fri, 7 Jul 2017 21:03:10 +0900
+Subject: CVE-2017-7526: rsa: Add exponent blinding.
+
+* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
+nonce R for mpi_powm computation.
+
+--
+
+Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.
+
+Signed-off-by: Marcus Brinkmann <[email protected]>
+---
+ cipher/rsa.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index c4d5161..78a6f87 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -29,6 +29,7 @@
+ #include <string.h>
+ #include "util.h"
+ #include "mpi.h"
++#include "../mpi/mpi-internal.h"
+ #include "cipher.h"
+ #include "rsa.h"
+
+@@ -325,14 +326,38 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
+ # endif /* USE_BLINDING */
+
+ /* RSA secret operation: */
+- /* m1 = c ^ (d mod (p-1)) mod p */
++ MPI D_blind = mpi_alloc_secure (nlimbs);
++ MPI rr;
++ unsigned int rr_nbits;
++
++ rr_nbits = mpi_get_nbits (skey->p) / 4;
++ if (rr_nbits < 96)
++ rr_nbits = 96;
++ rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
++
++ /* d_blind = (d mod (p-1)) + (p-1) * r */
++ /* m1 = c ^ d_blind mod p */
++ randomize_mpi (rr, rr_nbits, 0);
++ mpi_set_highbit (rr, rr_nbits - 1);
+ mpi_sub_ui( h, skey->p, 1 );
++ mpi_mul ( D_blind, h, rr );
+ mpi_fdiv_r( h, skey->d, h );
+- mpi_powm( m1, input, h, skey->p );
+- /* m2 = c ^ (d mod (q-1)) mod q */
++ mpi_add ( D_blind, D_blind, h );
++ mpi_powm ( m1, input, D_blind, skey->p );
++
++ /* d_blind = (d mod (q-1)) + (q-1) * r */
++ /* m2 = c ^ d_blind mod q */
++ randomize_mpi (rr, rr_nbits, 0);
++ mpi_set_highbit (rr, rr_nbits - 1);
+ mpi_sub_ui( h, skey->q, 1 );
++ mpi_mul ( D_blind, h, rr );
+ mpi_fdiv_r( h, skey->d, h );
+- mpi_powm( m2, input, h, skey->q );
++ mpi_add ( D_blind, D_blind, h );
++ mpi_powm ( m2, input, D_blind, skey->q );
++
++ mpi_free ( rr );
++ mpi_free ( D_blind );
++
+ /* h = u * ( m2 - m1 ) mod q */
+ mpi_sub( h, m2, m1 );
+ if ( mpi_is_neg( h ) )
diff --git a/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch b/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
new file mode 100644
index 00000000..c66ad3dd
--- /dev/null
+++ b/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
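Review bot: The two `mpi_set_highbit (rr, rr_nbits - 1)` calls carry the security argument of this hunk yet have no comment, and a later reader could drop them as redundant after `randomize_mpi`. I would put above the first one `/* Force r to exactly rr_nbits bits: a short or zero r would leave the blinded exponent with a key-dependent length and weaken the blinding. */` (assuming mpi_set_highbit sets bit n and clears everything above it, as in libgcrypt), and at `rr_nbits = mpi_get_nbits (skey->p) / 4` note that the width and the 96-bit floor follow the libgcrypt commit named in the message. The blinding is only as good as `randomize_mpi (rr, rr_nbits, 0)` being unpredictable to a local attacker; level 0 presumably selects the weak pool here, which matches what upstream uses for blinding, but that mapping is worth confirming in the 1.4.12 tree. The enclosing `secret()` starts and ends outside the hunk.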
@@ -0,0 +1,53 @@
+From: NIIBE Yutaka <[email protected]>
+Date: Fri, 7 Jul 2017 21:20:56 +0900
+Subject: CVE-2017-7526: rsa: Allow different build directory.
+
+* cipher/Makefile.am (AM_CPPFLAGS): Add mpi dirs.
+* cipher/rsa.c: Change include file.
+
+Signed-off-by: NIIBE Yutaka <[email protected]>
+---
+ cipher/Makefile.am | 2 +-
+ cipher/Makefile.in | 2 +-
+ cipher/rsa.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/cipher/Makefile.am b/cipher/Makefile.am
+index a10af20..92ffe90 100644
+--- a/cipher/Makefile.am
++++ b/cipher/Makefile.am
+@@ -17,7 +17,7 @@
+ # along with this program; if not, see <http://www.gnu.org/licenses/>.
+ ## Process this file with automake to produce Makefile.in
+
+-AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl
++AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl -I$(top_srcdir)/mpi -I../mpi
+
+ if ! HAVE_DOSISH_SYSTEM
+ AM_CPPFLAGS += -DGNUPG_LIBDIR="\"$(libdir)/@PACKAGE@\""
+diff --git a/cipher/Makefile.in b/cipher/Makefile.in
+index a2a3fd1..6238cbb 100644
+--- a/cipher/Makefile.in
++++ b/cipher/Makefile.in
+@@ -299,7 +299,7 @@ target_alias = @target_alias@
+ top_build_prefix = @top_build_prefix@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+-AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl \
++AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl -I$(top_srcdir)/mpi -I../mpi \
+ $(am__append_1)
+ noinst_LIBRARIES = libcipher.a
+ libcipher_a_SOURCES = cipher.c pubkey.c md.c dynload.c bithelp.h des.c \
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 78a6f87..f454992 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -29,7 +29,7 @@
+ #include <string.h>
+ #include "util.h"
+ #include "mpi.h"
+-#include "../mpi/mpi-internal.h"
++#include "mpi-internal.h"
+ #include "cipher.h"
+ #include "rsa.h"
+
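Review bot: The pair `-I$(top_srcdir)/mpi -I../mpi` in AM_CPPFLAGS looks redundant to anyone who builds in-tree, and the next backporter may drop one; a short comment above the assignment would prevent that, e.g. `# rsa.c includes mpi-internal.h; both the source and the build mpi dir are needed for VPATH builds (presumably because a generated mpi header lives in the build tree)`. Patching Makefile.in by hand is consistent with a package that does not run autoreconf at build time; if wheezy's rules ever enable dh_autoreconf the Makefile.am hunk is the one that survives, so carrying both is the right call. The include-path change also rebuilds the patched rsa.c line only through the preprocessor, so an out-of-tree build is the test that actually exercises this hunk.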
diff --git a/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch b/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
new file mode 100644
index 00000000..b338c360
--- /dev/null
+++ b/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
@@ -0,0 +1,46 @@
+From: NIIBE Yutaka <[email protected]>
+Date: Fri, 7 Jul 2017 21:51:42 +0900
+Subject: CVE-2017-7526: rsa: Reduce secmem pressure.
+
+* cipher/rsa.c (secret): Don't keep secmem.
+
+Signed-off-by: NIIBE Yutaka <[email protected]>
+---
+ cipher/rsa.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index f454992..5894713 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -341,22 +341,29 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
+ mpi_set_highbit (rr, rr_nbits - 1);
+ mpi_sub_ui( h, skey->p, 1 );
+ mpi_mul ( D_blind, h, rr );
++ mpi_free ( rr );
+ mpi_fdiv_r( h, skey->d, h );
+ mpi_add ( D_blind, D_blind, h );
++ mpi_free ( h );
+ mpi_powm ( m1, input, D_blind, skey->p );
+
++ h = mpi_alloc_secure (nlimbs);
++ rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
++
+ /* d_blind = (d mod (q-1)) + (q-1) * r */
+ /* m2 = c ^ d_blind mod q */
+ randomize_mpi (rr, rr_nbits, 0);
+ mpi_set_highbit (rr, rr_nbits - 1);
+ mpi_sub_ui( h, skey->q, 1 );
+ mpi_mul ( D_blind, h, rr );
++ mpi_free ( rr );
+ mpi_fdiv_r( h, skey->d, h );
+ mpi_add ( D_blind, D_blind, h );
++ mpi_free ( h );
+ mpi_powm ( m2, input, D_blind, skey->q );
+
+- mpi_free ( rr );
+ mpi_free ( D_blind );
++ h = mpi_alloc_secure (nlimbs);
+
+ /* h = u * ( m2 - m1 ) mod q */
+ mpi_sub( h, m2, m1 );
diff --git a/debian/patches/series b/debian/patches/series
index dc95e2c5..b81a7e5d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
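Review bot: `h` is freed and re-allocated twice and `rr` once within a dozen lines, under the same names, and nothing in the code says why; the commit subject is the only hint, so a reader will see a gratuitous free/alloc churn and be tempted to revert it. I would add above the first `mpi_free ( h )` a comment such as `/* Release h and rr before mpi_powm: secure memory is scarce and powm presumably needs its own secure scratch space, so do not hold both at once. */` and on the final `h = mpi_alloc_secure (nlimbs);` the note `/* fresh h for the CRT recombination below */`. Freeing `h` immediately after `mpi_add ( D_blind, D_blind, h )` is correct only because the sum is written into `D_blind`, which the hunk shows; what it does not show is whether `mpi_alloc_secure` can return NULL in this tree rather than aborting, and the three re-allocations are unchecked, so that is worth a one-line confirmation in the patch header. The enclosing `secret()` starts and ends outside the hunk.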
@@ -17,3 +17,6 @@ CVE-2015-1606.patch
 0001-g10-Fix-checking-key-for-signature-validation.patch
 0046-cipher-Improve-readability-by-using-a-macro.patch
 0047-random-Hash-continuous-areas-in-the-csprng-pool.patch
+security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
+security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
+security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
