[pkg-gnupg-maint] Fixing CVE-2017-7526 in for wheezy / jessie
NIIBE Yutaka
gniibe at fsij.org
Tue Aug 29 00:57:51 UTC 2017
Hello, Guido,
Guido Günther <agx at sigxcpu.org> wrote:
> I just looked into fixing CVE-2017-7526 for gnupg in wheezy. Based on
> https://dev.gnupg.org/D438 I backported what I deemed are the necessary
> patches. Does this look sane?
I'm not a GnuPG package maintainer, but one of the upstream developers.
For me, it looks sane.
Let me explain the patches, just in case.
For GnuPG 2.0 and 2.1, it is fixed by libgcrypt. In the case of GnuPG 1.4,
it is fixed in 1.4.22.
For CVE-2017-7526, what we did was two things.
(1) Same computation
It's by the commit:
12029f83fd0a
mpi: Same computation for square and multiply for mpi_pow.
(2) Exponent blinding
It's D438.
The intention of (1) is to minimize the information to side channel(s).
The intention of (2) is to maximize the noise to side channel(s).
Either of (1) or (2) (or both) can mitigate the attack. My own response
was (1)-only, but the authors of the paper suggested (2) is recommended.
In 1.4.22, we have both.
(2)-only makes sense. And, it consists of three patches in GnuPG 1.4,
which is...
> +++ b/debian/patches/security/CVE-2017-7526-rsa-Add-exponent-blinding.patch
> @@ -0,0 +1,71 @@
> +From: Marcus Brinkmann <mb at g10code.com>
> +Date: Fri, 7 Jul 2017 21:03:10 +0900
> +Subject: CVE-2017-7526: rsa: Add exponent blinding.
(a) This is a naive port from libgcrypt.
> +++ b/debian/patches/security/CVE-2017-7526-rsa-Allow-different-build-directory.patch
> @@ -0,0 +1,53 @@
> +From: NIIBE Yutaka <gniibe at fsij.org>
> +Date: Fri, 7 Jul 2017 21:20:56 +0900
> +Subject: CVE-2017-7526: rsa: Allow different build directory.
(b) This is the fix because patch (a) breaks building in another
directory.
> +++ b/debian/patches/security/CVE-2017-7526-rsa-Reduce-secmem-pressure.patch
> @@ -0,0 +1,46 @@
> +From: NIIBE Yutaka <gniibe at fsij.org>
> +Date: Fri, 7 Jul 2017 21:51:42 +0900
> +Subject: CVE-2017-7526: rsa: Reduce secmem pressure.
(c) This is a GnuPG 1.4-specific fix on top of patch (a). This is
important for GnuPG 1.4 to avoid a regression. Without this patch,
the exponent blinding requires more "secure memory" for the crypto
computation ("secure memory" is a small memory chunk which cannot be
swapped out). In the case of libgcrypt, secure memory handling is more
robust, but for GnuPG 1.4, it might just fail. So, I put in this
change. With this change, it has no more memory pressure.
--
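An added illustration of the two mitigations described in the message above, written for this page and not taken from the thread, GnuPG or libgcrypt: a square-and-multiply loop whose squaring step reuses the multiply routine (mitigation (1)) and exponent blinding with d + r*phi(n) (mitigation (2)). The textbook-sized key, the 32-bit blinding factor and all function names are constructed assumptions; pure Python is not constant-time, so the block shows the structure of the countermeasures, not a hardened implementation.

```python
import secrets

def blind_exponent(d, p, q, r):
    """Return d + r*phi(n) with phi(n) = (p-1)(q-1).

    c^phi == 1 (mod n) whenever gcd(c, n) == 1, and for multiples of p or q
    c^(d + r*phi) == c^d (mod n) still holds by CRT, so the blinded exponent
    decrypts identically while the bit pattern walked by the loop changes
    on every call (mitigation (2)).
    """
    return d + r * (p - 1) * (q - 1)

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation in the spirit of mitigation (1):
    the squaring step calls the very same mul() as the multiply step, so
    there is no dedicated squaring routine whose execution could be told
    apart from a multiplication."""
    def mul(a, b):
        return (a * b) % mod
    acc = 1
    for bit in bin(exp)[2:]:
        acc = mul(acc, acc)        # square, via the multiply routine
        if bit == "1":
            acc = mul(acc, base)   # multiply
    return acc

def rsa_private_blinded(c, d, p, q, r=None):
    """Compute c^d mod n with a fresh random blinding factor unless one
    is supplied explicitly (for reproducible checks)."""
    if r is None:
        r = secrets.randbits(32) | 1   # constructed: odd, hence never zero
    return square_and_multiply(c, blind_exponent(d, p, q, r), p * q)

# Constructed toy key (illustration only): n = 61*53 = 3233, e = 17,
# d = 2753; the ciphertext of m = 65 under e is 2790.
P, Q, E, D = 61, 53, 17, 2753

if __name__ == "__main__":
    c = pow(65, E, P * Q)
    # Each call uses a different exponent yet yields the same plaintext.
    print(c, [rsa_private_blinded(c, D, P, Q) for _ in range(3)])
```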