From ee345060262883408f6c24e48c9cab5e9a858907 Mon Sep 17 00:00:00 2001
From: liningjie
Date: Mon, 30 Sep 2024 01:52:46 +0800
Subject: [PATCH] Fix CVE-2024-50382
---
 backport-CVE-2024-50382.patch | 64 +++++++++++++++++++++++++++++++++++
 botan2.spec | 6 +++-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-50382.patch
diff --git a/backport-CVE-2024-50382.patch b/backport-CVE-2024-50382.patch
new file mode 100644
index 0000000..458f8ac
--- /dev/null
+++ b/backport-CVE-2024-50382.patch
@@ -0,0 +1,64 @@
+From 53b0cfde580e86b03d0d27a488b6c134f662e957 Mon Sep 17 00:00:00 2001
+From: Jack Lloyd
+Date: Sat, 19 Oct 2024 07:43:18 -0400
+Subject: [PATCH] Add more value barriers to avoid compiler induced side
+ channels
+
+The paper https://arxiv.org/pdf/2410.13489 claims that on specific
+architectures Clang and GCC may introduce jumps here. The donna128
+issues only affect 32-bit processors, which explains why we would not
+see it in the x86-64 valgrind runs.
+
+The GHASH leak would seem to be generic but the authors only observed
+it on RISC-V.
+---
+ src/lib/utils/donna128.h | 5 +++--
+ src/lib/utils/ghash/ghash.cpp | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/utils/donna128.h b/src/lib/utils/donna128.h
+index ff57190..1cbf060 100644
+--- a/src/lib/utils/donna128.h
++++ b/src/lib/utils/donna128.h
+@@ -8,6 +8,7 @@
+ #ifndef BOTAN_CURVE25519_DONNA128_H_
+ #define BOTAN_CURVE25519_DONNA128_H_
+ 
++#include
+ #include
+ 
+ namespace Botan {
+@@ -61,7 +62,7 @@ class donna128 final
+ l += x.l;
+ h += x.h;
+ 
+- const uint64_t carry = (l < x.l);
++ const uint64_t carry = CT::Mask::is_lt(l, x.l).if_set_return(1);
+ h += carry;
+ return *this;
+ }
+@@ -69,7 +70,7 @@ class donna128 final
+ donna128& operator+=(uint64_t x)
+ {
+ l += x;
+- const uint64_t carry = (l < x);
++ const uint64_t carry = CT::Mask::is_lt(l, x).if_set_return(1);
+ h += carry;
+ return *this;
+ }
+diff --git a/src/lib/utils/ghash/ghash.cpp b/src/lib/utils/ghash/ghash.cpp
+index e24f5e0..8f0afa7 100644
+--- a/src/lib/utils/ghash/ghash.cpp
++++ b/src/lib/utils/ghash/ghash.cpp
+@@ -139,7 +139,7 @@ void GHASH::key_schedule(const uint8_t key[], size_t length)
+ m_HM[4*j+2*i+1] = H1;
+ 
+ // GCM's bit ops are reversed so we carry out of the bottom
+- const uint64_t carry = R * (H1 & 1);
++ const uint64_t carry = CT::Mask::expand(H1 & 1).if_set_return(R);
+ H1 = (H1 >> 1) | (H0 << 63);
+ H0 = (H0 >> 1) ^ carry;
+ }
+-- 
+2.33.0
+
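Review bot: The added `+#include` line carries no header name here and the new `CT::Mask::is_lt(...)` / `CT::Mask::expand(...)` calls carry no template argument, while in Botan `CT::Mask` is a class template; this is most likely angle-bracket text stripped in rendering, but if the stored backport-CVE-2024-50382.patch really reads this way the package will not build, so confirm the file contains `#include <botan/internal/ct_utils.h>` and `CT::Mask<uint64_t>::is_lt(l, x.l).if_set_return(1)` (and the matching `CT::Mask<uint64_t>::expand(H1 & 1).if_set_return(R)` in ghash.cpp) as in upstream 53b0cfde. The hunk offsets and the `class donna128 final` brace style show this is a hand-adapted backport to 2.19.3 rather than a verbatim cherry-pick, so it is worth a quick diff against the upstream commit to make sure all three barrier sites were carried over and nothing was dropped in the adaptation. Note also that `%check` running botan-test only proves functional correctness; per the embedded commit message the donna128 leak is 32-bit-only and the GHASH one was observed on RISC-V, so a green x86-64 test run says nothing about whether the constant-time property actually holds and should not be read as verification of the fix.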
diff --git a/botan2.spec b/botan2.spec
index c63b46c..dc3377d 100644
--- a/botan2.spec
+++ b/botan2.spec
@@ -2,7 +2,7 @@ Name: botan2
 Version: 2.19.3
-Release: 3
+Release: 4
 Summary: Crypto and TLS for C++11
 License: BSD
@@ -11,6 +11,7 @@ Source0: %{url}/releases/Botan-%{version}.tar.xz
 Patch01: Backport-CVE-2024-34703-When-decoding-an-arbi.patch
 Patch02: backport-CVE-2024-39312.patch
+Patch03: backport-CVE-2024-50382.patch
 BuildRequires: gcc-c++ python3 python3-devel python3-sphinx python-docutils
 BuildRequires: bzip2-devel zlib-devel make
@@ -127,6 +128,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./botan-test
 %changelog
+* Fri Oct 25 2024 liningjie - 2.19.3-4
+- Fix CVE-2024-50382
+
 * Wed Jul 10 2024 liweigang - 2.19.3-3
 - fix CVE-2024-39312
 - fix CVE-2024-34702
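Review bot: `Patch03:` declares the backport, but `%prep` is outside this diff, so whether the patch is actually applied depends on the spec using `%autosetup -p1` (or an explicit `%patch3 -p1` line); if the existing Patch01/Patch02 are applied with explicit `%patchN` lines, an equivalent line for Patch03 is needed, otherwise the Release bump and changelog entry claim a fix that never reaches the build. The patch's `a/src/lib/utils/...` paths are strip-level 1 relative to the unpacked Botan-%{version} tree, which matches the existing patches. Separately, this commit's author date (`Mon, 30 Sep 2024`) predates both the upstream fix it embeds (`Sat, 19 Oct 2024`) and the changelog entry (`Fri Oct 25 2024`); probably a rebased commit, but the inconsistent provenance trail is worth tidying before merge so the backport can be traced cleanly to upstream 53b0cfde.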