Mail archive
alpine-aports

[alpine-aports] [PATCH] testing/crypto++: security fix for CVE-2015-2141

From: AmatCoder <amatcoder_at_gmail.com>
Date: Sat, 25 Jul 2015 12:02:35 +0000

---
 testing/crypto++/APKBUILD            | 14 +++++++++-----
 testing/crypto++/CVE-2015-2141.patch | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 testing/crypto++/CVE-2015-2141.patch
diff --git a/testing/crypto++/APKBUILD b/testing/crypto++/APKBUILD
index 77fa512..6632f7c 100644
--- a/testing/crypto++/APKBUILD
+++ b/testing/crypto++/APKBUILD
_at_@ -2,7 +2,7 @@
 # Maintainer: August Klein <amatcoder_at_gmail.com>
 pkgname=crypto++
 pkgver=5.6.2
-pkgrel=1
+pkgrel=2
 pkgdesc="A free C++ class library of cryptographic schemes"
 url="http://www.cryptopp.com"
 arch="all"
_at_@ -12,7 +12,8 @@ depends_dev=""
 makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-dev"
-source="http://downloads.sourceforge.net/cryptopp/cryptopp562.zip"
+source="http://downloads.sourceforge.net/cryptopp/cryptopp562.zip
+	CVE-2015-2141.patch"
 
 _builddir="$srcdir"
 prepare() {
_at_@ -41,6 +42,9 @@ package() {
 	cp *.h "$pkgdir"/usr/include/cryptopp || return 1
 }
 
-md5sums="7ed022585698df48e65ce9218f6c6a67  cryptopp562.zip"
-sha256sums="5cbfd2fcb4a6b3aab35902e2e0f3b59d9171fee12b3fc2b363e1801dfec53574  cryptopp562.zip"
-sha512sums="016ca7ebad1091d67ad0bc5ccb7549d96d4af6b563d9d5a612cae27b3d1a3514c41b954e319fed91c820e8c701e3aa43da186e0864bf959ce4afd1539248ebbe  cryptopp562.zip"
+md5sums="7ed022585698df48e65ce9218f6c6a67  cryptopp562.zip
+7ff9a215b9244b4f8a17c7185e27beda  CVE-2015-2141.patch"
+sha256sums="5cbfd2fcb4a6b3aab35902e2e0f3b59d9171fee12b3fc2b363e1801dfec53574  cryptopp562.zip
+611980b01fd4292bc40b929e62a0cdecf1ea87c8b4639bca7c286b83c8c948fc  CVE-2015-2141.patch"
+sha512sums="016ca7ebad1091d67ad0bc5ccb7549d96d4af6b563d9d5a612cae27b3d1a3514c41b954e319fed91c820e8c701e3aa43da186e0864bf959ce4afd1539248ebbe  cryptopp562.zip
+4407833fbfb44c3571edccd916323a97427ee3c0f37b49d5a6851a196e6913954801cb9df3b01b956e8d990904fb710a0a57918c44596e8218b4c08b1b729bf1  CVE-2015-2141.patch"
diff --git a/testing/crypto++/CVE-2015-2141.patch b/testing/crypto++/CVE-2015-2141.patch
new file mode 100644
index 0000000..32c5164
--- /dev/null
+++ b/testing/crypto++/CVE-2015-2141.patch
_at_@ -0,0 +1,32 @@
+From 9425e16437439e68c7d96abef922167d68fafaff Mon Sep 17 00:00:00 2001
+From: Jeffrey Walton <noloader_at_gmail.com>
+Date: Sat, 27 Jun 2015 17:56:01 -0400
+Subject: [PATCH] Fix for CVE-2015-2141. Thanks to Evgeny Sidorov for
+ reporting. Squaring to satisfy Jacobi requirements suggested by JPM.
+
+---
+ rw.cpp | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/rw.cpp b/rw.cpp
+index cdd9f2d..0b9318b 100644
+--- a/rw.cpp
++++ b/rw.cpp
+_at_@ -126,10 +126,16 @@ Integer InvertibleRWFunction::CalculateInverse(RandomNumberGenerator &rng, const
+ 	DoQuickSanityCheck();
+ 	ModularArithmetic modn(m_n);
+ 	Integer r, rInv;
+-	do {	// do this in a loop for people using small numbers for testing
++
++	// do this in a loop for people using small numbers for testing
++	do {
+ 		r.Randomize(rng, Integer::One(), m_n - Integer::One());
++		// Fix for CVE-2015-2141. Thanks to Evgeny Sidorov for reporting.
++		// Squaring to satisfy Jacobi requirements suggested by JPM.
++		r = modn.Square(r);
+ 		rInv = modn.MultiplicativeInverse(r);
+ 	} while (rInv.IsZero());
++
+ 	Integer re = modn.Square(r);
+ 	re = modn.Multiply(re, x);			// blind
+ 
-- 
2.4.1
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Sat Jul 25 2015 - 12:02:35 GMT