From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/botan: add upstream security fix for CVE-2021-40529
Date: Sat, 18 Sep 2021 19:45:48 +0200 [thread overview]
Message-ID: <20210918174548.GG1053080@scaer> (raw)
In-Reply-To: <20210918164248.20023-1-peter@korsgaard.com>
Peter, All,
On 2021-09-18 18:42 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issue:
>
> - CVE-2021-40529: The ElGamal implementation in Botan through 2.18.1, as
> used in Thunderbird and other products, allows plaintext recovery because,
> during interaction between two cryptographic libraries, a certain
> dangerous combination of the prime defined by the receiver's public key,
> the generator defined by the receiver's public key, and the sender's
> ephemeral exponents can lead to a cross-configuration attack against
> OpenPGP
>
> For more details, see the upstream bug and issue writeup:
> - https://github.com/randombit/botan/pull/2790
> - https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Note: I haven't received the mail for the erlang patch yet, so I can't
reply to it; consider it applied to master anyway, thanks.
Regards,
Yann E. MORIN.
> ---
> ...d-using-short-exponents-with-ElGamal.patch | 38 +++++++++++++++++++
> package/botan/botan.mk | 3 ++
> 2 files changed, 41 insertions(+)
> create mode 100644 package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch
>
> diff --git a/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch b/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch
> new file mode 100644
> index 0000000000..e2570cd5ff
> --- /dev/null
> +++ b/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch
> @@ -0,0 +1,38 @@
> +From 9a23e4e3bc3966340531f2ff608fa9d33b5185a2 Mon Sep 17 00:00:00 2001
> +From: Jack Lloyd <jack@randombit.net>
> +Date: Tue, 3 Aug 2021 18:20:29 -0400
> +Subject: [PATCH] Avoid using short exponents with ElGamal
> +
> +Some off-brand PGP implementation generates keys where p - 1 is
> +smooth, as a result short exponents can leak enough information about
> +k to allow decryption.
> +
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +[Peter: Drop tests, CVE-2021-40529]
> +---
> + src/lib/pubkey/elgamal/elgamal.cpp | 8 +++-
> + 1 file changed, 1 insertions(+), 1 deletions(-)
> +
> +diff --git a/src/lib/pubkey/elgamal/elgamal.cpp b/src/lib/pubkey/elgamal/elgamal.cpp
> +index b3ec6df2c..0e33c2ca5 100644
> +--- a/src/lib/pubkey/elgamal/elgamal.cpp
> ++++ b/src/lib/pubkey/elgamal/elgamal.cpp
> +@@ -113,8 +113,12 @@ ElGamal_Encryption_Operation::raw_encrypt(const uint8_t msg[], size_t msg_len,
> + if(m >= m_group.get_p())
> + throw Invalid_Argument("ElGamal encryption: Input is too large");
> +
> +- const size_t k_bits = m_group.exponent_bits();
> +- const BigInt k(rng, k_bits);
> ++ /*
> ++ Some ElGamal implementations foolishly use prime fields where p - 1 is
> ++ smooth, as a result it is unsafe to use short exponents.
> ++ */
> ++ const size_t k_bits = m_group.p_bits() - 1;
> ++ const BigInt k(rng, k_bits, false);
> +
> + const BigInt a = m_group.power_g_p(k, k_bits);
> + const BigInt b = m_group.multiply_mod_p(m, monty_execute(*m_monty_y_p, k, k_bits));
> +-
> +--
> +2.20.1
> +
> diff --git a/package/botan/botan.mk b/package/botan/botan.mk
> index c23aba99dd..0ac528c990 100644
> --- a/package/botan/botan.mk
> +++ b/package/botan/botan.mk
> @@ -11,6 +11,9 @@ BOTAN_LICENSE = BSD-2-Clause
> BOTAN_LICENSE_FILES = license.txt
> BOTAN_CPE_ID_VENDOR = botan_project
>
> +# 0001-Avoid-using-short-exponents-with-ElGamal.patch
> +BOTAN_IGNORE_CVES += CVE-2021-40529
> +
> BOTAN_INSTALL_STAGING = YES
>
> BOTAN_CONF_OPTS = \
> --
> 2.20.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@lists.buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2021-09-18 17:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-18 16:42 [Buildroot] [PATCH] package/botan: add upstream security fix for CVE-2021-40529 Peter Korsgaard
2021-09-18 17:45 ` Yann E. MORIN [this message]
2021-09-29 18:08 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210918174548.GG1053080@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=peter@korsgaard.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.