From 451ab01db01e711c1e916132e65a5ac90e5e84106e00bb3c126f5faeae32dca8 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Wed, 9 Jun 2021 15:24:44 +0000
Subject: [PATCH] Accepting request 898784 from home:polslinux:branches:security:tls
- GNU Nettle 3.7.3:
* Fix crash for zero input to rsa_sec_decrypt and rsa_decrypt_tr. Potential denial of service vector.
* Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return failure for out of range inputs, instead of either crashing, or silently reducing input modulo n. Potential denial of service vector.
* Ensure that rsa_decrypt returns failure for out of range inputs, instead of silently reducing input modulo n.
* Ensure that rsa_sec_decrypt returns failure if the message size is too large for the given key. Unlike the other bugs, this would typically be triggered by invalid local configuration, rather than by processing untrusted remote data.
OBS-URL: https://build.opensuse.org/request/show/898784
OBS-URL: https://build.opensuse.org/package/show/security:tls/libnettle?expand=0&rev=21
---
 libnettle.changes | 18 ++++++++++++++++++
 libnettle.spec | 10 +++++-----
 nettle-3.7.2.tar.gz | 3 ---
 nettle-3.7.2.tar.gz.sig | Bin 374 -> 0 bytes
 nettle-3.7.3.tar.gz | 3 +++
 nettle-3.7.3.tar.gz.sig | Bin 0 -> 374 bytes
 6 files changed, 26 insertions(+), 8 deletions(-)
 delete mode 100644 nettle-3.7.2.tar.gz
 delete mode 100644 nettle-3.7.2.tar.gz.sig
 create mode 100644 nettle-3.7.3.tar.gz
 create mode 100644 nettle-3.7.3.tar.gz.sig
diff --git a/libnettle.changes b/libnettle.changes
index 2aa3160..abd159c 100644
--- a/libnettle.changes
+++ b/libnettle.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Jun 9 10:57:22 UTC 2021 - Paolo Stivanin
+
+- GNU Nettle 3.7.3:
+ * Fix crash for zero input to rsa_sec_decrypt and
+ rsa_decrypt_tr. Potential denial of service vector.
+ * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
+ failure for out of range inputs, instead of either crashing,
+ or silently reducing input modulo n. Potential denial of
+ service vector.
+ * Ensure that rsa_decrypt returns failure for out of range
+ inputs, instead of silently reducing input modulo n.
+ * Ensure that rsa_sec_decrypt returns failure if the message
+ size is too large for the given key. Unlike the other bugs,
+ this would typically be triggered by invalid local
+ configuration, rather than by processing untrusted remote
+ data.
+
 -------------------------------------------------------------------
 Sun Mar 21 10:17:35 UTC 2021 - Andreas Stieger
diff --git a/libnettle.spec b/libnettle.spec
index bcb7b49..98a933b 100644
--- a/libnettle.spec
+++ b/libnettle.spec
@@ -19,14 +19,14 @@
 %define soname 8
 %define hogweed_soname 6
 Name: libnettle
-Version: 3.7.2
+Version: 3.7.3
 Release: 0
 Summary: Cryptographic Library
-License: LGPL-2.1-or-later AND GPL-2.0-or-later
+License: GPL-2.0-or-later AND LGPL-2.1-or-later
 Group: Development/Libraries/C and C++
 URL: https://www.lysator.liu.se/~nisse/nettle/
-Source0: https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz
-Source1: https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz.sig
+Source0: https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz
+Source1: https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz.sig
 Source2: %{name}.keyring
 Source3: baselibs.conf
 Source4: %{name}-rpmlintrc
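Review bot: The Source0/Source1 switch from www.lysator.liu.se to ftp.gnu.org and the reordering of the License string in this hunk (and in the second libnettle.spec hunk) are not recorded in the libnettle.changes entry added by the same commit, which only lists the upstream 3.7.3 fixes. Since Source1 (the detached .sig) and Source2 (%{name}.keyring) are kept, the mirror change does not weaken source verification as long as the keyring still holds the upstream signing key; a one-line changes entry such as `- Switch Source0/Source1 to https://ftp.gnu.org/gnu/nettle/` would make that reviewable. As this is a security update for denial-of-service issues, the changes entry should also carry the bug/CVE reference if one has been assigned (`bsc#<id>` / `CVE-<id>` as placeholders), so the update is traceable by the usual tooling.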
@@ -79,7 +79,7 @@ Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
 %package -n nettle
 Summary: Cryptographic Tools
-License: LGPL-2.1-or-later AND GPL-2.0-or-later
+License: GPL-2.0-or-later AND LGPL-2.1-or-later
 Group: Productivity/Security
 %description -n nettle
diff --git a/nettle-3.7.2.tar.gz b/nettle-3.7.2.tar.gz
deleted file mode 100644
index c6344b5..0000000
--- a/nettle-3.7.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162
-size 2382309
diff --git a/nettle-3.7.2.tar.gz.sig b/nettle-3.7.2.tar.gz.sig
deleted file mode 100644
index cfe89c479203c002b54a102635554f5b8c38fdb452e95f5d930d290fad06c3d6..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 374 zcmV-+0g3*J0doWZ0SW*e79j*QJTLJ3?q0&}zVn&$S)ceQ#&Vbi0$^7Png9w35c64| z_$bD5m~*cQ|5XHI0#O?~tE|2h+yha#+%1227ot!}r;#ft!3sfQ#9 zR>g#?e^VZng@w`#-1#vJV4VR2YZC-H7{6aKlj~&SfCdZgkP8P4eT3Ahl~TOp&;rCQ z#wG73S&1_6Cm`qfM@8Ay(0{c*AEKU9vXoGk|Ct4_b4DiAR@FR&LK|B2&a~o3qMruu z;8@A7I+l<#tUpamlU~rC#%qs-j~FkBKZFsQ&9S5hS#pkY25py6)$4R(gRgf2>dbWe zj}lATS@5}oSE-zBkP#}!xvlYJ=o}Il7=m^C%|L{*nPzsr{jcyWbXvxBKm9pc!l{EK zh_P1-F;qs%mHU`480&?wHDdeEo%koBQuep<^fd~k{^wFda~Pa!t30_*3I&+4#HQUj UN6_-%5Z36+ptN$%>2@jUx7<>-$N&HU
diff --git a/nettle-3.7.3.tar.gz b/nettle-3.7.3.tar.gz
new file mode 100644
index 0000000..341af74
--- /dev/null
+++ b/nettle-3.7.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:661f5eb03f048a3b924c3a8ad2515d4068e40f67e774e8a26827658007e3bcf0
+size 2383985
diff --git a/nettle-3.7.3.tar.gz.sig b/nettle-3.7.3.tar.gz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..e73fe56fd9e271a9942b0b15361d5649362b29656b271533ee0b1a5f94492eb3 GIT binary patch literal 374 zcmV-+0g3*J0doWZ0SW*e79j*QJTLJ3?q0&}zVn&$S)ceQ#&Vbi0${x@)c^_!5c64| z_$bD5n9R!x0Gay17rrJ{X%bT@If2V}rLrH)X#LWpT_T<=aFPsIdTUm&i-xPG?=3B? zI;E-U*`Mu;9NLAwAVNxrX-Bc*M%4gc{(%xtY1*mn-1HQ9PHXnd))w$)#+shLwxFuz zE`EQ}=gza7iP8KnnrV(v(YQ%?e2(BTSG1~0p2_23jke?kjOWD_RC7Q0)R_|onptw`9AvEy3=>_it-^qC7Zeuh#X->u!|^ZRSIiD96_II&YovQ8 z96c~n?6qde9$+G^dwtJ2;2U|y(OHmfJ0>mkp>y>_uatUf_U}9G^MKc3oz7|@bx51f U^DZ(~&fkXo5{lKo(hY`2jk)!_IsgCw literal 0 HcmV?d00001