diff -Nru gnupg-1.4.20/debian/changelog gnupg-1.4.20/debian/changelog
--- gnupg-1.4.20/debian/changelog 2016-02-12 12:19:57.000000000 +0000
+++ gnupg-1.4.20/debian/changelog 2022-06-30 15:15:54.000000000 +0000
@@ -1,3 +1,44 @@
+gnupg (1.4.20-1ubuntu3.3+ppa1) xenial; urgency=medium
+
+ * Backport https://dev.gnupg.org/rG34c649b3601383cd11dbc76221747ec16fd68e1b
+ to fix signature injection.
+
+ -- William Grant Fri, 01 Jul 2022 01:15:54 +1000
+
+gnupg (1.4.20-1ubuntu3.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: full RSA key recovery via side-channel attack
+ - debian/patches/CVE-2017-7526-1.patch: simplify loop in mpi/mpi-pow.c.
+ - debian/patches/CVE-2017-7526-2.patch: use same computation for square
+ and multiply in mpi/mpi-pow.c.
+ - debian/patches/CVE-2017-7526-3.patch: fix allocation size for mpi_pow
+ - debian/patches/CVE-2017-7526-4.patch: add exponent blinding in
+ cipher/rsa.c.
+ - debian/patches/CVE-2017-7526-5.patch: allow different build directory
+ - CVE-2017-7526
+
+ -- Alex Murray Mon, 06 Aug 2018 09:59:18 +0930
+
+gnupg (1.4.20-1ubuntu3.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: missing sanitization of verbose output
+ - debian/patches/CVE-2018-12020.patch: Sanitize diagnostic with
+ the original file name.
+ - CVE-2018-12020
+
+ -- Steve Beattie Fri, 08 Jun 2018 15:53:57 -0700
+
+gnupg (1.4.20-1ubuntu3.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: random number generator prediction
+ - debian/patches/CVE-2016-6313-1.patch: improve readability by using a
+ macro in cipher/random.c.
+ - debian/patches/CVE-2016-6313-2.patch: hash continuous areas in the
+ csprng pool in cipher/random.c.
+ - CVE-2016-6313
+
+ -- Marc Deslauriers Wed, 17 Aug 2016 13:35:22 -0400
+
 gnupg (1.4.20-1ubuntu3) xenial; urgency=medium
 
 * debian/patches/lp1541925.patch: switch to final upstream commit.
diff -Nru gnupg-1.4.20/debian/patches/CVE-2016-6313-1.patch gnupg-1.4.20/debian/patches/CVE-2016-6313-1.patch
--- gnupg-1.4.20/debian/patches/CVE-2016-6313-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg-1.4.20/debian/patches/CVE-2016-6313-1.patch 2016-08-17 17:35:15.000000000 +0000
@@ -0,0 +1,37 @@
+From e23eec8c9a602eee0a09851a54db0f5d611f125c Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Wed, 17 Aug 2016 11:03:07 +0200
+Subject: [PATCH] cipher: Improve readability by using a macro.
+
+* cipher/random.c (mix_pool): Use DIGESTLEN instead of 20.
+
+Signed-off-by: Werner Koch
+---
+ cipher/random.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/random.c b/cipher/random.c
+index 7549517..be2f51a 100644
+--- a/cipher/random.c
++++ b/cipher/random.c
+@@ -365,7 +365,7 @@ mix_pool(byte *pool)
+ memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
+ memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
+ rmd160_mixblock( &md, hashbuf);
+- memcpy(pool, hashbuf, 20 );
++ memcpy(pool, hashbuf, DIGESTLEN);
+
+ p = pool;
+ for( n=1; n < POOLBLOCKS; n++ ) {
+@@ -384,7 +384,7 @@ mix_pool(byte *pool)
+ }
+
+ rmd160_mixblock( &md, hashbuf);
+- memcpy(p, hashbuf, 20 );
++ memcpy(p, hashbuf, DIGESTLEN);
+ }
+ burn_stack (384); /* for the rmd160_mixblock() */
+ }
+--
+2.8.0.rc3
+
diff -Nru gnupg-1.4.20/debian/patches/CVE-2016-6313-2.patch gnupg-1.4.20/debian/patches/CVE-2016-6313-2.patch
--- gnupg-1.4.20/debian/patches/CVE-2016-6313-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg-1.4.20/debian/patches/CVE-2016-6313-2.patch 2016-08-17 17:35:18.000000000 +0000
@@ -0,0 +1,87 @@ +From c6dbfe89903d0c8191cf50ecf1abb3c8458b427a Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Wed, 17 Aug 2016 11:15:50 +0200 +Subject: [PATCH] random: Hash continuous areas in the csprng pool. +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +* cipher/random.c (mix_pool): Store the first hash at the end of the +pool. +-- + +This fixes a long standing bug (since 1998) in Libgcrypt and GnuPG. +An attacker who obtains 580 bytes of the random number from the +standard RNG can trivially predict the next 20 bytes of output. + +This bug does not affect the default generation of +keys because running gpg for key creation creates at most 2 keys from +the pool: For a single 4096 bit RSA key 512 byte of random are +required and thus for the second key (encryption subkey), 20 bytes +could be predicted from the the first key. However, the security of +an OpenPGP key depends on the primary key (which was generated first) +and thus the 20 predictable bytes should not be a problem. For the +default key length of 2048 bit nothing will be predictable. + +For the former default of DSA+Elgamal key it is complicate to give an +answer: For 2048 bit keys a pool of 30 non-secret candidate primes of +about 300 bits each are first created. This reads at least 1140 bytes +from the pool and thus parts could be predicted. At some point a 256 +bit secret is read from the pool; which in the worst case might be +partly predictable. + +The bug was found and reported by Felix Dörre and Vladimir Klebanov, +Karlsruhe Institute of Technology. A paper describing the problem in +detail will shortly be published. 
+ +CVE-id: CVE-2016-6313 +Signed-off-by: Werner Koch +--- + cipher/random.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/cipher/random.c b/cipher/random.c +index be2f51a..5f7de51 100644 +--- a/cipher/random.c ++++ b/cipher/random.c +@@ -360,23 +360,21 @@ mix_pool(byte *pool) + #if DIGESTLEN != 20 + #error must have a digest length of 20 for ripe-md-160 + #endif +- /* loop over the pool */ ++ /* pool -> pool' */ + pend = pool + POOLSIZE; + memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN ); + memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN); + rmd160_mixblock( &md, hashbuf); + memcpy(pool, hashbuf, DIGESTLEN); + ++ /* Loop for the remaining iterations. */ + p = pool; + for( n=1; n < POOLBLOCKS; n++ ) { +- memcpy(hashbuf, p, DIGESTLEN ); +- +- p += DIGESTLEN; +- if( p+DIGESTLEN+BLOCKLEN < pend ) +- memcpy(hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN); ++ if( p + BLOCKLEN < pend ) ++ memcpy(hashbuf, p, BLOCKLEN); + else { +- char *pp = p+DIGESTLEN; +- for(i=DIGESTLEN; i < BLOCKLEN; i++ ) { ++ char *pp = p; ++ for(i=0; i < BLOCKLEN; i++ ) { + if( pp >= pend ) + pp = pool; + hashbuf[i] = *pp++; +@@ -384,6 +382,7 @@ mix_pool(byte *pool) + } + + rmd160_mixblock( &md, hashbuf); ++ p += DIGESTLEN; + memcpy(p, hashbuf, DIGESTLEN); + } + burn_stack (384); /* for the rmd160_mixblock() */ +-- +2.8.0.rc3 + diff -Nru gnupg-1.4.20/debian/patches/CVE-2017-7526-1.patch gnupg-1.4.20/debian/patches/CVE-2017-7526-1.patch --- gnupg-1.4.20/debian/patches/CVE-2017-7526-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg-1.4.20/debian/patches/CVE-2017-7526-1.patch 2018-08-06 00:29:54.000000000 +0000 
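Review bot: The new `p += DIGESTLEN; memcpy(p, hashbuf, DIGESTLEN);` at the bottom of the loop only stays inside the pool if POOLSIZE is exactly POOLBLOCKS * DIGESTLEN, since on the last iteration p lands at pend - DIGESTLEN; the constants are defined outside the hunk, so this is inferred rather than shown. The existing `#if DIGESTLEN != 20` guard pins only the digest length, so the assumption the rewritten wrap-around copy depends on should be made explicit beside it: `#if POOLSIZE != POOLBLOCKS * DIGESTLEN` / `#error POOLSIZE must equal POOLBLOCKS * DIGESTLEN` / `#endif`. The replacement comment `/* pool -> pool' */` also says little about the first block; the visible memcpy calls support `/* First block: hash the last DIGESTLEN bytes of the pool followed by its first BLOCKLEN-DIGESTLEN bytes, and store the digest at the start of the pool. */`. The closing brace of mix_pool lies outside the nested hunk.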
@@ -0,0 +1,170 @@ +From b38f4489f75e6e435886aa885807738a22c7ff60 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Fri, 7 Jul 2017 14:26:39 +0900 +Subject: [PATCH] mpi: Simplify mpi_powm. + +* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop. + +-- + +(backport of libgcrypt master commit: + 719468e53133d3bdf12156c5bfdea2bf15f9f6f1) + +Signed-off-by: NIIBE Yutaka +--- + mpi/mpi-pow.c | 103 +++++++++++++++++----------------------------------------- + 1 file changed, 30 insertions(+), 73 deletions(-) + +diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c +index 7f23a5a..76ddf95 100644 +--- a/mpi/mpi-pow.c ++++ b/mpi/mpi-pow.c +@@ -564,12 +564,8 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + if (e == 0) + { + j += c; +- i--; +- if ( i < 0 ) +- { +- c = 0; +- break; +- } ++ if ( --i < 0 ) ++ break; + + e = ep[i]; + c = BITS_PER_MPI_LIMB; +@@ -584,38 +580,33 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + c -= c0; + j += c0; + ++ e0 = (e >> (BITS_PER_MPI_LIMB - W)); + if (c >= W) +- { +- e0 = (e >> (BITS_PER_MPI_LIMB - W)); +- e = (e << W); +- c -= W; +- } ++ c0 =0; + else + { +- i--; +- if ( i < 0 ) ++ if ( --i < 0 ) + { +- e = (e >> (BITS_PER_MPI_LIMB - c)); +- break; ++ e0 = (e >> (BITS_PER_MPI_LIMB - c)); ++ j += c - W; ++ goto last_step; + } +- +- c0 = c; +- e0 = (e >> (BITS_PER_MPI_LIMB - W)) +- | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0)); +- e = (ep[i] << (W - c0)); +- c = BITS_PER_MPI_LIMB - W + c0; ++ else ++ { ++ c0 = c; ++ e = ep[i]; ++ c = BITS_PER_MPI_LIMB; ++ e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0))); ++ } + } + ++ e = e << (W - c0); ++ c -= (W - c0); ++ ++ last_step: + count_trailing_zeros (c0, e0); + e0 = (e0 >> c0) >> 1; + +- for (j += W - c0; j; j--) +- { +- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- } +- + /* + * base_u <= precomp[e0] + * base_u_size <= precomp_size[e0]; +@@ -634,24 +625,22 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + u.d = precomp[k]; + + 
mpi_set_cond (&w, &u, k == e0); +- base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); ++ base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); ++ } ++ for (j += W - c0; j >= 0; j--) ++ { ++ mul_mod (xp, &xsize, rp, rsize, ++ j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize, ++ mp, msize, &karactx); ++ tp = rp; rp = xp; xp = tp; ++ rsize = xsize; + } +- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, +- mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; + + j = c0; ++ if ( i < 0 ) ++ break; + } + +- if (c != 0) +- { +- j += c; +- count_trailing_zeros (c, e); +- e = (e >> c); +- j -= c; +- } +- + while (j--) + { + mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +@@ -659,38 +648,6 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + rsize = xsize; + } + +- if (e != 0) +- { +- base_u_size = 0; +- for (k = 0; k < (1<< (W - 1)); k++) +- { +- struct gcry_mpi w, u; +- w.alloced = w.nlimbs = precomp_size[k]; +- u.alloced = u.nlimbs = precomp_size[k]; +- w.nbits = w.nlimbs * BITS_PER_MPI_LIMB; +- u.nbits = u.nlimbs * BITS_PER_MPI_LIMB; +- w.sign = u.sign = 0; +- w.flags = u.flags = 0; +- w.d = base_u; +- u.d = precomp[k]; +- +- mpi_set_cond (&w, &u, k == (e>>1)); +- base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) ); +- } +- +- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, +- mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- +- for (; c; c--) +- { +- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- } +- } +- + /* We shifted MOD, the modulo reduction argument, left + MOD_SHIFT_CNT steps. Adjust the result by reducing it with the + original MOD. 
+-- +2.8.0.rc3 + diff -Nru gnupg-1.4.20/debian/patches/CVE-2017-7526-2.patch gnupg-1.4.20/debian/patches/CVE-2017-7526-2.patch --- gnupg-1.4.20/debian/patches/CVE-2017-7526-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg-1.4.20/debian/patches/CVE-2017-7526-2.patch 2018-08-06 00:30:00.000000000 +0000 
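Review bot: The `goto last_step` in the `--i < 0` branch skips the `e = e << (W - c0); c -= (W - c0);` pair, and the `j += c - W` just before it is a pre-compensation for the `j += W - c0` that the loop header at the landing site adds; neither is commented, so a reader has to replay the bit budget to convince themselves no exponent bits are dropped or counted twice. Suggest above the goto: `/* Exponent exhausted: E0 already holds the final C bits. Pre-adjust J so the "j += W - c0" at the multiply loop counts squarings only for those bits, then skip the shift. */`. A one-liner on the label itself, `/* Reached directly when the exponent ran out mid-window. */`, would also help. The enclosing loop of mpi_powm starts and ends outside the nested hunk.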
@@ -0,0 +1,166 @@ +From 12029f83fd0ab3e8ad524f6c9135854662fddfd1 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Fri, 7 Jul 2017 14:38:19 +0900 +Subject: [PATCH] mpi: Same computation for square and multiply for mpi_pow. + +* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move +the assignment to base_u into the loop. Copy content refered by RP to +BASE_U except the last of the loop. + +-- + +Signed-off-by: NIIBE Yutaka + +(backport commit of libgcrypt master: +78130828e9a140a9de4dafadbc844dbb64cb709a) +--- + mpi/mpi-pow.c | 72 +++++++++++++++++++++++++++++++---------------------------- + 1 file changed, 38 insertions(+), 34 deletions(-) + +diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c +index 76ddf95..acddca9 100644 +--- a/mpi/mpi-pow.c ++++ b/mpi/mpi-pow.c +@@ -387,6 +387,9 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + size = 2 * msize; + msign = mod->sign; + ++ ep = expo->d; ++ MPN_NORMALIZE(ep, esize); ++ + if (esize * BITS_PER_MPI_LIMB > 512) + W = 5; + else if (esize * BITS_PER_MPI_LIMB > 256) +@@ -403,10 +406,9 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + bsec = mpi_is_secure(base); + + rp = res->d; +- ep = expo->d; + + if (!msize) +- msize = 1 / msize; /* provoke a signal */ ++ msize = 1 / msize; /* provoke a signal */ + + if (!esize) + { +@@ -463,7 +465,8 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + } + + +- /* Make BASE, EXPO and MOD not overlap with RES. */ ++ /* Make BASE, EXPO not overlap with RES. We don't need to check MOD ++ because that has already been copied to the MP var. */ + if ( rp == bp ) + { + /* RES and BASE are identical. Allocate temp. space for BASE. */ +@@ -477,13 +480,6 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + ep = ep_marker = mpi_alloc_limb_space( esize, esec ); + MPN_COPY(ep, rp, esize); + } +- if ( rp == mp ) +- { +- /* RES and MOD are identical. 
Allocate temporary space for MOD.*/ +- assert (!mp_marker); +- mp = mp_marker = mpi_alloc_limb_space( msize, msec ); +- MPN_COPY(mp, rp, msize); +- } + + /* Copy base to the result. */ + if (res->alloced < size) +@@ -529,7 +525,10 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + MPN_COPY (precomp[i], rp, rsize); + } + ++ if (msize > max_u_size) ++ max_u_size = msize; + base_u = mpi_alloc_limb_space (max_u_size, esec); ++ MPN_ZERO (base_u, max_u_size); + + i = esize - 1; + +@@ -574,6 +573,10 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + { + int c0; + mpi_limb_t e0; ++ struct gcry_mpi w, u; ++ w.sign = u.sign = 0; ++ w.flags = u.flags = 0; ++ w.d = base_u; + + count_leading_zeros (c0, e); + e = (e << c0); +@@ -582,7 +585,7 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + + e0 = (e >> (BITS_PER_MPI_LIMB - W)); + if (c >= W) +- c0 =0; ++ c0 = 0; + else + { + if ( --i < 0 ) +@@ -597,7 +600,7 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + e = ep[i]; + c = BITS_PER_MPI_LIMB; + e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0))); +- } ++ } + } + + e = e << (W - c0); +@@ -607,30 +610,31 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod) + count_trailing_zeros (c0, e0); + e0 = (e0 >> c0) >> 1; + +- /* +- * base_u <= precomp[e0] +- * base_u_size <= precomp_size[e0]; +- */ +- base_u_size = 0; +- for (k = 0; k < (1<< (W - 1)); k++) +- { +- struct gcry_mpi w, u; +- w.alloced = w.nlimbs = precomp_size[k]; +- u.alloced = u.nlimbs = precomp_size[k]; +- w.nbits = w.nlimbs * BITS_PER_MPI_LIMB; +- u.nbits = u.nlimbs * BITS_PER_MPI_LIMB; +- w.sign = u.sign = 0; +- w.flags = u.flags = 0; +- w.d = base_u; +- u.d = precomp[k]; +- +- mpi_set_cond (&w, &u, k == e0); +- base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); +- } + for (j += W - c0; j >= 0; j--) + { +- mul_mod (xp, &xsize, rp, rsize, +- j == 0 ? base_u : rp, j == 0 ? 
base_u_size : rsize, ++ ++ /* ++ * base_u <= precomp[e0] ++ * base_u_size <= precomp_size[e0] ++ */ ++ base_u_size = 0; ++ for (k = 0; k < (1<< (W - 1)); k++) ++ { ++ w.alloced = w.nlimbs = precomp_size[k]; ++ u.alloced = u.nlimbs = precomp_size[k]; ++ u.d = precomp[k]; ++ ++ mpi_set_cond (&w, &u, k == e0); ++ base_u_size |= ( precomp_size[k] & (0UL - (k == e0)) ); ++ } ++ ++ w.alloced = w.nlimbs = rsize; ++ u.alloced = u.nlimbs = rsize; ++ u.d = rp; ++ mpi_set_cond (&w, &u, j != 0); ++ base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0))); ++ ++ mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, + mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; +-- +2.8.0.rc3 + diff -Nru gnupg-1.4.20/debian/patches/CVE-2017-7526-3.patch gnupg-1.4.20/debian/patches/CVE-2017-7526-3.patch --- gnupg-1.4.20/debian/patches/CVE-2017-7526-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg-1.4.20/debian/patches/CVE-2017-7526-3.patch 2018-08-06 00:30:06.000000000 +0000 
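Review bot: The inner `for (k = 0; k < (1<< (W - 1)); k++)` table scan and the `mpi_set_cond (&w, &u, j != 0)` copy of RP now run on every iteration of the squaring loop although their result is only used when j == 0; that uniform access pattern is the whole point of the change, but nothing in the code says so, and a later "optimization" that hoists the scan back out of the loop would silently reintroduce the exponent-dependent behaviour. Suggest a comment above `base_u_size = 0;`: `/* Deliberately rescan the whole table and copy RP on every iteration: memory access must not depend on the exponent window (CVE-2017-7526). */`. The masks are now spelled `0UL - (k == e0)` and `0UL - (j != 0)` while the removed line used `(mpi_size_t)0 - (k == e0)`; if mpi_size_t is a signed int (its typedef is not in the hunk) the `&` is evaluated in unsigned long and narrowed on assignment, which is correct for an all-ones mask but worth a note since the type change is unexplained. mpi_powm continues on both sides of the nested hunk.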
@@ -0,0 +1,37 @@
+From 554ded4854758bf6ca268432fa087f946932a409 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka
+Date: Fri, 7 Jul 2017 15:12:00 +0900
+Subject: [PATCH] mpi: Minor fix for mpi_pow.
+
+* mpi/mpi-pow.c (mpi_powm): Fix allocation size.
+
+Signed-off-by: NIIBE Yutaka
+---
+ mpi/mpi-pow.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
+index acddca9..0078b84 100644
+--- a/mpi/mpi-pow.c
++++ b/mpi/mpi-pow.c
+@@ -162,7 +162,7 @@ mpi_powm( MPI res, MPI base, MPI exponent, MPI mod)
+
+ {
+ mpi_size_t i;
+- mpi_ptr_t xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec );
++ mpi_ptr_t xp = xp_marker = mpi_alloc_limb_space( size, msec );
+ int c;
+ mpi_limb_t e;
+ mpi_limb_t carry_limb;
+@@ -499,7 +499,7 @@ mpi_powm (MPI res, MPI base, MPI expo, MPI mod)
+ struct karatsuba_ctx karactx;
+ mpi_ptr_t tp;
+
+- xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec );
++ xp = xp_marker = mpi_alloc_limb_space( size, msec );
+
+ memset( &karactx, 0, sizeof karactx );
+ negative_result = (ep[0] & 1) && bsign;
+--
+2.8.0.rc3
+
diff -Nru gnupg-1.4.20/debian/patches/CVE-2017-7526-4.patch gnupg-1.4.20/debian/patches/CVE-2017-7526-4.patch
--- gnupg-1.4.20/debian/patches/CVE-2017-7526-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg-1.4.20/debian/patches/CVE-2017-7526-4.patch 2018-08-06 00:30:11.000000000 +0000
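Review bot: Both replaced allocations shrink xp from `2 * (msize + 1)` limbs to `size` limbs, and the only definition of `size` visible in this series is `size = 2 * msize` (context in CVE-2017-7526-2.patch), so this is a reduction by two limbs rather than a cosmetic change, yet the message "Fix allocation size" does not say why the smaller bound is sufficient. Presumably every intermediate that mul_mod writes into xp fits in 2 * msize limbs; that should be stated at the allocation, e.g. `/* SIZE (2 * msize) bounds every product mul_mod writes into XP. */`, and checked against mul_mod before this lands. The first of the two nested hunks sits in a second definition, `mpi_powm( MPI res, MPI base, MPI exponent, MPI mod)` at line 162; whether that body is compiled at all cannot be told from the hunk.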
@@ -0,0 +1,75 @@
+From 8fd9f72e1b2e578e45c98c978cab4f6d47683d2c Mon Sep 17 00:00:00 2001
+From: Marcus Brinkmann
+Date: Fri, 7 Jul 2017 21:03:10 +0900
+Subject: [PATCH] rsa: Add exponent blinding.
+
+* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
+nonce R for mpi_powm computation.
+
+--
+
+Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.
+
+Signed-off-by: Marcus Brinkmann
+---
+ cipher/rsa.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 5efab1d..5d7b4f7 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -29,6 +29,7 @@
+ #include
+ #include "util.h"
+ #include "mpi.h"
++#include "../mpi/mpi-internal.h"
+ #include "cipher.h"
+ #include "rsa.h"
+
+@@ -325,14 +326,38 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
+ # endif /* USE_BLINDING */
+
+ /* RSA secret operation: */
+- /* m1 = c ^ (d mod (p-1)) mod p */
++ MPI D_blind = mpi_alloc_secure (nlimbs);
++ MPI rr;
++ unsigned int rr_nbits;
++
++ rr_nbits = mpi_get_nbits (skey->p) / 4;
++ if (rr_nbits < 96)
++ rr_nbits = 96;
++ rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
++
++ /* d_blind = (d mod (p-1)) + (p-1) * r */
++ /* m1 = c ^ d_blind mod p */
++ randomize_mpi (rr, rr_nbits, 0);
++ mpi_set_highbit (rr, rr_nbits - 1);
+ mpi_sub_ui( h, skey->p, 1 );
++ mpi_mul ( D_blind, h, rr );
+ mpi_fdiv_r( h, skey->d, h );
+- mpi_powm( m1, input, h, skey->p );
+- /* m2 = c ^ (d mod (q-1)) mod q */
++ mpi_add ( D_blind, D_blind, h );
++ mpi_powm ( m1, input, D_blind, skey->p );
++
++ /* d_blind = (d mod (q-1)) + (q-1) * r */
++ /* m2 = c ^ d_blind mod q */
++ randomize_mpi (rr, rr_nbits, 0);
++ mpi_set_highbit (rr, rr_nbits - 1);
+ mpi_sub_ui( h, skey->q, 1 );
++ mpi_mul ( D_blind, h, rr );
+ mpi_fdiv_r( h, skey->d, h );
+- mpi_powm( m2, input, h, skey->q );
++ mpi_add ( D_blind, D_blind, h );
++ mpi_powm ( m2, input, D_blind, skey->q );
++
++ mpi_free ( rr );
++ mpi_free ( D_blind );
++
+ /* h = u * ( m2 - m1 ) mod q */
+ mpi_sub( h, m2, m1 );
+ if ( mpi_is_neg( h ) )
+--
+2.8.0.rc3
+
diff -Nru gnupg-1.4.20/debian/patches/CVE-2017-7526-5.patch gnupg-1.4.20/debian/patches/CVE-2017-7526-5.patch
--- gnupg-1.4.20/debian/patches/CVE-2017-7526-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg-1.4.20/debian/patches/CVE-2017-7526-5.patch 2018-08-06 00:30:16.000000000 +0000
@@ -0,0 +1,43 @@
+From 994d5b707559a800a650dc7f273372f509d74780 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka
+Date: Fri, 7 Jul 2017 21:20:56 +0900
+Subject: [PATCH] rsa: Allow different build directory.
+
+* cipher/Makefile.am (AM_CPPFLAGS): Add mpi dirs.
+* cipher/rsa.c: Change include file.
+
+Signed-off-by: NIIBE Yutaka
+---
+ cipher/Makefile.am | 2 +-
+ cipher/rsa.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/Makefile.am b/cipher/Makefile.am
+index 6b923b2..bd79fbc 100644
+--- a/cipher/Makefile.am
++++ b/cipher/Makefile.am
+@@ -17,7 +17,7 @@
+ # along with this program; if not, see .
+ ## Process this file with automake to produce Makefile.in
+
+-AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl
++AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl -I$(top_srcdir)/mpi -I../mpi
+
+ if ! HAVE_DOSISH_SYSTEM
+ AM_CPPFLAGS += -DGNUPG_LIBDIR="\"$(libdir)/@PACKAGE@\""
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 5d7b4f7..84a1af0 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -29,7 +29,7 @@
+ #include
+ #include "util.h"
+ #include "mpi.h"
+-#include "../mpi/mpi-internal.h"
++#include "mpi-internal.h"
+ #include "cipher.h"
+ #include "rsa.h"
+
+--
+2.8.0.rc3
+
diff -Nru gnupg-1.4.20/debian/patches/CVE-2018-12020.patch gnupg-1.4.20/debian/patches/CVE-2018-12020.patch
--- gnupg-1.4.20/debian/patches/CVE-2018-12020.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg-1.4.20/debian/patches/CVE-2018-12020.patch 2018-06-08 22:51:10.000000000 +0000
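Review bot: `MPI D_blind = mpi_alloc_secure (nlimbs);`, `MPI rr;` and `unsigned int rr_nbits;` are declared after executable statements in the body of secret() (the `# endif /* USE_BLINDING */` block precedes them), which is a C99 mixed declaration; if any build of this 1.4 tree still uses a C89 mode the patch will not compile there, so the three declarations belong at the top of the enclosing block. The size of D_blind is an unstated assumption: (p-1) * r + (d mod (p-1)) needs the limbs of p plus those of r (p/4 bits, at least 96), so `nlimbs`, which is set outside the hunk, must be at least that large — worth a comment at the allocation such as `/* NLIMBS must hold (p-1)*r + (d mod (p-1)); r has at most max(96, nbits(p)/4) bits. */` and a check against the definition. Whether `mpi_free ( rr );` scrubs the nonce is not visible here; if secure-memory free does not wipe, the two nonces and D_blind should be cleared explicitly before release. secret() continues on both sides of the nested hunk.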
@@ -0,0 +1,41 @@
+From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Fri, 8 Jun 2018 10:45:21 +0200
+Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
+
+* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
+--
+
+This fixes a forgotten sanitation of user supplied data in a verbose
+mode diagnostic. The mention CVE is about using this to inject
+status-fd lines into the stderr output. Other harm good as well be
+done. Note that GPGME based applications are not affected because
+GPGME does not fold status output into stderr.
+
+CVE-id: CVE-2018-12020
+GnuPG-bug-id: 4012
+(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
+---
+ g10/mainproc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/g10/mainproc.c b/g10/mainproc.c
+index 33a654b34..ffa7ef6d8 100644
+--- a/g10/mainproc.c
++++ b/g10/mainproc.c
+@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+ if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
+ log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
+ else if( opt.verbose )
+- log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
++ {
++ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
++ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
++ xfree (tmp);
++ }
+ free_md_filter_context( &c->mfx );
+ c->mfx.md = md_open( 0, 0);
+ /* fixme: we may need to push the textfilter if we have sigclass 1
+--
+2.17.1
+
diff -Nru gnupg-1.4.20/debian/patches/not-cve-34c649b3-gpg1.diff gnupg-1.4.20/debian/patches/not-cve-34c649b3-gpg1.diff
--- gnupg-1.4.20/debian/patches/not-cve-34c649b3-gpg1.diff 1970-01-01 00:00:00.000000000 +0000
+++ gnupg-1.4.20/debian/patches/not-cve-34c649b3-gpg1.diff 2022-06-30 15:15:51.000000000 +0000
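Review bot: After `make_printable_string` the name is an ordinary NUL-terminated string, so `log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);` passes a length only to keep the existing `%.*s` msgid; that is a reasonable choice (presumably so the translation catalogs need no update — inferred, not visible in the hunk) but it reads like a leftover and deserves a one-line comment, e.g. `/* Keep %.*s so the translated msgid is unchanged; TMP is NUL-terminated. */`. The third argument `0` to make_printable_string is a bare flag value whose meaning is not visible here; naming what it selects in the same comment would help the next reader. proc_plaintext continues on both sides of the nested hunk.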
@@ -0,0 +1,25 @@
+Index: gnupg-1.4.20/g10/status.c
+===================================================================
+--- gnupg-1.4.20.orig/g10/status.c
++++ gnupg-1.4.20/g10/status.c
+@@ -305,17 +305,14 @@ write_status_text_and_buffer ( int no, c
+ }
+ first = 0;
+ }
+- for (esc=0, s=buffer, n=len; n && !esc; s++, n-- ) {
++ for (esc=0, s=buffer, n=len; n; s++, n-- ) {
+ if ( *s == '%' || *(const byte*)s <= lower_limit
+ || *(const byte*)s == 127 )
+ esc = 1;
+- if ( wrap && ++count > wrap ) {
++ if ( wrap && ++count > wrap )
+ dowrap=1;
++ if (esc || dowrap)
+ break;
+- }
+- }
+- if (esc) {
+- s--; n++;
+ }
+ if (s != buffer)
+ fwrite (buffer, s-buffer, 1, statusfp );
diff -Nru gnupg-1.4.20/debian/patches/series gnupg-1.4.20/debian/patches/series
--- gnupg-1.4.20/debian/patches/series 2016-02-09 19:31:14.000000000 +0000
+++ gnupg-1.4.20/debian/patches/series 2022-06-30 15:15:51.000000000 +0000
@@ -2,3 +2,12 @@
 disable_mlock_test.patch
 use_agent_default.patch
 lp1541925.patch
+CVE-2016-6313-1.patch
+CVE-2016-6313-2.patch
+CVE-2018-12020.patch
+CVE-2017-7526-1.patch
+CVE-2017-7526-2.patch
+CVE-2017-7526-3.patch
+CVE-2017-7526-4.patch
+CVE-2017-7526-5.patch
+not-cve-34c649b3-gpg1.diff
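Review bot: The rewritten scan depends on `break` leaving `s` on the byte that set `esc` or `dowrap`, because the loop's `s++, n--` runs only when the body completes; that is exactly why the removed `if (esc) { s--; n++; }` fix-up is no longer needed, and the `fwrite (buffer, s-buffer, 1, statusfp );` below relies on it, so it should be said in a comment above `if (esc || dowrap)`: `/* Break before the increment: S stays on the byte to escape or on the wrap point. */`. Unlike the git-formatted patches in this series, this file carries no header, so its origin (upstream rG34c649b3601383cd11dbc76221747ec16fd68e1b per debian/changelog) and purpose are recorded nowhere in the patch itself; a DEP-3 `Origin:`/`Description:` block at the top would fix that. write_status_text_and_buffer starts and ends outside the nested hunk.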