[Buildroot] [PATCH] package/botan: add patch for CVE-2024-50382 & CVE-2024-50383

* [Buildroot] [PATCH] package/botan: add patch for CVE-2024-50382 & CVE-2024-50383
@ 2026-02-27  8:44 Thomas Perale via buildroot
  2026-02-27 18:13 ` Julien Olivain via buildroot
  2026-03-06 19:53 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-02-27  8:44 UTC (permalink / raw)
  To: buildroot

Fixes the following vulnerabilities:

- CVE-2024-50382:
    Botan before 3.6.0, when certain LLVM versions are used, has compiler-
    induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in
    GHASH in AES-GCM. There is a branch instead of an XOR with carry. This
    was observed for Clang in LLVM 15 on RISC-V.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2024-50382
  - https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957

- CVE-2024-50383:
    Botan before 3.6.0, when certain GCC versions are used, has a
    compiler-induced secret-dependent operation in lib/utils/donna128.h in
    donna128 (used in Chacha-Poly1305 and x25519). An addition can be
    skipped if a carry is not set. This was observed for GCC 11.3.0 with
    -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be
    affected.)

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2024-50383
  - https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 ...avoid-compiler-induced-side-channels.patch | 65 +++++++++++++++++++
 package/botan/botan.mk                        |  3 +
 2 files changed, 68 insertions(+)
 create mode 100644 package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch

diff --git a/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch b/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch
new file mode 100644
index 0000000000..22f64be1b9
--- /dev/null
+++ b/package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch
@@ -0,0 +1,65 @@
+From 53b0cfde580e86b03d0d27a488b6c134f662e957 Mon Sep 17 00:00:00 2001
+From: Jack Lloyd <jack@randombit.net>
+Date: Sat, 19 Oct 2024 07:43:18 -0400
+Subject: [PATCH] Add more value barriers to avoid compiler induced side
+ channels
+
+The paper https://arxiv.org/pdf/2410.13489 claims that on specific
+architectures Clang and GCC may introduce jumps here. The donna128
+issues only affect 32-bit processors, which explains why we would not
+see it in the x86-64 valgrind runs.
+
+The GHASH leak would seem to be generic but the authors only observed
+it on RISC-V.
+
+CVE: CVE-2024-50382
+CVE: CVE-2024-50383
+Upstream: https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/lib/utils/donna128.h      | 5 +++--
+ src/lib/utils/ghash/ghash.cpp | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/utils/donna128.h b/src/lib/utils/donna128.h
+index 8212bd349e0..7adf54546df 100644
+--- a/src/lib/utils/donna128.h
++++ b/src/lib/utils/donna128.h
+@@ -8,6 +8,7 @@
+ #ifndef BOTAN_CURVE25519_DONNA128_H_
+ #define BOTAN_CURVE25519_DONNA128_H_
+ 
++#include <botan/internal/ct_utils.h>
+ #include <botan/internal/mul128.h>
+ #include <type_traits>
+ 
+@@ -73,14 +74,14 @@ class donna128 final {
+          l += x.l;
+          h += x.h;
+ 
+-         const uint64_t carry = (l < x.l);
++         const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x.l).if_set_return(1);
+          h += carry;
+          return *this;
+       }
+ 
+       constexpr donna128& operator+=(uint64_t x) {
+          l += x;
+-         const uint64_t carry = (l < x);
++         const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x).if_set_return(1);
+          h += carry;
+          return *this;
+       }
+diff --git a/src/lib/utils/ghash/ghash.cpp b/src/lib/utils/ghash/ghash.cpp
+index 8c3b1ed6c2a..61b28590002 100644
+--- a/src/lib/utils/ghash/ghash.cpp
++++ b/src/lib/utils/ghash/ghash.cpp
+@@ -131,7 +131,7 @@ void GHASH::key_schedule(std::span<const uint8_t> key) {
+          m_HM[4 * j + 2 * i + 1] = H1;
+ 
+          // GCM's bit ops are reversed so we carry out of the bottom
+-         const uint64_t carry = R * (H1 & 1);
++         const uint64_t carry = CT::Mask<uint64_t>::expand(H1 & 1).if_set_return(R);
+          H1 = (H1 >> 1) | (H0 << 63);
+          H0 = (H0 >> 1) ^ carry;
+       }
diff --git a/package/botan/botan.mk b/package/botan/botan.mk
index 561e7bf702..38948f0184 100644
--- a/package/botan/botan.mk
+++ b/package/botan/botan.mk
@@ -11,6 +11,9 @@ BOTAN_LICENSE = BSD-2-Clause
 BOTAN_LICENSE_FILES = license.txt
 BOTAN_CPE_ID_VALID = YES
 
+# 0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch
+BOTAN_IGNORE_CVES += CVE-2024-50382 CVE-2024-50383
+
 BOTAN_INSTALL_STAGING = YES
 
 BOTAN_DEPENDENCIES = host-python3
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread