[Git][java-team/libeddsa-java][master] Import Debian changes 0.3.0-2.1

Pierre Gruet (@pgt) gitlab at salsa.debian.org
Sun Mar 23 20:59:45 GMT 2025



Pierre Gruet pushed to branch master at Debian Java Maintainers / libeddsa-java


Commits:
20184cd0 by Bastian Germann at 2025-03-23T21:59:27+01:00
Import Debian changes 0.3.0-2.1

libeddsa-java (0.3.0-2.1) unstable; urgency=medium
.
  * Non-maintainer upload.
  * Fix CVE-2020-36843 (Closes: #1100993)

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2020-36843.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+libeddsa-java (0.3.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2020-36843 (Closes: #1100993)
+
+ -- Bastian Germann <bage at debian.org>  Fri, 21 Mar 2025 19:30:49 +0100
+
 libeddsa-java (0.3.0-2) unstable; urgency=medium
 
   * Source-only upload to unstable


=====================================
debian/patches/CVE-2020-36843.patch
=====================================
@@ -0,0 +1,47 @@
+Origin: https://github.com/i2p/i2p.i2p/commit/d7d1dcb5399c61cf2916ccc45aa25b0209c88712
+From: zzz <zzz at mail.i2p>
+Date: Tue, 12 Mar 2019 12:55:58 +0000
+Subject: Crypto: Ed25519 check for S < L as in RFC 8032
+
+Backport to https://github.com/str4d/ed25519-java
+---
+diff --git a/src/net/i2p/crypto/eddsa/EdDSAEngine.java b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
+index 1f0ba6d..9a1dbf0 100644
+--- a/src/net/i2p/crypto/eddsa/EdDSAEngine.java
++++ b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
+@@ -12,6 +12,7 @@
+ package net.i2p.crypto.eddsa;
+ 
+ import java.io.ByteArrayOutputStream;
++import java.math.BigInteger;
+ import java.nio.ByteBuffer;
+ import java.security.InvalidAlgorithmParameterException;
+ import java.security.InvalidKeyException;
+@@ -29,6 +30,7 @@ import java.util.Arrays;
+ import net.i2p.crypto.eddsa.math.Curve;
+ import net.i2p.crypto.eddsa.math.GroupElement;
+ import net.i2p.crypto.eddsa.math.ScalarOps;
++import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
+ import sun.security.x509.X509Key;
+ 
+ /**
+@@ -68,6 +70,7 @@ import sun.security.x509.X509Key;
+  */
+ public final class EdDSAEngine extends Signature {
+     public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
++    private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
+ 
+     private MessageDigest digest;
+     private ByteArrayOutputStream baos;
+@@ -306,6 +309,11 @@ public final class EdDSAEngine extends Signature {
+         h = key.getParams().getScalarOps().reduce(h);
+ 
+         byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
++        // RFC 8032
++        BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
++        if (Sbigint.compareTo(ORDER) >= 0)
++            return false;
++
+         // R = SB - H(Rbar,Abar,M)A
+         GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
+                 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
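Review bot: The new `ORDER` constant in `EdDSAEngine` is the Ed25519 group order, hard-coded, while the verify code around the check takes its scalar ops and base point from `key.getParams()`. If the engine is ever given a key with different parameters, the `Sbigint.compareTo(ORDER) >= 0` test would compare against the wrong order. The patch shows no accessor for the order on the parameter spec, so I would at least document the assumption with `// Ed25519 group order L (RFC 8032, 5.1); only valid for Ed25519 parameters` above `ORDER`, and expand `// RFC 8032` to `// RFC 8032, 5.1.7: reject S >= L so a signature with S + L is not accepted as a second valid encoding`. The patch touches only `EdDSAEngine.java`, so nothing here exercises the rejection path; a regression test that expects verification to fail for a signature whose S has had L added would pin the fix. The enclosing verify method starts and ends outside the hunk.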


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 packaging_type.patch
 add-opens_in_test.patch
+CVE-2020-36843.patch



View it on GitLab: https://salsa.debian.org/java-team/libeddsa-java/-/commit/20184cd027935df4063b36dd84b8da52f25e079c
