From 8b274fb891015ad14e631103cae76928d61cf68a6bba6ad37a6c9c840321378a Mon Sep 17 00:00:00 2001 
From: Adam Majer
Date: Wed, 4 Oct 2017 12:14:40 +0000
Subject: [PATCH] Accepting request 531133 from home:dmolkentin:branches:devel:libraries:c_c++
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update to 1.10.17
  - Address a side channel affecting modular exponentiation. An attacker
    capable of a local or cross-VM cache analysis attack may be able to recover
    bits of secret exponents as used in RSA, DH, etc. CVE-2017-14737 Workaround
    a miscompilation bug in GCC 7 on x86-32 affecting GOST-34.11 hash function.
    (GH #1192 #1148 #882, bsc#1060433)
  - Add SecureVector::data() function which returns the start of the buffer.
    This makes it slightly simpler to support both 1.10 and 2.x APIs in the
    same codebase. When compiled by a C++11 (or later) compiler, a template
    typedef of SecureVector, secure_vector, is added. In 2.x this class is a
    std::vector with a custom allocator, so has a somewhat different interface
    than SecureVector in 1.10. But this makes it slightly simpler to support
    both 1.10 and 2.x APIs in the same codebase.
  - Fix a bug that prevented configure.py from running under Python3
  - Botan 1.10.x does not support the OpenSSL 1.1 API. Now the build will
    #error if OpenSSL 1.1 is detected. Avoid --with-openssl if compiling against
    1.1 or later. (GH #753)
  - Import patches from Debian adding basic support for
    building on aarch64, ppc64le, or1k, and mipsn32 platforms.

  * obsoletes CVE-2017-14737.patch
  * refreshes aarch64-support.patch
  * drop ppc64le-support.patch for upstream version
    (disables altivec support as per concerns by upstream)

- Fix for CVE-2017-14737: A cryptographic cache-based side channel in the RSA
  implementation allows local attacker to recover information about RSA secret
  keys.
* add CVE-2017-14737.patch OBS-URL: https://build.opensuse.org/request/show/531133 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/Botan?expand=0&rev=71 --- Botan-1.10.16.tgz | 3 --- Botan-1.10.16.tgz.asc | 11 ----------- Botan-1.10.17.tgz | 3 +++ Botan-1.10.17.tgz.asc | 11 +++++++++++ Botan.changes | 38 ++++++++++++++++++++++++++++++++++++++ Botan.spec | 6 ++---- aarch64-support.patch | 22 +++++++++++----------- ppc64le-support.patch | 18 ------------------ 8 files changed, 65 insertions(+), 47 deletions(-) delete mode 100644 Botan-1.10.16.tgz delete mode 100644 Botan-1.10.16.tgz.asc create mode 100644 Botan-1.10.17.tgz create mode 100644 Botan-1.10.17.tgz.asc delete mode 100644 ppc64le-support.patch diff --git a/Botan-1.10.16.tgz b/Botan-1.10.16.tgz deleted file mode 100644 index 924384b..0000000 --- a/Botan-1.10.16.tgz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52 -size 2711177 diff --git a/Botan-1.10.16.tgz.asc b/Botan-1.10.16.tgz.asc deleted file mode 100644 index 95151a9..0000000 --- a/Botan-1.10.16.tgz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEYh2vZBHhhRxM+aLhYhHr8e+637wFAljkQzcACgkQYhHr8e+6 -37zwOAf9G0+rAaNoq5K9m4LZq4A1jP1B4HBsrddLu0PFCCDD8usYNTJkSUhoVTTt -BZqFa9NK8+NV/cELnRiiVw1mvMCN981tzl2rBiE6yw3CrfvuLYGX21Vc3RNIIjYs -rdH5oIvRP7C7zmRP3uuybFefsI6XXUVppjFcP6N14zDNXQxl2eoW9LZbxl0m28Dp -tMum3qSIaQemcJzOpfoXYW1A/Q3Rz8Wh3Xh1Jfjm8kUY9GOGtf9vQwO8Jb4jn9kJ -ftyoDlBWMQAgPd3DXKx/tfn7YcshbgmCW6lrqrwMIz84ESqkqZt8h/olPrJK/8tO -cdPl7ovtfSfQXWRJzAL3ehF1HeKZVg== -=EDPN ------END PGP SIGNATURE----- diff --git a/Botan-1.10.17.tgz b/Botan-1.10.17.tgz new file mode 100644 index 0000000..21f22ce --- /dev/null +++ b/Botan-1.10.17.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6847ffb64b8d2f939dccfecc17bd2c80385d08f7621e2c56d3a335118e823613 +size 2706678 
diff --git a/Botan-1.10.17.tgz.asc b/Botan-1.10.17.tgz.asc new file mode 100644 index 0000000..513150f --- /dev/null +++ b/Botan-1.10.17.tgz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEYh2vZBHhhRxM+aLhYhHr8e+637wFAlnSZaQACgkQYhHr8e+6 +37xtgwf+KcmgrrfzAF6HLJJwOvMom+SnpHShvoMPqfmXwhvKELCQ8TypARF7Zbjw +e6M6Nvb/u2PhEoEX4p2vYPLxxtz+la5xXBa+UDbSO9nppFe0z6qIyR793gYWaUUT +vBonBeComOtn5vYEQ6Xj+X8JjH3xK1oKX+jNWHLKHcMUoNdRdu3dYS9Tkbvyy9DY +yjUrOE9/N8ATjSN9dEC0Xa29CMhgYxquIz6FuMspPxJHHD5/GrP+h5LfnR76vkaK +CBilE9VEYoLSTDQyHb6g0/Fz1l+YM159oe2SmFdOGBzI02EkYGBXxYc9fSpw92oH +rokKA1Q23WpaK0bzduvduBreYtIpsw== +=1D+U +-----END PGP SIGNATURE----- diff --git a/Botan.changes b/Botan.changes index 6b4d763..c3573fd 100644 --- a/Botan.changes +++ b/Botan.changes 
@@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Wed Oct 4 07:49:54 UTC 2017 - daniel.molkentin@suse.com + +- Update to 1.10.17 + - Address a side channel affecting modular exponentiation. An attacker + capable of a local or cross-VM cache analysis attack may be able to recover + bits of secret exponents as used in RSA, DH, etc. CVE-2017-14737 Workaround + a miscompilation bug in GCC 7 on x86-32 affecting GOST-34.11 hash function. + (GH #1192 #1148 #882, bsc#1060433) + - Add SecureVector::data() function which returns the start of the buffer. + This makes it slightly simpler to support both 1.10 and 2.x APIs in the + same codebase. When compiled by a C++11 (or later) compiler, a template + typedef of SecureVector, secure_vector, is added. In 2.x this class is a + std::vector with a custom allocator, so has a somewhat different interface + than SecureVector in 1.10. But this makes it slightly simpler to support + both 1.10 and 2.x APIs in the same codebase. + - Fix a bug that prevented configure.py from running under Python3 + - Botan 1.10.x does not support the OpenSSL 1.1 API. Now the build will + #error if OpenSSL 1.1 is detected. Avoid –with-openssl if compiling against + 1.1 or later. (GH #753) + - Import patches from Debian adding basic support for + building on aarch64, ppc64le, or1k, and mipsn32 platforms. + + * obsoletes CVE-2017-14737.patch + + * refreshes aarch64-support.patch + + * drop ppc64le-support.patch for upstream version + (disables altivec support as per concerns by upstream) + +------------------------------------------------------------------- +Tue Sep 26 13:03:46 UTC 2017 - daniel.molkentin@suse.com + +- Fix for CVE-2017-14737: A cryptographic cache-based side channel in the RSA + implementation allows local attacker to recover information about RSA secret + keys. 
+ * add CVE-2017-14737.patch + ------------------------------------------------------------------- Thu Sep 21 09:48:17 UTC 2017 - vcizek@suse.com diff --git a/Botan.spec b/Botan.spec index 044c246..149cfda 100644 --- a/Botan.spec +++ b/Botan.spec @@ -19,7 +19,7 @@ %define version_suffix 1_10-1 %define short_version 1.10 Name: Botan -Version: 1.10.16 +Version: 1.10.17 Release: 0 Summary: A C++ Crypto Library License: BSD-2-Clause @@ -36,7 +36,6 @@ Patch4: Botan-no-buildtime.patch Patch6: Botan-fix_pkgconfig.patch Patch7: dont-set-mach-value.diff Patch8: aarch64-support.patch -Patch9: ppc64le-support.patch Patch10: no-cpuid-header.patch BuildRequires: bzip2 >= 1.0.2 BuildRequires: gcc-c++ @@ -94,8 +93,7 @@ programs that use the Botan library. %patch4 %patch6 %patch7 -p1 -%patch8 -%patch9 +%patch8 -p1 %if 0%{?suse_version} == 1110 %patch10 -p1 %endif diff --git a/aarch64-support.patch b/aarch64-support.patch index 3096dbb..6c8e555 100644 --- a/aarch64-support.patch +++ b/aarch64-support.patch @@ -1,11 +1,11 @@ -Index: src/build-data/arch/aarch64.txt -=================================================================== ---- /dev/null -+++ src/build-data/arch/aarch64.txt -@@ -0,0 +1,6 @@ -+endian little -+ -+ -+arm64 -+armv8 -+ +diff --git a/src/build-data/arch/aarch64.txt b/src/build-data/arch/aarch64.txt +index 863b000c5..9ea51c936 100644 +--- a/src/build-data/arch/aarch64.txt ++++ b/src/build-data/arch/aarch64.txt +@@ -2,5 +2,6 @@ endian little + + + arm64 # For Debian ++armv8 # For SUSE + + diff --git a/ppc64le-support.patch b/ppc64le-support.patch deleted file mode 100644 index 53e1a08..0000000 --- a/ppc64le-support.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- /dev/null 2013-11-30 20:09:56.080000808 +0100 -+++ src/build-data/arch/ppc64le.txt 2013-12-08 23:56:25.465510000 +0100 -@@ -0,0 +1,15 @@ -+endian little -+ -+family ppc -+ -+ -+powerpc64le -+ -+ -+ -+power7 -+ -+ -+ -+altivec:power7 -+
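
Review bot: In the Botan-1.10.17.tgz and Botan-1.10.17.tgz.asc hunks, the tarball pointer and its detached signature are swapped in together, and nothing in this diff records which upstream key the new signature was checked against. Since the reason for this bump is a security fix, state in the request the key fingerprint the .asc was verified with, and, if the package does not already carry the upstream keyring as a source, add it so the check can be repeated on the next update.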
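
Review bot: In the new 1.10.17 entry of Botan.changes, the first sub-item runs two unrelated changes together ("... as used in RSA, DH, etc. CVE-2017-14737 Workaround a miscompilation bug in GCC 7 ..."), so it is unclear whether "(GH #1192 #1148 #882, bsc#1060433)" belongs to the side-channel fix or to the GOST-34.11 workaround. Split it into two bullets and keep the CVE and bsc references on the security item, so anyone tracking CVE-2017-14737 through the changelog finds it unambiguously. In the same entry, the sentence "This makes it slightly simpler to support both 1.10 and 2.x APIs in the same codebase." appears twice, and "–with-openssl" is written with an en dash instead of "--with-openssl". Finally, the Sep 26 entry ("add CVE-2017-14737.patch") and the Oct 4 entry ("obsoletes CVE-2017-14737.patch") arrive in this one commit while the diffstat contains no CVE-2017-14737.patch; a short remark that the fix reaches this package only through the 1.10.17 tarball would make the history easier to audit.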
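
Review bot: The refreshed aarch64-support.patch now begins directly at "diff --git a/src/build-data/arch/aarch64.txt b/src/build-data/arch/aarch64.txt" with no description header, and its only remaining change is the "+armv8 # For SUSE" alias. Add a short header saying why SUSE builds need the armv8 alias and whether it has been sent upstream, so the next version bump can tell whether the patch is still required.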
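
Review bot: Deleting ppc64le-support.patch removes the "+altivec:power7" line that the downstream arch file carried, and the only record of that behaviour change is the parenthetical "(disables altivec support as per concerns by upstream)" in Botan.changes. Please reference the upstream discussion or issue behind that concern in the changelog, and confirm that a ppc64le build of 1.10.17 picks up the architecture definition from the tarball now that both Patch9 and %patch9 are gone from Botan.spec.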