Package: gnupg / 1.4.12-7+deb7u7
Metadata
Package | Version | Patches format |
---|---|---|
gnupg | 1.4.12-7+deb7u7 | 3.0 (quilt) |
Patch series
Patch | File delta (lines added / removed) | Description |
---|---|---|
685627_french_translation_update.patch | po/fr.po (+1526 / -2880) | French translation proofread and updated. |
CVE-2012-6085.patch | g10/import.c (+22 / -1) | Fix memory and key database corruption on importing invalid keys by rejecting invalid keyblock packet types. |
CVE-2013-4242.patch | mpi/mpi-pow.c (+12 / -3) | Mitigate a flush+reload cache attack on RSA secret exponents. X-Git-Tag: gnupg-1.4.14~5 |
CVE-2013-4402.patch | g10/mainproc.c (+43 / -9) | [PATCH 1/2] gpg: Fix bug with deeply nested compressed packets. * g10/mainproc.c (MAX_NESTING_DEPTH): New. (proc_compressed): Return an error code. (check_nesting): New. (do_proc_packets): Check packet nesting depth. Handle errors from check_compressed. Signed-off-by: Werner Koch <wk@gnupg.org> |
CVE-2013-4351.patch | g10/getkey.c (+7 / -1) | (no description) |
CVE-2013-4576.patch | cipher/dsa.c (+4 / -2) | [PATCH 1/2] Use blinding for the RSA secret operation. * cipher/random.c (randomize_mpi): New. * g10/gpgv.c (randomize_mpi): New stub. * cipher/rsa.c (USE_BLINDING): Define macro. (secret): Implement blinding. -- GPG 1.x has never used any protection against timing attacks on the RSA secret operation. The rationale for this has been that there was no way to mount a remote timing attack on GnuPG. With the turning up of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this assumption no longer holds true and thus we need to do something about it. Blinding seems to be a suitable mitigation to the threat of key extraction. It does not help against distinguishing used keys, though. Note that GPG 2.x uses Libgcrypt which does blinding by default. The performance penalty is negligible: Modifying the core pubkey_sign or pubkey_decrypt function to run 100 times in a loop, the entire execution times for signing or decrypting a small message using a 4K RSA key on a Thinkpad X220 are: without blinding 5.2s (8.9s), with blinding 5.6s (9.3s). The numbers in parentheses give the values without the recently implemented k-ary exponentiation code. Thus for the next release the user will actually experience faster signing and decryption. A drawback of blinding is that we need random numbers even for decryption (albeit at low quality). Signed-off-by: Werner Koch <wk@gnupg.org> CVE-id: CVE-2013-4576 |
0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch | g10/compress.c (+12 / -9) | [PATCH] gpg: Avoid infinite loop in uncompressing garbled packets. * g10/compress.c (do_uncompress): Limit the number of extra FF bytes. -- A packet like (a3 01 5b ff) leads to an infinite loop. Using --max-output won't help if it is a partial packet. This patch actually fixes a regression introduced on 1999-05-31 (c34c6769). Actually it would be sufficient to stuff just one extra 0xff byte. Given that this problem popped up only after 15 years, I feel safer to allow for a very few FF bytes. Thanks to Olivier Levillain and Florian Maury for their detailed report. |
CVE-2014-5270.patch | mpi/mpi-pow.c (+443 / -0) | mpi: mpi-pow improvements. X-Git-Tag: gnupg-1.4.16~7 |
0001-Screen-keyserver-responses.patch | g10/import.c (+44 / -17) | [PATCH] Screen keyserver responses. * g10/main.h: Typedef import_filter for filter callbacks. * g10/import.c (import): Add filter callbacks to param list. (import_one): Ditto. (import_secret_one): Ditto. (import_keys_internal): Ditto. (import_keys_stream): Ditto. * g10/keyserver.c (keyserver_retrieval_filter): New. (keyserver_spawn): Pass filter to import_keys_stream() -- These changes introduce import functions that apply a constraining filter to imported keys. These filters can verify the fingerprints of the keys returned before importing them into the keyring, ensuring that the keys fetched from the keyserver are in fact those selected by the user beforehand. Signed-off-by: Stefan Tomanek <tomanek@internet-sicherheit.de> Re-indentation and minor changes by wk. |
0001-Make-screening-of-keyserver-result-work-with-multi-k.patch | g10/keyserver.c (+45 / -22) | [PATCH] Make screening of keyserver result work with multi-key commands. * g10/keyserver.c (ks_retrieval_filter_arg_s): New. (keyserver_retrieval_filter): Use new struct and check all descriptions. (keyserver_spawn): Pass filter arg using the new struct. -- This is a fix for commit 52303043. The old code only worked for a single key. It failed as soon as several keys are specified ("gpg --refresh-keys" or "gpg --recv-key A B C"). |
0001-Add-kbnode_t-for-easier-backporting.patch | g10/global.h (+1 / -0) | [PATCH 1/2] Add kbnode_t for easier backporting. * g10/global.h (kbnode_t): New. |
0002-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch | g10/import.c (+10 / -10) | [PATCH 2/2] gpg: Fix regression due to the keyserver import filter. * g10/keyserver.c (keyserver_retrieval_filter): Change args. Rewrite to take subpackets into account. * g10/import.c (import_one, import_secret_one): Pass keyblock to filter. -- GnuPG-bug-id: 1680 Resolved conflicts: g10/main.h - s/import_filter/import_filter_t/g |
CVE-2014-3591.patch | cipher/elgamal.c (+49 / -14) | [PATCH 1/1] Use ciphertext blinding for Elgamal decryption. * cipher/elgamal.c (USE_BLINDING): New. (decrypt): Rewrite to use ciphertext blinding. -- CVE-id: CVE-2014-3591 As a countermeasure to new side-channel attacks on sliding windows exponentiation we blind the ciphertext for Elgamal decryption. This is similar to what we are doing with RSA. Unfortunately, the performance impact of Elgamal blinding is quite noticeable: For a 3072 bit Elgamal key the decryption used to take 13ms; with the blinding it takes 24ms. This has been measured using time(1), calling gpg with a 100 byte message, and having gpg modified to run the pubkey_decrypt function 100 times and finally scale the result (using an i5-2410M CPU @ 2.30GHz TP 220). |
CVE-2015-0837.patch | include/mpi.h (+1 / -0) | [PATCH] mpi: Avoid data-dependent timing variations in mpi_powm. * include/mpi.h, mpi/mpiutils.c (mpi_set_cond): New. * mpi/mpi-pow.c (SIZE_PRECOMP): Rename from SIZE_B_2I3. (mpi_powm): Access all data in the table and use mpi_set_cond. -- Access to the precomputed table was indexed by a portion of EXPO, which could be mounted by a side channel attack. This change fixes this particular data-dependent access pattern. |
CVE-2015-1606.patch | g10/keyring.c (+23 / -4) | [PATCH 1/1] gpg: Prevent an invalid memory read using a garbled keyring. * g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet types. * g10/keydb.c (parse_keyblock_image): Ditto. -- The keyring DB code did not reject packets which don't belong in a keyring. If for example the keyblock contains a literal data packet it is expected that the processing code stops at the data packet and reads from the input stream which is referenced from the data packets. Obviously the keyring processing code does not and cannot do that. However, when exporting this messes up the IOBUF and leads to an invalid read of sizeof (int). We now skip all packets which are not allowed in a keyring. Reported-by: Hanno Böck <hanno@hboeck.de> Test data: gpg2 --no-default-keyring --keyring FILE --export >/dev/null With this unpacked data for FILE: |
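The table-access leak described under CVE-2015-0837 (the same family of cache attacks on mpi-pow.c that the CVE-2013-4242 entry mitigates), shown as an added example that is not GnuPG's code: a fixed-window modular exponentiation whose precomputed table is read either by direct indexing, so the cache line touched reveals the exponent digit, or by a branch-free scan over every entry in the spirit of the patch's mpi_set_cond. Everything below is this example's own construction: 32-bit limbs with 64-bit products instead of GnuPG's MPI type, the window width, the test modulus and the test values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t limb_t;     /* toy single limb; GnuPG's MPI has many of them */
typedef uint64_t dlimb_t;

#define WINDOW_BITS 4        /* assumption: window width chosen for this example */
#define TABLE_SIZE  ((size_t)1 << WINDOW_BITS)

static limb_t mulmod(limb_t a, limb_t b, limb_t n)
{
    return (limb_t)(((dlimb_t)a * b) % n);
}

/* Plain square-and-multiply, used only to cross-check the windowed results. */
static limb_t powm_reference(limb_t base, limb_t exp, limb_t n)
{
    limb_t acc = 1 % n;
    for (base %= n; exp; exp >>= 1) {
        if (exp & 1) acc = mulmod(acc, base, n);
        base = mulmod(base, base, n);
    }
    return acc;
}

typedef limb_t (*select_fn)(const limb_t *table, size_t count, size_t idx);

/* Leaky selection: the address loaded depends on idx, i.e. on exponent bits,
 * so a flush+reload probe on the table's cache lines recovers the digits. */
static limb_t table_select_leaky(const limb_t *table, size_t count, size_t idx)
{
    (void)count;
    return table[idx];
}

/* Constant-time selection: every entry is read, and a branch-free mask keeps
 * only the wanted one (the effect of mpi_set_cond applied to each entry). */
static limb_t table_select_ct(const limb_t *table, size_t count, size_t idx)
{
    limb_t result = 0;
    for (size_t i = 0; i < count; i++) {
        limb_t diff = (limb_t)i ^ (limb_t)idx;
        limb_t nonzero = (diff | ((limb_t)0 - diff)) >> 31;   /* 1 iff i != idx */
        limb_t mask = (limb_t)0 - (limb_t)(nonzero ^ 1);       /* all ones iff i == idx */
        result |= table[i] & mask;
    }
    return result;
}

/* Fixed-window exponentiation over a precomputed table base^0 .. base^(2^w-1).
 * The exponent is consumed in w-bit digits, each selecting a table entry; the
 * selection routine decides whether that access pattern leaks the exponent. */
static limb_t powm_window(limb_t base, limb_t exp, limb_t n, select_fn select)
{
    limb_t table[TABLE_SIZE];
    table[0] = 1 % n;
    for (size_t i = 1; i < TABLE_SIZE; i++)
        table[i] = mulmod(table[i - 1], base % n, n);

    limb_t acc = 1 % n;
    for (int shift = 32 - WINDOW_BITS; shift >= 0; shift -= WINDOW_BITS) {
        for (int k = 0; k < WINDOW_BITS; k++)
            acc = mulmod(acc, acc, n);                         /* acc = acc^(2^w) */
        size_t digit = (size_t)((exp >> shift) & (TABLE_SIZE - 1));
        acc = mulmod(acc, select(table, TABLE_SIZE, digit), n);
    }
    return acc;
}

/* Returns 1 when both selection strategies reproduce the reference result. */
static int selfcheck(void)
{
    const limb_t n = 4294967291u;                 /* 2^32 - 5, prime; constructed test modulus */
    const limb_t base = 0x12345678u, exp = 0xDEADBEEFu;
    limb_t want = powm_reference(base, exp, n);
    return powm_window(base, exp, n, table_select_leaky) == want
        && powm_window(base, exp, n, table_select_ct) == want;
}

int main(void)
{
    printf("self-check: %s\n", selfcheck() ? "ok" : "MISMATCH");
    printf("3^7 mod 100 = %u\n", powm_window(3, 7, 100, table_select_ct));
    return 0;
}
```

Both selectors return identical values, which is the point: the fix is purely about which memory the routine touches, not about the arithmetic, so a functional test cannot distinguish the leaky variant from the fixed one and the change has to be reviewed for access pattern.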
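The blinding that the CVE-2013-4576 and CVE-2014-3591 entries describe, as an added example (not the code in cipher/rsa.c or cipher/elgamal.c): the RSA secret operation is run on c*r^e and unblinded with r^-1, and Elgamal decryption raises a*r rather than the attacker's a to the secret exponent. Parameters are toy 32-bit values chosen for the example, the PRNG is a deterministic xorshift placeholder (GnuPG draws r via randomize_mpi), and the Elgamal arrangement with a second exponentiation is one standard way of doing it, not necessarily the patch's.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t limb_t;
typedef uint64_t dlimb_t;

static limb_t mulmod(limb_t a, limb_t b, limb_t n)
{
    return (limb_t)(((dlimb_t)a * b) % n);
}

static limb_t powm(limb_t base, limb_t exp, limb_t n)
{
    limb_t acc = 1 % n;
    for (base %= n; exp; exp >>= 1) {
        if (exp & 1) acc = mulmod(acc, base, n);
        base = mulmod(base, base, n);
    }
    return acc;
}

/* Extended Euclid; returns 0 when a has no inverse modulo n. */
static int invmod(limb_t a, limb_t n, limb_t *out)
{
    int64_t t = 0, newt = 1, r = n, newr = a % n;
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    if (t < 0) t += n;
    *out = (limb_t)t;
    return 1;
}

/* Placeholder PRNG (assumption: xorshift32, deterministic so the example
 * reproduces). A real implementation must draw r from a proper RNG. */
static limb_t weak_random(limb_t *state)
{
    limb_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Pick a blinding factor r in [2, n) that is invertible mod n; also return r^-1. */
static limb_t pick_blinding(limb_t *state, limb_t n, limb_t *r_inv)
{
    for (;;) {
        limb_t r = weak_random(state) % n;
        if (r > 1 && invmod(r, n, r_inv)) return r;
    }
}

/* RSA secret operation with base blinding:  m = ((c * r^e)^d) * r^-1 mod n.
 * The value raised to d is c*r^e, unknown to the attacker, so timing or
 * acoustic leakage of that exponentiation cannot be tied to a chosen c. */
static limb_t rsa_secret_blinded(limb_t c, limb_t d, limb_t e, limb_t n, limb_t *state)
{
    limb_t r_inv;
    limb_t r = pick_blinding(state, n, &r_inv);
    limb_t c_blind = mulmod(c, powm(r, e, n), n);
    limb_t m_blind = powm(c_blind, d, n);
    return mulmod(m_blind, r_inv, n);
}

/* Elgamal decryption m = b * (a^x)^-1 mod p with ciphertext blinding:
 *   a^x = (a*r)^x * (r^-1)^x
 * so the attacker-chosen a is never the base of the secret exponentiation.
 * The extra exponentiation is the price the patch reports. Returns 0 for a
 * malformed ciphertext with a = 0 mod p. */
static limb_t elgamal_decrypt_blinded(limb_t a, limb_t b, limb_t x, limb_t p, limb_t *state)
{
    limb_t r_inv, ax_inv;
    limb_t r = pick_blinding(state, p, &r_inv);
    limb_t t1 = powm(mulmod(a, r, p), x, p);   /* (a*r)^x */
    limb_t t2 = powm(r_inv, x, p);             /* r^-x   */
    if (!invmod(mulmod(t1, t2, p), p, &ax_inv)) return 0;
    return mulmod(b, ax_inv, p);
}

/* Toy RSA with constructed 16-bit primes; 1 when blinded decryption recovers m. */
static int rsa_demo(void)
{
    const limb_t p = 65521u, q = 65519u, e = 65537u;
    const limb_t n = p * q, phi = (p - 1) * (q - 1);
    limb_t d, state = 0x9E3779B9u;
    if (!invmod(e, phi, &d)) return 0;
    const limb_t m = 0x00C0FFEEu;
    const limb_t c = powm(m, e, n);
    return rsa_secret_blinded(c, d, e, n, &state) == m;
}

/* Toy Elgamal group (constructed): p = 1000000007, generator 5. 1 on round trip. */
static int elgamal_demo(void)
{
    const limb_t p = 1000000007u, g = 5u, x = 123456789u, m = 987654321u;
    limb_t state = 0x01234567u;
    limb_t y = powm(g, x, p);
    limb_t k = weak_random(&state) % (p - 2) + 1;
    limb_t a = powm(g, k, p), b = mulmod(m, powm(y, k, p), p);
    return elgamal_decrypt_blinded(a, b, x, p, &state) == m;
}

int main(void)
{
    printf("RSA blinding round trip: %s\n", rsa_demo() ? "ok" : "FAILED");
    printf("Elgamal blinding round trip: %s\n", elgamal_demo() ? "ok" : "FAILED");
    return 0;
}
```

As the CVE-2013-4576 message notes, blinding adds a dependency on randomness to decryption: if pick_blinding can only draw from a broken or predictable source, r is known to the attacker and the protection collapses, so the quality of that source belongs in the threat model even though it need not be cryptographic-grade.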
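The two packet-level fixes above, the nesting limit of CVE-2013-4402 and the keyring whitelist of CVE-2015-1606, as one added example that is not GnuPG's code: a minimal RFC 4880 packet walker that counts the compressed packets it has entered and refuses to recurse past a limit, and a keyring reader that skips packet types which do not belong there (such as the literal data packet in the report). Compressed packets with algorithm 0 (uncompressed) are used so nesting can be built and walked without zlib; MAX_NESTING_DEPTH, the allowed-tag list and the constructed packets are this example's choices, not values taken from the patches.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 4880 packet tags used here, and this example's error codes. */
enum { PKT_SIGNATURE = 2, PKT_SECRET_KEY = 5, PKT_PUBLIC_KEY = 6, PKT_SECRET_SUBKEY = 7,
       PKT_COMPRESSED = 8, PKT_LITERAL = 11, PKT_TRUST = 12, PKT_USER_ID = 13,
       PKT_PUBLIC_SUBKEY = 14, PKT_USER_ATTR = 17 };
enum { ERR_BAD_HEADER = -1, ERR_TOO_DEEP = -2, ERR_UNSUPPORTED = -3 };

#define MAX_NESTING_DEPTH 32   /* assumption: the limit chosen for this example */

struct pkt { int tag; const uint8_t *body; size_t body_len, total_len; };

/* Parse a new-format packet header (one-, two- or five-octet length; partial
 * body lengths are not handled) and check that the body fits in the buffer. */
static int parse_packet(const uint8_t *buf, size_t len, struct pkt *p)
{
    size_t hdr, blen;
    if (len < 2 || (buf[0] & 0xC0) != 0xC0) return ERR_BAD_HEADER;
    p->tag = buf[0] & 0x3F;
    if (buf[1] < 192) { blen = buf[1]; hdr = 2; }
    else if (buf[1] < 224 && len >= 3) { blen = ((size_t)(buf[1] - 192) << 8) + buf[2] + 192; hdr = 3; }
    else if (buf[1] == 255 && len >= 6) {
        blen = ((size_t)buf[2] << 24) | ((size_t)buf[3] << 16) | ((size_t)buf[4] << 8) | buf[5];
        hdr = 6;
    }
    else return ERR_BAD_HEADER;                   /* truncated header or partial body length */
    if (blen > len - hdr) return ERR_BAD_HEADER;  /* body would run past the buffer */
    p->body = buf + hdr; p->body_len = blen; p->total_len = hdr + blen;
    return 0;
}

/* Walk a packet sequence, descending into compressed packets. depth counts the
 * compressed packets already entered, so garbage cannot recurse without bound
 * (the check the patch adds as check_nesting). Only algorithm 0 is understood. */
static int proc_packets(const uint8_t *buf, size_t len, int depth)
{
    while (len > 0) {
        struct pkt p;
        int rc = parse_packet(buf, len, &p);
        if (rc < 0) return rc;
        if (p.tag == PKT_COMPRESSED) {
            if (depth + 1 > MAX_NESTING_DEPTH) return ERR_TOO_DEEP;
            if (p.body_len < 1 || p.body[0] != 0) return ERR_UNSUPPORTED;
            if ((rc = proc_packets(p.body + 1, p.body_len - 1, depth + 1)) < 0) return rc;
        }
        buf += p.total_len; len -= p.total_len;
    }
    return 0;
}

/* Packet types that may live in a keyring (this example's list; the patch's
 * own list in keyring.c is not shown on the page). */
static int keyring_tag_allowed(int tag)
{
    switch (tag) {
    case PKT_SIGNATURE: case PKT_SECRET_KEY: case PKT_PUBLIC_KEY: case PKT_SECRET_SUBKEY:
    case PKT_TRUST: case PKT_USER_ID: case PKT_PUBLIC_SUBKEY: case PKT_USER_ATTR: return 1;
    default: return 0;
    }
}

struct scan_result { int rc, kept, skipped; };

/* Read a keyblock, skipping anything not allowed in a keyring, e.g. a literal
 * data packet whose normal processing would redirect the input stream. */
static struct scan_result keyring_scan(const uint8_t *buf, size_t len)
{
    struct scan_result res = { 0, 0, 0 };
    struct pkt p;
    while (len > 0 && (res.rc = parse_packet(buf, len, &p)) == 0) {
        if (keyring_tag_allowed(p.tag)) res.kept++; else res.skipped++;
        buf += p.total_len; len -= p.total_len;
    }
    return res;
}

static size_t put_header(uint8_t *out, int tag, size_t body_len)   /* five-octet length form */
{
    out[0] = (uint8_t)(0xC0 | tag); out[1] = 0xFF;
    out[2] = (uint8_t)(body_len >> 24); out[3] = (uint8_t)(body_len >> 16);
    out[4] = (uint8_t)(body_len >> 8);  out[5] = (uint8_t)body_len;
    return 6;
}

/* Constructed input: a literal packet wrapped in `levels` algorithm-0 compressed packets. */
static size_t build_nested(uint8_t *out, size_t cap, int levels)
{
    static const uint8_t literal[] = { 'b', 0, 0, 0, 0, 0, 'h', 'i' };
    size_t n = put_header(out, PKT_LITERAL, sizeof literal);
    memcpy(out + n, literal, sizeof literal); n += sizeof literal;
    for (int i = 0; i < levels; i++) {
        if (n + 7 > cap) return 0;
        memmove(out + 7, out, n);                 /* room for header + algorithm octet */
        put_header(out, PKT_COMPRESSED, n + 1); out[6] = 0;
        n += 7;
    }
    return n;
}

static int nested_demo(int levels)
{
    uint8_t buf[512];
    size_t n = build_nested(buf, sizeof buf, levels);
    return n ? proc_packets(buf, n, 0) : ERR_BAD_HEADER;
}

/* Constructed keyblock (not a real key) with a literal data packet smuggled in. */
static struct scan_result keyring_demo(void)
{
    static const uint8_t kb[] = {
        0xC6, 6, 4, 0, 0, 0, 0, 1,               /* tag 6 public key, stub body */
        0xCD, 5, 'a', 'l', 'i', 'c', 'e',         /* tag 13 user ID */
        0xCB, 7, 'b', 0, 0, 0, 0, 0, 'x',         /* tag 11 literal data: not a keyring packet */
        0xC2, 4, 4, 0x13, 1, 8                    /* tag 2 signature, stub body */
    };
    return keyring_scan(kb, sizeof kb);
}

int main(void)
{
    struct scan_result r = keyring_demo();
    printf("nesting %d: rc=%d; nesting %d: rc=%d\n", MAX_NESTING_DEPTH,
           nested_demo(MAX_NESTING_DEPTH), MAX_NESTING_DEPTH + 1, nested_demo(MAX_NESTING_DEPTH + 1));
    printf("keyring scan: kept=%d skipped=%d\n", r.kept, r.skipped);
    return 0;
}
```

The depth counter is the whole fix for the nesting bug: without it, each compressed packet is a legitimate reason to recurse, and an attacker's file of nothing but compressed headers drives the stack as deep as they like. The keyring walker is deliberately dumber than the message processor: it never interprets a packet, only measures and classifies it, which is why an unexpected packet type can simply be skipped rather than handled.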
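The keyserver response screening described in the three import-filter patches above, as an added example (not g10/keyserver.c): the descriptors the user asked for, several at once as for "gpg --recv-key A B C", are checked against the primary key and every subkey of each returned keyblock, and keyblocks matching none are dropped before import. Fingerprints here are constructed byte strings rather than real keys, the descriptor kinds (fingerprint, long key ID, short key ID) and struct layout are this example's assumptions, and the key ID is taken as the trailing bytes of the fingerprint as for v4 keys.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FPR_LEN     20
#define MAX_SUBKEYS 4

/* How a requested key was specified (this example's descriptor types). */
enum desc_mode { DESC_FPR, DESC_LONG_KID, DESC_SHORT_KID };
struct desc { enum desc_mode mode; uint8_t bytes[FPR_LEN]; };

/* A keyblock as far as screening needs it: primary fingerprint plus subkeys. */
struct keyblock { uint8_t primary[FPR_LEN]; uint8_t subkeys[MAX_SUBKEYS][FPR_LEN]; size_t nsubkeys; };

/* For v4 keys the key ID is the low-order bytes of the fingerprint. */
static int fpr_matches_desc(const uint8_t *fpr, const struct desc *d)
{
    switch (d->mode) {
    case DESC_FPR:       return memcmp(fpr, d->bytes, FPR_LEN) == 0;
    case DESC_LONG_KID:  return memcmp(fpr + FPR_LEN - 8, d->bytes, 8) == 0;
    case DESC_SHORT_KID: return memcmp(fpr + FPR_LEN - 4, d->bytes, 4) == 0;
    }
    return 0;
}

/* Keep a keyblock only if some requested descriptor matches its primary key or
 * one of its subkeys; the subkey case is what the regression fix restores. */
static int keyblock_wanted(const struct keyblock *kb, const struct desc *descs, size_t ndescs)
{
    for (size_t i = 0; i < ndescs; i++) {
        if (fpr_matches_desc(kb->primary, &descs[i])) return 1;
        for (size_t s = 0; s < kb->nsubkeys; s++)
            if (fpr_matches_desc(kb->subkeys[s], &descs[i])) return 1;
    }
    return 0;
}

/* Filter the response in place before anything reaches the keyring; returns
 * the number of keyblocks kept. */
static size_t screen_response(struct keyblock *kbs, size_t n,
                              const struct desc *descs, size_t ndescs)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (keyblock_wanted(&kbs[i], descs, ndescs)) kbs[kept++] = kbs[i];
    return kept;
}

/* Constructed fingerprint: not a hash of anything, just distinct bytes. */
static void fill_fpr(uint8_t *fpr, uint8_t seed)
{
    for (size_t i = 0; i < FPR_LEN; i++) fpr[i] = (uint8_t)(seed * 7 + i);
}

/* Scenario: the user asked for key A by fingerprint and for key B by the long
 * key ID of one of B's subkeys; the keyserver also returns an unrelated key C.
 * Returns how many keyblocks survive screening (A and B, not C). */
static size_t screening_demo(void)
{
    struct keyblock resp[3];
    struct desc want[2];
    memset(resp, 0, sizeof resp);
    memset(want, 0, sizeof want);
    fill_fpr(resp[0].primary, 1);                                  /* key A */
    fill_fpr(resp[1].primary, 2);                                  /* key B ... */
    fill_fpr(resp[1].subkeys[0], 3); resp[1].nsubkeys = 1;         /* ... with one subkey */
    fill_fpr(resp[2].primary, 4);                                  /* key C, never requested */

    want[0].mode = DESC_FPR;
    memcpy(want[0].bytes, resp[0].primary, FPR_LEN);
    want[1].mode = DESC_LONG_KID;
    memcpy(want[1].bytes, resp[1].subkeys[0] + FPR_LEN - 8, 8);

    return screen_response(resp, 3, want, 2);
}

int main(void)
{
    printf("keyblocks kept after screening: %zu of 3\n", screening_demo());
    return 0;
}
```

The filter runs on what the keyserver actually returned, not on what was asked for, which is the property that matters: a server (or anyone between gpg and it) can return extra or substituted keys, and only a comparison against the identifiers the user supplied keeps them out of the keyring. Short key IDs are accepted here because the command line accepts them, but 32 bits are trivially collidable, so a match on a short ID is the weakest kind of screening this code can give.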