From ec21b227cdd2508717f7c9d50b7fd6046a7fc1b0 Mon Sep 17 00:00:00 2001
From: Marta Rybczynska
Date: Mon, 6 Dec 2021 08:15:43 +0100
Subject: libgcrypt: solve CVE-2021-33560 and CVE-2021-40528

This change fixes patches for two issues reported in a research paper [1]: a side channel attack (*) and a cross-configuration attack (**). In this commit we add a fix for (*) that wasn't marked as a CVE initially upstream. A fix of (**) previosly available in OE backports is in fact fixing CVE-2021-40528, not CVE-2021-33560 as marked in the commit message. We commit the accual fix for CVE-2021-33560 and rename the existing fix with the correct CVE-2021-40528. For details of the mismatch and the timeline see [2] (fix of the documentation) and [3] (the related ticket upstream).

[1] https://eprint.iacr.org/2021/923.pdf
[2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
[3] https://dev.gnupg.org/T5328#149606

(From OE-Core rev: 0ce5c68933b52d2cfe9eea967d24d57ac82250c3)

Signed-off-by: Marta Rybczynska
Signed-off-by: Steve Sakoman
Signed-off-by: Richard Purdie
---
 meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb')
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 174b087b24..8045bab9ed 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -29,6 +29,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
 file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
 file://determinism.patch \
 file://CVE-2021-33560.patch \
+ file://CVE-2021-40528.patch \
 "
 SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
 SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
--
cgit v1.2.3-54-g00ecf
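Review bot: The added `file://CVE-2021-40528.patch \` entry is only as accurate as the tags inside the two patch files, and this view is limited to the recipe, so those headers cannot be checked here. OE-Core's cve-check takes the patched CVE id from the patch file name and from `CVE:` lines in the patch header, so the renamed file should carry `CVE: CVE-2021-40528` and the new `CVE-2021-33560.patch` should carry `CVE: CVE-2021-33560`, each with an `Upstream-Status: Backport` line pointing at the upstream commit; a stale tag left over from before the rename would keep the scan reporting the wrong id as fixed. Both patches presumably touch the same ElGamal code, so it is also worth confirming that they apply in the listed order without fuzz. The SRC_URI assignment begins above the hunk.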