[pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie

NIIBE Yutaka gniibe at fsij.org
Tue Aug 29 00:57:51 UTC 2017


Hello, Guido,

Guido Günther <agx at sigxcpu.org> wrote:
> I just looked into fixing CVE-2017-7526 for gnupg in wheezy. Based on
> https://dev.gnupg.org/D438 I backported what I deemed are the necessary
> patches. Does this look sane? 

I'm not GnuPG package maintainers, but one of upstream developers.
For me, it look sane.

Let me explain patches, just in case.

For GnuPG 2.0 and 2.1, it is fixed by libgcrypt.  In case of GnuPG 1.4,
it is fixed in 1.4.22.

For CVE-2017-7526, what we did is two things.

(1) Same computation

    It's by the commit:
    12029f83fd0a
    mpi: Same computation for square and multiply for mpi_pow.

(2) Exponent blinding

    It's D438.

The intention of (1) is to minimize the information to side channel(s).
The intention of (2) is to maximize the noise to side channel(s).

Either of (1) or (2) (or both) can mitigate the attack.  My own response
was (1)-only, but the authors of the paper suggested (2) is recommended.

In 1.4.22, we have both.

(2)-only makes sense.  And, it consists of three patches in GnuPG 1.4,
which is...

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
> @@ -0,0 +1,71 @@
> +From: Marcus Brinkmann <mb at g10code.com>
> +Date: Fri, 7 Jul 2017 21:03:10 +0900
> +Subject: CVE-2017-7526: rsa: Add exponent blinding.

(a) This is a naive port from libgcrypt.

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
> @@ -0,0 +1,53 @@
> +From: NIIBE Yutaka <gniibe at fsij.org>
> +Date: Fri, 7 Jul 2017 21:20:56 +0900
> +Subject: CVE-2017-7526: rsa: Allow different build directory.

(b) This is the fix because the patch (a) breaks building by another
    directory.

> +++ b/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
> @@ -0,0 +1,46 @@
> +From: NIIBE Yutaka <gniibe at fsij.org>
> +Date: Fri, 7 Jul 2017 21:51:42 +0900
> +Subject: CVE-2017-7526: rsa: Reduce secmem pressure.

(c) This is a particular fix of GnuPG 1.4 over the patch (a).  This is
    important for GnuPG 1.4 to avoid regression.  Without this patch,
    the exponent blinding requires more "secure memory" for the crypto
    computation ("secure memory" is a small memory chunk which cannot be
    swapped out.)  In case of libgcrypt, secure memory handling is more
    robust, but for GnuPG 1.4, it might just fail.  So, I put this
    change.  With this change, it has no more memory pressure.
-- 



More information about the pkg-gnupg-maint mailing list