Fix CVE-2023-50979

libcryptopp-CVE-2023-50979.patch

@@ -0,0 +1,70 @@
+From 0923d82f5c3ac8cf6c99108be2ad9260f2a61f6c Mon Sep 17 00:00:00 2001
+From: CoraleSoft <82213665+Coralesoft@users.noreply.github.com>
+Date: Sun, 26 Oct 2025 17:43:39 +1300
+Subject: [PATCH] Fix timing attack in PKCS1v15 padding validation
+
+Replaces variable-time separator search with constant-time implementation to mitigate Marvin Attack (CVE-2022-4304). Uses bitwise operations to avoid data-dependent timing leaks.
+
+Fixes three timing vulnerabilities:
+  - Variable-time while loop
+  - Early return on invalid padding
+  - Variable-length memcpy operation
+
+Fixes #1247
+---
+ pkcspad.cpp | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/pkcspad.cpp b/pkcspad.cpp
+index 7f5cd2099..456e52015 100644
+--- a/pkcspad.cpp
++++ b/pkcspad.cpp
+@@ -100,20 +100,40 @@ DecodingResult PKCS_EncryptionPaddingScheme::Unpad(const byte *pkcsBlock, size_t
+ 	// Require block type 2.
+ 	invalid = (pkcsBlock[0] != 2) || invalid;
+ 
+-	// skip past the padding until we find the separator
+-	size_t i=1;
+-	while (i<pkcsBlockLen && pkcsBlock[i++]) { // null body
+-		}
++	// Constant-time separator search to mitigate timing attacks (Marvin Attack, CVE-2022-4304)
++	// Scan every byte to find first zero separator without variable-time loop termination
++	size_t separatorIndex = 0;
++	size_t foundSeparator = 0;
++
++	for (size_t j = 1; j < pkcsBlockLen; j++)
++	{
++		// Check if current byte is zero (separator)
++		size_t isZero = (pkcsBlock[j] == 0) ? 1 : 0;
++		size_t notFoundYet = 1 - foundSeparator;
++
++		// Constant-time conditional: record position using bitwise ops
++		// Equivalent to: if (isZero && notFoundYet) separatorIndex = j;
++		size_t mask = -(isZero & notFoundYet);  // all 1s if true, all 0s if false
++		separatorIndex = (separatorIndex & ~mask) | (j & mask);
++
++		// Mark that we found a separator
++		foundSeparator |= isZero;
++	}
++
++	// Position after the separator
++	size_t i = separatorIndex + 1;
+ 	CRYPTOPP_ASSERT(i==pkcsBlockLen || pkcsBlock[i-1]==0);
+ 
+ 	size_t outputLen = pkcsBlockLen - i;
+ 	invalid = (outputLen > maxOutputLen) || invalid;
++	invalid = (foundSeparator == 0) || invalid;  // No separator found
+ 
+-	if (invalid)
+-		return DecodingResult();
+-
++	// Always perform memcpy to avoid timing leak from early return
++	// This ensures both valid and invalid padding take the same code path
+ 	std::memcpy (output, pkcsBlock+i, outputLen);
+-	return DecodingResult(outputLen);
++
++	// Return error on invalid padding, otherwise return decoded length
++	return invalid ? DecodingResult() : DecodingResult(outputLen);
+ }
+ 
+ // ********************************************************

libcryptopp-CVE-2024-28285.patch

@@ -0,0 +1,26 @@
+commit 2472be710f8518caab1f62999c50970b475f162f
+Author: Angel Yankov <angel.yankov@suse.com>
+Date:   Wed May 28 16:17:10 2025 +0300
+
+    Fix ElGamal side channel issue
+
+diff --git a/pubkey.h b/pubkey.h
+index 31e00a33..b12ef458 100644
+--- a/pubkey.h
++++ b/pubkey.h
+@@ -1854,8 +1854,13 @@ public:
+ 
+ 			SecByteBlock derivedKey(encAlg.GetSymmetricKeyLength(encAlg.GetMaxSymmetricPlaintextLength(ciphertextLength)));
+ 			derivAlg.Derive(params, derivedKey, derivedKey.size(), z, q, parameters);
+-
+-			return encAlg.SymmetricDecrypt(derivedKey, ciphertext, ciphertextLength, plaintext, parameters);
++			DecodingResult res =  encAlg.SymmetricDecrypt(derivedKey, ciphertext, ciphertextLength, plaintext, parameters);
++			Element z2 = agreeAlg.AgreeWithStaticPrivateKey(params, q, true, key.GetPrivateExponent());
++			if (z == z2) {
++			} else {
++				return DecodingResult();
++			}
++			return res;
+ 		}
+ 		catch (DL_BadElement &)
+ 		{

libcryptopp.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Fri Jan  9 14:49:05 UTC 2026 - Angel Yankov <angel.yankov@suse.com>
+
+Security fix [bsc#1218217, CVE-2023-50979]
+  * Fix  side-channel leakage during decryption with PKCS#1v1.5 padding
+  * Added patch libcryptopp-CVE-2023-50979.patch
+  * https://github.com/Coralesoft/cryptopp/commit/0923d82f5c3ac8cf6c99108be2ad9260f2a61f6c
+
+-------------------------------------------------------------------
+Thu May 29 10:56:35 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Security fix [bsc#1224280, CVE-2024-28285]
+  * potential leak of secret key of ElGamal encryption via fault injection 
+  * Added patch libcryptopp-CVE-2024-28285.patch
+  * https://github.com/weidai11/cryptopp/issues/1262 
+
 -------------------------------------------------------------------
 Mon Feb  3 09:09:55 UTC 2025 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 

libcryptopp.spec

@@ -40,6 +40,10 @@ Patch1:         libcryptopp-shared.patch
 Patch2:         libcryptopp-CVE-2023-50980.patch
 # CVE-2023-50981 [bsc#1218222], issue on ModularSquareRoot function leads to potential DoS
 Patch3:         libcryptopp-CVE-2023-50981.patch
+# PATCH-FIX-SUSE: [bsc#1224280] CVE-2024-28285 potential leak of secret key of ElGamal encryption via fault injection 
+Patch4:		libcryptopp-CVE-2024-28285.patch
+# PATCH-FIX-UPSTREAM: [bsc#1218217,  CVE-2023-50979] side-channel leakage during decryption with PKCS#1v1.5 padding  (marvin )
+Patch5:		libcryptopp-CVE-2023-50979.patch
 BuildRequires:  dos2unix
 BuildRequires:  gcc-c++
 BuildRequires:  pkgconfig