packages/botan2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!5 [sync] PR-3: fix CVE-2024-34703

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @open-bot 
Signed-off-by: @open-bot
This commit is contained in:
openeuler-ci-bot 2024-07-09 08:17:33 +00:00 committed by Gitee
commit 1fb8bb88b6
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 42 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
Backport-CVE-2024-34703-When-decoding-an-arbi.patch Normal file
View File

@ -0,0 +1,35 @@
From 94e9154c143aa5264da6254a6a1be5bc66ee2b5a Mon Sep 17 00:00:00 2001
From: Jack Lloyd <jack@randombit.net>
Date: Tue, 20 Feb 2024 06:32:57 -0500
Subject: [PATCH] When decoding an arbitrary elliptic curve, set an upper bound
on length
Otherwise it's trivial to send a very large prime, which can take a
significant amount of computation to check.
Reported by Bing Shi
---
src/lib/pubkey/ec_group/ec_group.cpp | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/lib/pubkey/ec_group/ec_group.cpp b/src/lib/pubkey/ec_group/ec_group.cpp
index bb60bac..214751b 100644
--- a/src/lib/pubkey/ec_group/ec_group.cpp
+++ b/src/lib/pubkey/ec_group/ec_group.cpp
@@ -334,8 +334,11 @@ std::shared_ptr<EC_Group_Data> EC_Group::BER_decode_EC_group(const uint8_t bits[
.end_cons()
.verify_end();
- if(p.bits() < 64 || p.is_negative() || !is_bailie_psw_probable_prime(p))
- throw Decoding_Error("Invalid ECC p parameter");
+ if(p.bits() < 112 || p.bits() > 1024)
+ throw Decoding_Error("ECC p parameter is invalid size");
+
+ if(p.is_negative() || !is_bailie_psw_probable_prime(p))
+ throw Decoding_Error("ECC p parameter is not a prime");
if(a.is_negative() || a >= p)
throw Decoding_Error("Invalid ECC a parameter");
--
2.41.0

9
botan2.spec
View File

@ -2,13 +2,15 @@
Name: botan2
Version: 2.19.3
Release: 1
Release: 2
Summary: Crypto and TLS for C++11
License: BSD
URL: https://botan.randombit.net/
Source0: %{url}/releases/Botan-%{version}.tar.xz
Patch01: Backport-CVE-2024-34703-When-decoding-an-arbi.patch
BuildRequires: gcc-c++ python3 python3-devel python3-sphinx python-docutils
BuildRequires: bzip2-devel zlib-devel make
@ -52,7 +54,7 @@ This package contains the Python3 binding for %{name}.
%prep
%autosetup -n Botan-%{version}
%autosetup -n Botan-%{version} -p1
%build
@ -124,6 +126,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./botan-test
%changelog
* Tue Jul 02 2024 yinyongkang <yinyongkang@kylinos.cn> - 2.19.3-2
- fix CVE-2024-34703
* Mon Nov 28 2022 liweiganga <liweiganga@uniontech.com> - 2.19.3-1
- update to 2.19.3
- fix CVE-2022-43705