diff --git a/libgcrypt-1.9.2-coverity.patch b/libgcrypt-1.9.2-coverity.patch new file mode 100644 index 0000000..6673081 --- /dev/null +++ b/libgcrypt-1.9.2-coverity.patch @@ -0,0 +1,55 @@ +commit a8d6c6c1b258548260748eefba0532fd35c8ce47 +Author: NIIBE Yutaka +Date: Thu Apr 15 16:08:24 2021 +0900 + + cipher: Fix memory leaks for EdDSA. + + * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Free the point Q. + (_gcry_ecc_eddsa_verify): Avoid memory leaks for points and MPIs. + + -- + + GnuPG-bug-id: 5385 + Co-authored-by: Jakub Jelen + Signed-off-by: NIIBE Yutaka + +diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +index 2a1a8907..8b32545a 100644 +--- a/cipher/ecc-eddsa.c ++++ b/cipher/ecc-eddsa.c +@@ -641,7 +641,10 @@ _gcry_ecc_eddsa_genkey (mpi_ec_t ec, int flags) + ec->d = _gcry_mpi_set_opaque (NULL, dbuf, dlen*8); + rc = _gcry_ecc_eddsa_compute_h_d (&hash_d, ec); + if (rc) +- goto leave; ++ { ++ point_free (&Q); ++ goto leave; ++ } + + _gcry_mpi_set_buffer (a, hash_d, b, 0); + xfree (hash_d); +@@ -991,11 +994,6 @@ _gcry_ecc_eddsa_verify (gcry_mpi_t input, mpi_ec_t ec, + if (!mpi_is_opaque (input) || !mpi_is_opaque (r_in) || !mpi_is_opaque (s_in)) + return GPG_ERR_INV_DATA; + +- point_init (&Ia); +- point_init (&Ib); +- h = mpi_new (0); +- s = mpi_new (0); +- + b = (ec->nbits+7)/8; + + if (ec->nbits == 255) +@@ -1005,6 +1003,11 @@ _gcry_ecc_eddsa_verify (gcry_mpi_t input, mpi_ec_t ec, + else + return GPG_ERR_NOT_IMPLEMENTED; + ++ point_init (&Ia); ++ point_init (&Ib); ++ h = mpi_new (0); ++ s = mpi_new (0); ++ + /* Encode and check the public key. */ + rc = _gcry_ecc_eddsa_encodepoint (ec->Q, ec, NULL, NULL, 0, + &encpk, &encpklen); diff --git a/libgcrypt.spec b/libgcrypt.spec index e93314f..ed7666d 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt Version: 1.9.2 -Release: 2%{?dist} +Release: 3%{?dist} URL: https://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.xz # The original libgcrypt sources now contain potentially patented ECC @@ -46,6 +46,8 @@ Patch27: libgcrypt-1.8.3-md-fips-enforce.patch Patch30: libgcrypt-1.8.5-fips-module.patch # Unbreak gnupg2 build on s390x: https://dev.gnupg.org/T5356 Patch31: libgcrypt-1.9.2-s390x-ocb.patch +# Coverity reported issues https://dev.gnupg.org/T5385 +Patch32: libgcrypt-1.9.2-coverity.patch %global gcrylibdir %{_libdir} %global gcrysoname libgcrypt.so.20 @@ -95,6 +97,7 @@ applications using libgcrypt. %patch27 -p1 -b .fips-enforce %patch30 -p1 -b .fips-module %patch31 -p1 -b .s390x-ocb +%patch32 -p1 -b .coverity cp %{SOURCE4} cipher/ cp %{SOURCE5} %{SOURCE6} tests/ @@ -204,6 +207,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf %license COPYING %changelog +* Thu Apr 15 2021 Jakub Jelen - 1.9.2-3 +- Fix issues reported by coverity + * Mon Mar 29 2021 Jakub Jelen - 1.9.2-2 - Fix OCB tag creation on s390x (failing gnupg2 tests)