Bug#1100993: libeddsa-java: CVE-2020-36843
Bastian Germann
bage at debian.org
Fri Mar 21 18:36:59 GMT 2025
Control: tags -1 patch
I am uploading a fix for this as NMU.
The debdiff is attached.
-------------- next part --------------
diff -Nru libeddsa-java-0.3.0/debian/changelog libeddsa-java-0.3.0/debian/changelog
--- libeddsa-java-0.3.0/debian/changelog 2024-05-11 17:48:56.000000000 +0200
+++ libeddsa-java-0.3.0/debian/changelog 2025-03-21 19:30:49.000000000 +0100
@@ -1,3 +1,10 @@
+libeddsa-java (0.3.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2020-36843 (Closes: #1100993)
+
+ -- Bastian Germann <bage at debian.org> Fri, 21 Mar 2025 19:30:49 +0100
+
libeddsa-java (0.3.0-2) unstable; urgency=medium
* Source-only upload to unstable
diff -Nru libeddsa-java-0.3.0/debian/patches/CVE-2020-36843.patch libeddsa-java-0.3.0/debian/patches/CVE-2020-36843.patch
--- libeddsa-java-0.3.0/debian/patches/CVE-2020-36843.patch 1970-01-01 01:00:00.000000000 +0100
+++ libeddsa-java-0.3.0/debian/patches/CVE-2020-36843.patch 2025-03-21 19:28:37.000000000 +0100
@@ -0,0 +1,47 @@
+Origin: https://github.com/i2p/i2p.i2p/commit/d7d1dcb5399c61cf2916ccc45aa25b0209c88712
+From: zzz <zzz at mail.i2p>
+Date: Tue, 12 Mar 2019 12:55:58 +0000
+Subject: Crypto: Ed25519 check for S < L as in RFC 8032
+
+Backport to https://github.com/str4d/ed25519-java
+---
+diff --git a/src/net/i2p/crypto/eddsa/EdDSAEngine.java b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
+index 1f0ba6d..9a1dbf0 100644
+--- a/src/net/i2p/crypto/eddsa/EdDSAEngine.java
++++ b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
+@@ -12,6 +12,7 @@
+ package net.i2p.crypto.eddsa;
+
+ import java.io.ByteArrayOutputStream;
++import java.math.BigInteger;
+ import java.nio.ByteBuffer;
+ import java.security.InvalidAlgorithmParameterException;
+ import java.security.InvalidKeyException;
+@@ -29,6 +30,7 @@ import java.util.Arrays;
+ import net.i2p.crypto.eddsa.math.Curve;
+ import net.i2p.crypto.eddsa.math.GroupElement;
+ import net.i2p.crypto.eddsa.math.ScalarOps;
++import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
+ import sun.security.x509.X509Key;
+
+ /**
+@@ -68,6 +70,7 @@ import sun.security.x509.X509Key;
+ */
+ public final class EdDSAEngine extends Signature {
+ public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
++ private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
+
+ private MessageDigest digest;
+ private ByteArrayOutputStream baos;
+@@ -306,6 +309,11 @@ public final class EdDSAEngine extends Signature {
+ h = key.getParams().getScalarOps().reduce(h);
+
+ byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
++ // RFC 8032
++ BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
++ if (Sbigint.compareTo(ORDER) >= 0)
++ return false;
++
+ // R = SB - H(Rbar,Abar,M)A
+ GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
+ ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
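Review bot: The new `S < L` check decodes `Sbyte` through `new BigIntegerLittleEndianEncoding()` with no field set, and `toBigInteger` is not shown in this debdiff. It should be confirmed against the packaged 0.3.0 source that the method works on an unconfigured instance and keeps every bit of `Sbyte`; if it applied field-derived state such as a mask, the comparison could throw or see a different value than the one later passed to `doubleScalarMultiplyVariableTime`. `ORDER` is hard-coded to the Ed25519 group order while the surrounding code takes the scalar ops and base point from `key.getParams()`, so it deserves a comment such as `// Ed25519 group order L (RFC 8032); this check is Ed25519-specific`, and the bare `// RFC 8032` would read better as `// RFC 8032 5.1.7: reject non-canonical S (S >= L)`. The debdiff adds no test; one asserting that verification returns false when S is at or above the order would keep the fix from regressing. The verify method starts and ends outside this hunk.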
diff -Nru libeddsa-java-0.3.0/debian/patches/series libeddsa-java-0.3.0/debian/patches/series
--- libeddsa-java-0.3.0/debian/patches/series 2024-04-27 21:00:48.000000000 +0200
+++ libeddsa-java-0.3.0/debian/patches/series 2025-03-21 19:29:27.000000000 +0100
@@ -1,2 +1,3 @@
packaging_type.patch
add-opens_in_test.patch
+CVE-2020-36843.patch