* [PATCH 0/2] gnupg: two CVE patches
@ 2014-03-26 8:32 jackie.huang
From: jackie.huang @ 2014-03-26 8:32 UTC
To: openembedded-core
From: Jackie Huang <jackie.huang@windriver.com>
The following changes since commit 43d717df16312a8f0333aff6b8b037b4b9d51bf3:
toaster.bbclass: update buildstats event data (2014-03-25 14:19:57 +0000)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib jhuang0/r_port60_gnupg_140326-1
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=jhuang0/r_port60_gnupg_140326-1
Ming Liu (1):
gnupg: CVE-2013-4351
Yong Zhang (1):
gnupg: CVE-2013-4576
.../gnupg/gnupg-1.4.7/CVE-2013-4351.patch | 44 ++++++
.../gnupg/gnupg-1.4.7/CVE-2013-4576.patch | 153 ++++++++++++++++++++
meta/recipes-support/gnupg/gnupg_1.4.7.bb | 5 +-
3 files changed, 201 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
create mode 100644 meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
--
1.7.9.5
* [PATCH 1/2] gnupg: CVE-2013-4351
From: jackie.huang @ 2014-03-26 8:32 UTC
To: openembedded-core
From: Ming Liu <ming.liu@windriver.com>
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits
cleared (no usage permitted) as if it has all bits set (all usage permitted),
which might allow remote attackers to bypass intended cryptographic protection
mechanisms by leveraging the subkey.
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
.../gnupg/gnupg-1.4.7/CVE-2013-4351.patch | 44 ++++++++++++++++++++
meta/recipes-support/gnupg/gnupg_1.4.7.bb | 4 +-
2 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
new file mode 100644
index 0000000..b29ede4
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
@@ -0,0 +1,44 @@
+Upstream-Status: Backport
+
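Review bot: the patch header carries only Upstream-Status: Backport; for a backport the upstream commit id or URL it was taken from should be cited, and a one-line description naming CVE-2013-4351 plus a Signed-off-by line would make the patch file self-describing without the cover mail.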
+Index: gnupg-1.4.7/g10/getkey.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/getkey.c 2007-03-05 16:54:41.000000000 +0800
++++ gnupg-1.4.7/g10/getkey.c 2013-11-28 14:41:59.640212240 +0800
+@@ -1454,7 +1454,11 @@
+
+ if(flags)
+ key_usage |= PUBKEY_USAGE_UNKNOWN;
++ if (!key_usage)
++ key_usage |= PUBKEY_USAGE_NONE;
+ }
++ else if (p)
++ key_usage |= PUBKEY_USAGE_NONE;
+
+ /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
+ capability that we do not handle. This serves to distinguish
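Review bot: after this change key_usage is non-zero (PUBKEY_USAGE_NONE) whenever a key flags subpacket is present, including an all-zero or empty one, where the old code left it at 0 and callers fell back to the algorithm's default capabilities. The consumers of key_usage are outside this hunk; please confirm that the code copying it into the key packet and matching it against the requested usage treats a value of PUBKEY_USAGE_NONE alone as "no usage" rather than as "use defaults". The comment block that follows explains only PUBKEY_USAGE_UNKNOWN; add a sentence for the new flag, e.g. `/* PUBKEY_USAGE_NONE marks a key flags subpacket that grants no usage at all. */`.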
+Index: gnupg-1.4.7/g10/keygen.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/keygen.c 2007-02-05 00:27:40.000000000 +0800
++++ gnupg-1.4.7/g10/keygen.c 2013-11-28 14:43:05.016670092 +0800
+@@ -209,9 +209,6 @@
+ if (use & PUBKEY_USAGE_AUTH)
+ buf[0] |= 0x20;
+
+- if (!buf[0])
+- return;
+-
+ build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
+ }
+
+Index: gnupg-1.4.7/include/cipher.h
+===================================================================
+--- gnupg-1.4.7.orig/include/cipher.h 2006-04-21 20:39:49.000000000 +0800
++++ gnupg-1.4.7/include/cipher.h 2013-11-28 14:49:24.159322744 +0800
+@@ -52,6 +52,7 @@
+ #define PUBKEY_USAGE_CERT 4 /* key is also good to certify other keys*/
+ #define PUBKEY_USAGE_AUTH 8 /* key is good for authentication */
+ #define PUBKEY_USAGE_UNKNOWN 128 /* key has an unknown usage bit */
++#define PUBKEY_USAGE_NONE 256 /* No usage given. */
+
+ #define DIGEST_ALGO_MD5 1
+ #define DIGEST_ALGO_SHA1 2
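Review bot: PUBKEY_USAGE_NONE is 256, the first usage value that does not fit in a byte, whereas the existing values (4, 8, 128) all do. Verify that every place the usage mask is stored (the usage fields of the key packet structure in packet.h and any byte-typed locals collecting it) is at least an unsigned int; if one is still a byte the new flag is silently truncated to 0 and the getkey.c change has no effect. Widen those fields in this backport if the upstream fix did so.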
diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
index fcc5fba..83d8fab 100644
--- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -14,7 +14,9 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
file://configure.patch \
file://mips_gcc4.4.patch \
file://GnuPG1-CVE-2012-6085.patch \
- file://curl_typeof_fix_backport.patch"
+ file://curl_typeof_fix_backport.patch \
+ file://CVE-2013-4351.patch \
+ "
SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"
SRC_URI[sha256sum] = "69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d"
--
1.7.9.5
* [PATCH 2/2] gnupg: CVE-2013-4576
From: jackie.huang @ 2014-03-26 8:32 UTC
To: openembedded-core
From: Yong Zhang <yong.zhang@windriver.com>
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions
with certain patterns that introduce a side channel, which allows physically
proximate attackers to extract RSA keys via a chosen-ciphertext attack and
acoustic cryptanalysis during decryption. NOTE: applications are not typically
expected to protect themselves from acoustic side-channel attacks, since this
is arguably the responsibility of the physical device. Accordingly, issues of
this type would not normally receive a CVE identifier. However, for this
issue, the developer has specified a security policy in which GnuPG should
offer side-channel resistance, and developer-specified security-policy
violations are within the scope of CVE.
Signed-off-by: Yong Zhang <yong.zhang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
.../gnupg/gnupg-1.4.7/CVE-2013-4576.patch | 153 ++++++++++++++++++++
meta/recipes-support/gnupg/gnupg_1.4.7.bb | 1 +
2 files changed, 154 insertions(+)
create mode 100644 meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 0000000..b1a22f5
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+
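Review bot: Upstream-Status: Backport should name the upstream commit this was taken from, and the patch header should carry a short description and a Signed-off-by line; as it stands the only CVE-2013-4576 reference is the comment inside the rsa.c hunk.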
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
++++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+ MPI kinv;
+ MPI tmp;
+
++ mpi_normalize (hash);
++
+ /* select a random k with 0 < k < q */
+ k = gen_k( skey->q );
+
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
++++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+ {
+ MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+
++ mpi_normalize (a);
++ mpi_normalize (b);
++
+ /* output = b/(a^x) mod p */
+ mpi_powm( t1, a, skey->x, skey->p );
+ mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
++++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+ }
+
+
++/* Randomize the MPI */
++void
++randomize_mpi (MPI mpi, size_t nbits, int level)
++{
++ unsigned char *buffer;
++
++ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
++ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
++ xfree (buffer);
++}
++
++
+ int
+ random_is_faked()
+ {
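Review bot: randomize_mpi fills (nbits+7)/8 whole bytes, so for an nbits that is not a multiple of 8 the MPI receives up to 7 bits more than requested. The only caller in this series reduces the result mod n immediately, so it is harmless here, but the one-line comment should say so, and also state that the previous value of mpi is overwritten and that level selects the random pool quality, so that later callers do not rely on an exact bit length.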
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
++++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+ int random_is_faked(void);
+ void random_disable_locking (void);
+ void randomize_buffer( byte *buffer, size_t length, int level );
++void randomize_mpi (MPI mpi, size_t nbits, int level);
+ byte *get_random_bits( size_t nbits, int level, int secure );
+ void fast_random_poll( void );
+
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
++++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+ #if 0
+ mpi_powm( output, input, skey->d, skey->n );
+ #else
+- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
++ int nlimbs = mpi_get_nlimbs (skey->n)+1;
++ MPI m1 = mpi_alloc_secure (nlimbs);
++ MPI m2 = mpi_alloc_secure (nlimbs);
++ MPI h = mpi_alloc_secure (nlimbs);
++# if 1
++ MPI bdata= mpi_alloc_secure (nlimbs);
++ MPI r = mpi_alloc_secure (nlimbs);
++# endif
++
++ /* Remove superfluous leading zeroes from INPUT. */
++ mpi_normalize (input);
++
++# if 1
++ /* Blind: bdata = (data * r^e) mod n */
++ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
++ mpi_fdiv_r (r, r, skey->n);
++ mpi_powm (bdata, r, skey->e, skey->n);
++ mpi_mulm (bdata, bdata, input, skey->n);
++ input = bdata;
++# endif
+
+ /* m1 = c ^ (d mod (p-1)) mod p */
+ mpi_sub_ui( h, skey->p, 1 );
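Review bot: the `# if 1` / `# endif` pairs around the blinding code are leftover toggles; in the backport either drop them or give the condition a name, otherwise a reader cannot tell whether blinding is meant to be optional. The blinding factor r is drawn with level 0 (the fast pool); add a comment saying why that quality is sufficient for a per-operation blinding value, as the bare 0 reads like an oversight.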
+@@ -321,8 +338,15 @@
+ /* m = m2 + h * p */
+ mpi_mul ( h, h, skey->p );
+ mpi_add ( output, m1, h );
+- /* ready */
+-
++
++# if 1
++ mpi_free (bdata);
++ /* Unblind: output = (output * r^(-1)) mod n */
++ mpi_invm (r, r, skey->n);
++ mpi_mulm (output, output, r, skey->n);
++ mpi_free (r);
++# endif
++
+ mpi_free ( h );
+ mpi_free ( m1 );
+ mpi_free ( m2 );
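Review bot: nothing checks that r is invertible mod n before `mpi_invm (r, r, skey->n)` and the unblinding multiply; for a well-formed key that only fails when r is 0 or a multiple of p or q, which is negligible, but a malformed key then yields a wrong plaintext silently. An assertion, or checking the result of mpi_invm if it reports a missing inverse, would make that failure visible.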
+@@ -397,6 +421,7 @@
+ rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+ {
+ RSA_secret_key sk;
++ MPI input;
+
+ if( algo != 1 && algo != 2 )
+ return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+ sk.p = skey[3];
+ sk.q = skey[4];
+ sk.u = skey[5];
+- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+- secret( *result, data[0], &sk );
++
++ /* Mitigates side-channel attacks (CVE-2013-4576). */
++ input = mpi_alloc (0);
++ mpi_normalize (data[0]);
++ mpi_fdiv_r (input, data[0], sk.n);
++ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
++ secret (*result, input, &sk);
++ mpi_free (input);
+ return 0;
+ }
+
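Review bot: the comment `/* Mitigates side-channel attacks (CVE-2013-4576). */` should say what the new lines do: the caller's ciphertext is normalized and reduced into [0, n) before secret() sees it, so a peer-supplied value outside that range no longer reaches the CRT exponentiation unreduced. Note also that `mpi_normalize (data[0])` modifies the caller's MPI in place, and that input is allocated with `mpi_alloc (0)` in non-secure memory, which is fine for a ciphertext but worth stating in the comment.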
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
++++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+ void random_dump_stats(void) {}
+ int quick_random_gen( int onoff ) { return -1;}
+ void randomize_buffer( byte *buffer, size_t length, int level ) {}
++void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+ int random_is_faked() { return -1;}
+ byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+ void set_random_seed_file( const char *name ) {}
diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
index 83d8fab..e8f797d 100644
--- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
file://GnuPG1-CVE-2012-6085.patch \
file://curl_typeof_fix_backport.patch \
file://CVE-2013-4351.patch \
+ file://CVE-2013-4576.patch \
"
SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"
--
1.7.9.5