code.ossystems Code Review - openembedded-core.git/commit
libgcrypt: solve CVE-2021-33560 and CVE-2021-40528
author Marta Rybczynska <rybczynska@gmail.com>
Mon, 6 Dec 2021 07:15:43 +0000 (08:15 +0100)
committer Steve Sakoman <steve@sakoman.com>
Fri, 10 Dec 2021 15:43:04 +0000 (05:43 -1000)
commit 0ce5c68933b52d2cfe9eea967d24d57ac82250c3
tree e4d2767b8104fdefafe2139dd0307acb7af71dc1
parent 15ccac9307a8a3a69ea7e9e611688dbb63df32aa
libgcrypt: solve CVE-2021-33560 and CVE-2021-40528

This change fixes patches for two issues reported in a research
paper [1]: a side channel attack (*) and a cross-configuration
attack (**).

In this commit we add a fix for (*) that wasn't marked as a CVE
initially upstream. A fix of (**) previously available in OE
backports is in fact fixing CVE-2021-40528, not CVE-2021-33560
as marked in the commit message.

We commit the actual fix for CVE-2021-33560 and rename the
existing fix with the correct CVE-2021-40528.

For details of the mismatch and the timeline see [2] (fix of the
documentation) and [3] (the related ticket upstream).

[1] https://eprint.iacr.org/2021/923.pdf
[2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
[3] https://dev.gnupg.org/T5328#149606

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch [new file with mode: 0644]
meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb