From da9a6807d6279c1bae8365c9c7c17a57b909de82 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 26 Jun 2026 15:36:17 +0200 Subject: [PATCH] Fix CVE-2026-41989: Denial of Service and buffer overflow via crafted ECDH ciphertext Resolves: RHEL-182708 --- libgcrypt-1.8.5-montgomery-zeroes.patch | 151 ++++++++++++++++++++++++ libgcrypt.spec | 3 + 2 files changed, 154 insertions(+) create mode 100644 libgcrypt-1.8.5-montgomery-zeroes.patch diff --git a/libgcrypt-1.8.5-montgomery-zeroes.patch b/libgcrypt-1.8.5-montgomery-zeroes.patch new file mode 100644 index 0000000..25db77a --- /dev/null +++ b/libgcrypt-1.8.5-montgomery-zeroes.patch @@ -0,0 +1,151 @@ +From: NIIBE Yutaka +Date: Tue, 27 Apr 2021 17:24:16 +0900 +Subject: [PATCH] ecc: Check the input length for the point. + +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length +of valid point representation. + +-- + +Backport the commit of master: + + 060c378c050e7ec6206358c681a313d6e1967dcf + +In the use case of GnuPG, ECDH decryption for anonymous recipient may +try to decrypt with different curves. When the input data of +ephemeral key does not match one of the private key, it should return +GPG_ERR_INV_OBJ. + +Signed-off-by: NIIBE Yutaka +--- + cipher/ecc-misc.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c +index 34dd6804..b89dcfa6 100644 +--- a/cipher/ecc-misc.c ++++ b/cipher/ecc-misc.c +@@ -294,6 +294,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) + { + unsigned char *rawmpi; + unsigned int rawmpilen; ++ unsigned int nbytes = (ctx->nbits+7)/8; + + if (mpi_is_opaque (pk)) + { +@@ -305,27 +306,36 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) + return GPG_ERR_INV_OBJ; + rawmpilen = (rawmpilen + 7)/8; + +- if (rawmpilen > 1 && (rawmpilen%2) && buf[0] == 0x40) ++ if (rawmpilen == nbytes + 1 ++ && (buf[0] == 0x00 || buf[0] == 0x40)) + { + rawmpilen--; + buf++; + } ++ else if (rawmpilen > nbytes) ++ return GPG_ERR_INV_OBJ; + +- rawmpi = xtrymalloc (rawmpilen? rawmpilen:1); ++ rawmpi = xtrymalloc (nbytes); + if (!rawmpi) + return gpg_err_code_from_syserror (); + + p = rawmpi + rawmpilen; + while (p > rawmpi) + *--p = *buf++; ++ ++ if (rawmpilen < nbytes) ++ memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen); + } + else + { +- unsigned int nbytes = (ctx->nbits+7)/8; +- + rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL); + if (!rawmpi) + return gpg_err_code_from_syserror (); ++ if (rawmpilen > nbytes + 1) ++ { ++ xfree (rawmpi); ++ return GPG_ERR_INV_OBJ; ++ } + /* + * It is not reliable to assume that 0x40 means the prefix. + * +-- +2.54.0 + +From bd662c090bd4a45cc830de9e42e96dd0f8e1f702 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Thu, 6 May 2021 12:35:19 +0900 +Subject: [PATCH] ecc: Fix the previous commit. + +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition. + +-- + +GnuPG-bug-id: 5423 +Signed-off-by: NIIBE Yutaka +--- + cipher/ecc-misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c +index b89dcfa6..0c387c27 100644 +--- a/cipher/ecc-misc.c ++++ b/cipher/ecc-misc.c +@@ -331,7 +331,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) + rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL); + if (!rawmpi) + return gpg_err_code_from_syserror (); +- if (rawmpilen > nbytes + 1) ++ if (rawmpilen > nbytes + BYTES_PER_MPI_LIMB) + { + xfree (rawmpi); + return GPG_ERR_INV_OBJ; +-- +2.54.0 + + +From 5ba63ec41a6e734c9ff82e20e4f84ac94c59ae27 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Fri, 10 Apr 2026 16:58:57 +0900 +Subject: [PATCH] cipher:ecc: Fix decoding a point on Montgomery curve. + +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the padding +mistake and add updating RAWMPILEN. + +-- + +Reported by Calif.io in collaboration with Claude and Anthropic +Research. + +GnuPG-bug-id: 8211 +Fixes-commit: bbe15758c893dbf546416c1a6bccdad1ab000ad7 +Suggested-by: Bronson Yen +Signed-off-by: NIIBE Yutaka +--- + cipher/ecc-misc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c +index 0c387c27..be4e2862 100644 +--- a/cipher/ecc-misc.c ++++ b/cipher/ecc-misc.c +@@ -324,7 +324,10 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) + *--p = *buf++; + + if (rawmpilen < nbytes) +- memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen); ++ { ++ memset (rawmpi + rawmpilen, 0, nbytes - rawmpilen); ++ rawmpilen = nbytes; ++ } + } + else + { +-- +2.54.0 + diff --git a/libgcrypt.spec b/libgcrypt.spec index 7c5de9f..d41acab 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -69,6 +69,8 @@ Patch38: libgcrypt-1.8.5-fips-hwfeatures.patch Patch39: libgcrypt-1.8.5-ppc-chacha20-poly1305.patch # Fix CVE-2021-33560 (elgamal blinding) Patch40: libgcrypt-1.8.5-elgamal-blinding.patch +# https://dev.gnupg.org/T8211.html +Patch41: libgcrypt-1.8.5-montgomery-zeroes.patch %define gcrylibdir %{_libdir} @@ -130,6 +132,7 @@ applications using libgcrypt. %patch38 -p1 -b .hw-fips %patch39 -p1 -b .ppc-chacha %patch40 -p1 -b .elgamal-blinding +%patch41 -p1 -b .montgomery-zeroes cp %{SOURCE4} cipher/ cp %{SOURCE5} %{SOURCE6} tests/