From b8ea0db3aebf6ec9b1f3720759897d97bc2fcd48 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 14 Jun 2018 16:26:57 -0400
Subject: gnu: OpenSSL 1.0.2: Fix CVE-2018-{0495,0732}.

* gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch, gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/tls.scm (openssl)[replacement]: New field. (openssl/fixed): New variable.
---
 gnu/local.mk | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'gnu/local.mk')

diff --git a/gnu/local.mk b/gnu/local.mk
index 2856186595..be3b2e31dd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -975,6 +975,8 @@ dist_patch_DATA = \
 %D%/packages/patches/openscenegraph-ffmpeg3.patch \
 %D%/packages/patches/opensmtpd-fix-crash.patch \
 %D%/packages/patches/openssl-runpath.patch \
+ %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \
+ %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \
 %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \
 %D%/packages/patches/openssl-c-rehash-in.patch \
 %D%/packages/patches/orpheus-cast-errors-and-includes.patch \
--
cgit v1.2.3

From 9f162c0ab42d8adecc1e23375ce8cb8090714399 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 14 Jun 2018 16:30:57 -0400
Subject: gnu: OpenSSL 1.1.0: Fix CVE-2018-{0495,0732}.

* gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch, gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/tls.scm (openssl-next)[source]: Use them.
---
 gnu/local.mk | 2 +
 .../patches/openssl-1.1.0-CVE-2018-0495.patch | 152 +++++++++++++++++++++
 .../patches/openssl-1.1.0-CVE-2018-0732.patch | 50 +++++++
 gnu/packages/tls.scm | 4 +-
 4 files changed, 207 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
 create mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch

(limited to 'gnu/local.mk')

diff --git a/gnu/local.mk b/gnu/local.mk
index be3b2e31dd..6ce446d91a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -977,6 +977,8 @@ dist_patch_DATA = \
 %D%/packages/patches/openssl-runpath.patch \
 %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \
 %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \
+ %D%/packages/patches/openssl-1.1.0-CVE-2018-0495.patch \
+ %D%/packages/patches/openssl-1.1.0-CVE-2018-0732.patch \
 %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \
 %D%/packages/patches/openssl-c-rehash-in.patch \
 %D%/packages/patches/orpheus-cast-errors-and-includes.patch \
diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
new file mode 100644
index 0000000000..15dedbcbd0
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
@@ -0,0 +1,152 @@
+Fix CVE-2018-0495:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
+https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
+
+Patch copied from upstream source repository:
+
+https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a556b7017a
+
+From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 25 May 2018 12:10:13 +0100
+Subject: [PATCH] Add blinding to an ECDSA signature
+
+Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
+ECDSA signature operation. During signing the signer calculates:
+
+s:= k^-1 * (m + r * priv_key) mod order
+
+The addition operation above provides a sufficient signal for a
+flush+reload attack to derive the private key given sufficient signature
+operations.
+
+As a mitigation (based on a suggestion from Keegan) we add blinding to
+the operation so that:
+
+s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
+
+Since this attack is a localhost side channel only no CVE is assigned.
+
+Reviewed-by: Rich Salz
+---
+ CHANGES | 4 +++
+ crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++-----
+ 2 files changed, 67 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
+index 72e2f0f28b..449be0e92a 100644
+--- a/crypto/ec/ecdsa_ossl.c
++++ b/crypto/ec/ecdsa_ossl.c
+@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+ EC_KEY *eckey)
+ {
+ int ok = 0, i;
+- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL;
++ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL;
++ BIGNUM *blindm = NULL;
+ const BIGNUM *order, *ckinv;
+ BN_CTX *ctx = NULL;
+ const EC_GROUP *group;
+@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+ }
+ s = ret->s;
+
+- if ((ctx = BN_CTX_new()) == NULL ||
+- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
++ ctx = BN_CTX_secure_new();
++ if (ctx == NULL) {
++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ BN_CTX_start(ctx);
++ tmp = BN_CTX_get(ctx);
++ m = BN_CTX_get(ctx);
++ blind = BN_CTX_get(ctx);
++ blindm = BN_CTX_get(ctx);
++ if (blindm == NULL) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+ }
+ }
+
+- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
++ /*
++ * The normal signature calculation is:
++ *
++ * s := k^-1 * (m + r * priv_key) mod order
++ *
++ * We will blind this to protect against side channel attacks
++ *
++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
++ */
++
++ /* Generate a blinding value */
++ do {
++ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY,
++ BN_RAND_BOTTOM_ANY))
++ goto err;
++ } while (BN_is_zero(blind));
++ BN_set_flags(blind, BN_FLG_CONSTTIME);
++ BN_set_flags(blindm, BN_FLG_CONSTTIME);
++ BN_set_flags(tmp, BN_FLG_CONSTTIME);
++
++ /* tmp := blind * priv_key * r mod order */
++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+- if (!BN_mod_add_quick(s, tmp, m, order)) {
++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
++
++ /* blindm := blind * m mod order */
++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ goto err;
++ }
++
++ /* s : = (blind * priv_key * r) + (blind * m) mod order */
++ if (!BN_mod_add_quick(s, tmp, blindm, order)) {
++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ goto err;
++ }
++
++ /* s:= s * blind^-1 mod order */
++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ goto err;
++ }
++ if (!BN_mod_mul(s, s, blind, order, ctx)) {
++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++ goto err;
++ }
++
++ /* s := s * k^-1 mod order */
+ if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
++
+ if (BN_is_zero(s)) {
+ /*
+ * if kinv and r have been supplied by the caller don't to
+@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+ ECDSA_SIG_free(ret);
+ ret = NULL;
+ }
++ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+- BN_clear_free(m);
+- BN_clear_free(tmp);
+ BN_clear_free(kinv);
+ return ret;
+ }
+--
+2.17.1
+
diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch
new file mode 100644
index 0000000000..dfea6e7d06
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch
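Review bot: In the bundled ecdsa_ossl.c change, the `if (ctx == NULL)` branch after `BN_CTX_secure_new()` jumps to `err`, while the last inner hunk adds an unconditional `BN_CTX_end(ctx);` to the cleanup, so a failed allocation appears to reach `BN_CTX_end` with a NULL context and without a matching `BN_CTX_start`. Whether `BN_CTX_end` tolerates NULL in this OpenSSL release is not visible here, and the `err:` label itself lies outside the hunk, so this should be confirmed against the 1.1.0 tree; writing the cleanup as `if (ctx != NULL) BN_CTX_end(ctx);` would be safe either way. Separately, the embedded upstream message says "no CVE is assigned" while the Guix header presents the file as the fix for CVE-2018-0495, and a one-line remark in the header explaining that difference would stop it reading as a contradiction.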
@@ -0,0 +1,50 @@
+Fix CVE-2018-0732:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
+
+Patch copied from upstream source repository:
+
+https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4
+
+From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001
+From: Guido Vranken
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index fce9ff47f3..58003d7087 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+--
+2.17.1
+
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 69edd32582..c14feb2983 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -420,7 +420,9 @@ required structures.")
 (string-append "ftp://ftp.openssl.org/source/old/"
 (string-trim-right version char-set:letter)
 "/" name "-" version ".tar.gz")))
- (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
+ (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"
+ "openssl-1.1.0-CVE-2018-0495.patch"
+ "openssl-1.1.0-CVE-2018-0732.patch"))
 (sha256
 (base32
 "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq"))))
--
cgit v1.2.3
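Review bot: The new modulus-size guard in generate_key() carries no comment saying why the bound exists, so the next reader sees only a size check with an error code. A short comment above it would record the intent, for example `/* Refuse oversized p before doing any work: key generation cost grows with the modulus size. */`; the parameters presumably can come from a remote peer, which is what makes the bound a denial-of-service control, but that is not visible in this hunk. As a style point, the added `ctx = NULL` initialiser only matters if the check leaves through `err`, whereas the new branch returns directly; either form works, but the two choices should agree. The body of generate_key() continues outside the hunk.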
From bc19a68c5c4063791fddbfb7fc8ff3971208e965 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 18 Jun 2018 12:28:13 -0400
Subject: gnu: QEMU: Fix CVE-2018-11806.

* gnu/packages/patches/qemu-CVE-2018-11806.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/virtualization.scm (qemu)[source]: Use it.
---
 gnu/local.mk | 1 +
 gnu/packages/patches/qemu-CVE-2018-11806.patch | 105 +++++++++++++++++++++++++
 gnu/packages/virtualization.scm | 1 +
 3 files changed, 107 insertions(+)
 create mode 100644 gnu/packages/patches/qemu-CVE-2018-11806.patch

(limited to 'gnu/local.mk')

diff --git a/gnu/local.mk b/gnu/local.mk
index 6ce446d91a..bf79b8f3c4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1073,6 +1073,7 @@ dist_patch_DATA = \
 %D%/packages/patches/python-unittest2-remove-argparse.patch \
 %D%/packages/patches/python-waitress-fix-tests.patch \
 %D%/packages/patches/qemu-glibc-2.27.patch \
+ %D%/packages/patches/qemu-CVE-2018-11806.patch \
 %D%/packages/patches/qt4-ldflags.patch \
 %D%/packages/patches/qtbase-use-TZDIR.patch \
 %D%/packages/patches/qtscript-disable-tests.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2018-11806.patch b/gnu/packages/patches/qemu-CVE-2018-11806.patch
new file mode 100644
index 0000000000..f021dfa747
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2018-11806.patch
@@ -0,0 +1,105 @@
+Fix CVE-2018-11806:
+
+https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c
+
+From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 5 Jun 2018 23:38:35 +0530
+Subject: [PATCH] slirp: correct size computation while concatenating mbuf
+
+While reassembling incoming fragmented datagrams, 'm_cat' routine
+extends the 'mbuf' buffer, if it has insufficient room. It computes
+a wrong buffer size, which leads to overwriting adjacent heap buffer
+area. Correct this size computation in m_cat.
+
+Reported-by: ZDI Disclosures
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Samuel Thibault
+---
+ slirp/mbuf.c | 11 +++++------
+ slirp/mbuf.h | 8 +++-----
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/slirp/mbuf.c b/slirp/mbuf.c
+index 5ff24559fd..18cbf759a7 100644
+--- a/slirp/mbuf.c
++++ b/slirp/mbuf.c
+@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ * If there's no room, realloc
+ */
+ if (M_FREEROOM(m) < n->m_len)
+- m_inc(m,m->m_size+MINCSIZE);
++ m_inc(m, m->m_len + n->m_len);
+
+ memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
+ m->m_len += n->m_len;
+@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ }
+
+
+-/* make m size bytes large */
++/* make m 'size' bytes large from m_data */
+ void
+ m_inc(struct mbuf *m, int size)
+ {
+@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
+
+ if (m->m_flags & M_EXT) {
+ datasize = m->m_data - m->m_ext;
+- m->m_ext = g_realloc(m->m_ext, size);
++ m->m_ext = g_realloc(m->m_ext, size + datasize);
+ m->m_data = m->m_ext + datasize;
+ } else {
+ char *dat;
+ datasize = m->m_data - m->m_dat;
+- dat = g_malloc(size);
++ dat = g_malloc(size + datasize);
+ memcpy(dat, m->m_dat, m->m_size);
+
+ m->m_ext = dat;
+@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
+ m->m_flags |= M_EXT;
+ }
+
+- m->m_size = size;
+-
++ m->m_size = size + datasize;
+ }
+
+
+diff --git a/slirp/mbuf.h b/slirp/mbuf.h
+index 893601ff9d..33b84485d6 100644
+--- a/slirp/mbuf.h
++++ b/slirp/mbuf.h
+@@ -33,8 +33,6 @@
+ #ifndef MBUF_H
+ #define MBUF_H
+
+-#define MINCSIZE 4096 /* Amount to increase mbuf if too small */
+-
+ /*
+ * Macros for type conversion
+ * mtod(m,t) - convert mbuf pointer to data pointer of correct type
+@@ -72,11 +70,11 @@ struct mbuf {
+ struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
+ int m_flags; /* Misc flags */
+
+- int m_size; /* Size of data */
++ int m_size; /* Size of mbuf, from m_dat or m_ext */
+ struct socket *m_so;
+
+- caddr_t m_data; /* Current location of data */
+- int m_len; /* Amount of data in this mbuf */
++ caddr_t m_data; /* Current location of data */
++ int m_len; /* Amount of data in this mbuf, from m_data */
+
+ Slirp *slirp;
+ bool resolution_requested;
+--
+2.17.1
+
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 61f0245289..b82dcb4c80 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -98,6 +98,7 @@
 (method url-fetch)
 (uri (string-append "https://download.qemu.org/qemu-"
 version ".tar.xz"))
+ (patches (search-patches "qemu-CVE-2018-11806.patch"))
 (sha256
 (base32
 "1z66spkm1prvhbq7h5mfnp0i6mmamsb938fqmdfvyrgzc7rh34z6"))))
--
cgit v1.2.3
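Review bot: The m_inc() hunks redefine `size` as the room wanted from `m_data` (the allocation becomes `size + datasize`), but lines 154-157 of mbuf.c, where any early-exit test at the top of m_inc() would sit, are not shown by any hunk. If that test still compares the whole allocation, e.g. `if (m->m_size > size) return;`, an mbuf whose data starts past the beginning of its buffer can be judged large enough and the `memcpy` in m_cat() would still run past the end; the test should then compare the room from `m_data`, along the lines of `if (M_ROOM(m) > size) return;`. It would also help to document at m_inc() that `m->m_len + n->m_len` and `size + datasize` are plain `int` additions with no bound visible here, so the callers' length limits are what keep them from overflowing.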