[Buildroot] [PATCH] package/botan: add upstream security fix for CVE-2021-40529
Peter Korsgaard
peter at korsgaard.com
Sat Sep 18 16:42:46 UTC 2021
Fixes the following security issue:
- CVE-2021-40529: The ElGamal implementation in Botan through 2.18.1, as
used in Thunderbird and other products, allows plaintext recovery because,
during interaction between two cryptographic libraries, a certain
dangerous combination of the prime defined by the receiver's public key,
the generator defined by the receiver's public key, and the sender's
ephemeral exponents can lead to a cross-configuration attack against
OpenPGP
For more details, see the upstream bug and issue writeup:
- https://github.com/randombit/botan/pull/2790
- https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
...d-using-short-exponents-with-ElGamal.patch | 38 +++++++++++++++++++
package/botan/botan.mk | 3 ++
2 files changed, 41 insertions(+)
create mode 100644 package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch
diff --git a/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch b/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch
new file mode 100644
index 0000000000..e2570cd5ff
--- /dev/null
+++ b/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch
@@ -0,0 +1,38 @@
+From 9a23e4e3bc3966340531f2ff608fa9d33b5185a2 Mon Sep 17 00:00:00 2001
+From: Jack Lloyd <jack at randombit.net>
+Date: Tue, 3 Aug 2021 18:20:29 -0400
+Subject: [PATCH] Avoid using short exponents with ElGamal
+
+Some off-brand PGP implementation generates keys where p - 1 is
+smooth, as a result short exponents can leak enough information about
+k to allow decryption.
+
+Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
+[Peter: Drop tests, CVE-2021-40529]
+---
+ src/lib/pubkey/elgamal/elgamal.cpp | 8 +++-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/lib/pubkey/elgamal/elgamal.cpp b/src/lib/pubkey/elgamal/elgamal.cpp
+index b3ec6df2c..0e33c2ca5 100644
+--- a/src/lib/pubkey/elgamal/elgamal.cpp
++++ b/src/lib/pubkey/elgamal/elgamal.cpp
+@@ -113,8 +113,12 @@ ElGamal_Encryption_Operation::raw_encrypt(const uint8_t msg[], size_t msg_len,
+ if(m >= m_group.get_p())
+ throw Invalid_Argument("ElGamal encryption: Input is too large");
+
+- const size_t k_bits = m_group.exponent_bits();
+- const BigInt k(rng, k_bits);
++ /*
++ Some ElGamal implementations foolishly use prime fields where p - 1 is
++ smooth, as a result it is unsafe to use short exponents.
++ */
++ const size_t k_bits = m_group.p_bits() - 1;
++ const BigInt k(rng, k_bits, false);
+
+ const BigInt a = m_group.power_g_p(k, k_bits);
+ const BigInt b = m_group.multiply_mod_p(m, monty_execute(*m_monty_y_p, k, k_bits));
+-
+--
+2.20.1
+
diff --git a/package/botan/botan.mk b/package/botan/botan.mk
index c23aba99dd..0ac528c990 100644
--- a/package/botan/botan.mk
+++ b/package/botan/botan.mk
@@ -11,6 +11,9 @@ BOTAN_LICENSE = BSD-2-Clause
BOTAN_LICENSE_FILES = license.txt
BOTAN_CPE_ID_VENDOR = botan_project
+# 0001-Avoid-using-short-exponents-with-ElGamal.patch
+BOTAN_IGNORE_CVES += CVE-2021-40529
+
BOTAN_INSTALL_STAGING = YES
BOTAN_CONF_OPTS = \
--
2.20.1
More information about the buildroot
mailing list