From: Ankur Tyagi <[email protected]> Same patch fixes both vulnerabilities.
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-50382 https://nvd.nist.gov/vuln/detail/CVE-2024-50383 Signed-off-by: Ankur Tyagi <[email protected]> --- .../CVE-2024-50382-and-CVE-2024-50383.patch | 66 +++++++++++++++++++ meta-oe/recipes-crypto/botan/botan_3.2.0.bb | 1 + 2 files changed, 67 insertions(+) create mode 100644 meta-oe/recipes-crypto/botan/botan/CVE-2024-50382-and-CVE-2024-50383.patch diff --git a/meta-oe/recipes-crypto/botan/botan/CVE-2024-50382-and-CVE-2024-50383.patch b/meta-oe/recipes-crypto/botan/botan/CVE-2024-50382-and-CVE-2024-50383.patch new file mode 100644 index 0000000000..d1b625f19b --- /dev/null +++ b/meta-oe/recipes-crypto/botan/botan/CVE-2024-50382-and-CVE-2024-50383.patch @@ -0,0 +1,66 @@ +From 157bf1cd6877e16084e910d68c1844ac73b4f6ff Mon Sep 17 00:00:00 2001 +From: Jack Lloyd <[email protected]> +Date: Sat, 19 Oct 2024 07:43:18 -0400 +Subject: [PATCH] Add more value barriers to avoid compiler induced side + channels + +The paper https://arxiv.org/pdf/2410.13489 claims that on specific +architectures Clang and GCC may introduce jumps here. The donna128 +issues only affect 32-bit processors, which explains why we would not +see it in the x86-64 valgrind runs. + +The GHASH leak would seem to be generic but the authors only observed +it on RISC-V. + +CVE: CVE-2024-50382 +CVE: CVE-2024-50383 +Upstream-Status: Backport [https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957] +(cherry picked from commit 53b0cfde580e86b03d0d27a488b6c134f662e957) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + src/lib/utils/donna128.h | 5 +++-- + src/lib/utils/ghash/ghash.cpp | 2 +- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/lib/utils/donna128.h b/src/lib/utils/donna128.h +index f39f57f97..ab7fb4c83 100644 +--- a/src/lib/utils/donna128.h ++++ b/src/lib/utils/donna128.h +@@ -8,6 +8,7 @@ + #ifndef BOTAN_CURVE25519_DONNA128_H_ + #define BOTAN_CURVE25519_DONNA128_H_ + ++#include <botan/internal/ct_utils.h> + #include <botan/internal/mul128.h> + + namespace Botan { +@@ -54,14 +55,14 @@ class donna128 final { + l += x.l; + h += x.h; + +- const uint64_t carry = (l < x.l); ++ const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x.l).if_set_return(1); + h += carry; + return *this; + } + + donna128& operator+=(uint64_t x) { + l += x; +- const uint64_t carry = (l < x); ++ const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x).if_set_return(1); + h += carry; + return *this; + } +diff --git a/src/lib/utils/ghash/ghash.cpp b/src/lib/utils/ghash/ghash.cpp +index 38604afdb..5c244b4f8 100644 +--- a/src/lib/utils/ghash/ghash.cpp ++++ b/src/lib/utils/ghash/ghash.cpp +@@ -129,7 +129,7 @@ void GHASH::key_schedule(std::span<const uint8_t> key) { + m_HM[4 * j + 2 * i + 1] = H1; + + // GCM's bit ops are reversed so we carry out of the bottom +- const uint64_t carry = R * (H1 & 1); ++ const uint64_t carry = CT::Mask<uint64_t>::expand(H1 & 1).if_set_return(R); + H1 = (H1 >> 1) | (H0 << 63); + H0 = (H0 >> 1) ^ carry; + } diff --git a/meta-oe/recipes-crypto/botan/botan_3.2.0.bb b/meta-oe/recipes-crypto/botan/botan_3.2.0.bb index 3c603a9b26..ef3e63a93b 100644 --- a/meta-oe/recipes-crypto/botan/botan_3.2.0.bb +++ b/meta-oe/recipes-crypto/botan/botan_3.2.0.bb @@ -6,6 +6,7 @@ SECTION = "libs" SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz \ file://CVE-2024-34703.patch \ + file://CVE-2024-50382-and-CVE-2024-50383.patch \ " SRC_URI[sha256sum] = "049c847835fcf6ef3a9e206b33de05dd38999c325e247482772a5598d9e5ece3"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121853): https://lists.openembedded.org/g/openembedded-devel/message/121853 Mute This Topic: https://lists.openembedded.org/mt/116354278/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
