diff --git a/backport-build-Fix-broken-mlock-detection.patch b/backport-build-Fix-broken-mlock-detection.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ac52622632891d5db85e26bc63cd118a5a20061
--- /dev/null
+++ b/backport-build-Fix-broken-mlock-detection.patch
@@ -0,0 +1,63 @@
+From 66ff25ed4a8fd0c6897d8b18600be483c90ee436 Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin via Gcrypt-devel
+Date: Wed, 16 Jun 2021 10:07:11 +0200
+Subject: [PATCH] build: Fix broken mlock detection
+
+* acinclude.m4 [GNUPG_CHECK_MLOCK]: Use size_t for the ptr test.
+--
+
+We need to be careful when casting a pointer to a `long int`: the
+highest bit might be set, in which case the result is a negative number.
+
+In this instance, it is fatal: we now take the modulus of that negative
+number with regards to the page size, and subtract it from the page
+size. So what should be a number that is smaller than the page size is
+now larger than the page size.
+
+As a consequence, we do not try to lock a 4096-byte block that is at the
+page size boundary inside a `malloc()`ed block, but we try to do that
+_outside_ the block.
+
+Which means that we are not at all detecting whether `mlock()` is
+broken.
+
+This actually happened here, in the i686 MSYS2 build of libgcrypt.
+
+Let's be very careful to case the pointer to an _unsigned_ value
+instead.
+
+Note: technically, we should cast the pointer to a `size_t`. But since
+we only need the remainder modulo the page size (which is a power of
+two) anyway, it does not matter whether we clip, say, a 64-bit `size_t`
+to a 32-bit `unsigned long`. It does matter, though, whether we
+mistakenly turn the remainder into a negative one.
+
+Signed-off-by: Johannes Schindelin
+
+- Changed to use size_t for clarity.
+- Added ChangeLog entry.
+
+Take care: Building for Windows using MSYS is not supported, please
+use gcc and cross-compile.
+
+Signed-off-by: Werner Koch
+---
+ acinclude.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 3c8dfba..05bf88a 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -239,7 +239,7 @@ int main()
+ pool = malloc( 4096 + pgsize );
+ if( !pool )
+ return 2;
+- pool += (pgsize - ((long int)pool % pgsize));
++ pool += (pgsize - ((size_t)pool % pgsize));
+
+ err = mlock( pool, 4096 );
+ if( !err || errno == EPERM || errno == EAGAIN)
+--
+1.8.3.1
+
diff --git a/backport-hwf-arm-fix-incorrect-HWCAP2-for-SHA1-and-SHA2-on-AA.patch b/backport-hwf-arm-fix-incorrect-HWCAP2-for-SHA1-and-SHA2-on-AA.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e0e7447c144a80e0d2f29556b5461e4362bfddbc
--- /dev/null
+++ b/backport-hwf-arm-fix-incorrect-HWCAP2-for-SHA1-and-SHA2-on-AA.patch
@@ -0,0 +1,33 @@
+From 6b6bfd57d0a6b2b4577c084db35078cd9fadafa5 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna
+Date: Tue, 22 Dec 2020 19:54:16 +0200
+Subject: [PATCH] hwf-arm: fix incorrect HWCAP2 for SHA1 and SHA2 on AArch32
+
+* src/hwf-arm.c (HWCAP2_SHA1, HWCAP2_SHA2): Change from bit indexes to
+flags.
+--
+
+GnuPG-bug-id: 5195
+Signed-off-by: Jussi Kivilinna
+---
+ src/hwf-arm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/hwf-arm.c b/src/hwf-arm.c
+index 1d19ea8..4118858 100644
+--- a/src/hwf-arm.c
++++ b/src/hwf-arm.c
+@@ -54,8 +54,8 @@ struct feature_map_s {
+
+ #define HWCAP2_AES 1
+ #define HWCAP2_PMULL 2
+-#define HWCAP2_SHA1 3
+-#define HWCAP2_SHA2 4
++#define HWCAP2_SHA1 4
++#define HWCAP2_SHA2 8
+
+ static const struct feature_map_s arm_features[] =
+ {
+--
+1.8.3.1
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 2ed77d8350090c771ea307a16828e912e5251767..8ec250980f60538bd88eb6c328cefe2eb2684993 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
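Review bot: backport-build-Fix-broken-mlock-detection.patch changes only `acinclude.m4`, so the corrected probe reaches the build only if `configure` is regenerated after the patches are applied. The spec lists autoconf, automake and libtool in BuildRequires, but its %prep and %build sections are outside this diff. If they do not regenerate it (for example with `autoreconf -fi` before `%configure`), the shipped `configure` presumably still carries the `(long int)pool` cast and this backport has no effect. Going by the commit message, this probe decides whether `mlock()` is reported as broken, which in turn affects how the library locks memory holding key material, so it is worth confirming in a build log that the regenerated test runs. The test program's `main()` starts and ends outside the inner hunk.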
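Review bot: In backport-hwf-arm-fix-incorrect-HWCAP2-for-SHA1-and-SHA2-on-AA.patch the four `HWCAP2_*` values are bare decimals (`1`, `2`, `4`, `8`), with nothing to show that they are single-bit masks rather than bit indexes, which is the confusion the patch itself corrects. A comment above the defines in `src/hwf-arm.c`, such as `/* Bit masks tested against the HWCAP2 word, not bit positions. */`, would prevent a later entry from repeating the mistake. Since this is a verbatim upstream backport, the comment is better proposed upstream than added to the local patch. The preprocessor block enclosing these defines begins outside the inner hunk, so the hunk does not show whether they are only fallbacks for missing system headers.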
@@ -4,7 +4,7 @@ Name: libgcrypt Version: 1.8.6 -Release: 4 +Release: 5 Summary: A general-purpose cryptography library License: LGPLv2+ URL: https://www.gnupg.org/ @@ -33,6 +33,8 @@ Patch6005: CVE-2019-12904-2.patch Patch6006: CVE-2019-12904-3.patch Patch6007: CVE-2021-33560.patch Patch6008: CVE-2021-40528.patch +Patch6009: backport-hwf-arm-fix-incorrect-HWCAP2-for-SHA1-and-SHA2-on-AA.patch +Patch6010: backport-build-Fix-broken-mlock-detection.patch BuildRequires: gcc texinfo git autoconf automake libtool BuildRequires: gawk libgpg-error-devel >= 1.11 pkgconfig @@ -138,6 +140,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf %{_infodir}/gcrypt.info* %changelog +* Thu Sep 30 2021 zcfsite - 1.8.6-5 +- backport upstream patches + * Fri Sep 24 2021 zoulin - 1.8.6-4 - Type:cves - ID:NA