diff --git a/CVE-2023-36328.patch b/CVE-2023-36328.patch new file mode 100644 index 0000000..00f2215 --- /dev/null +++ b/CVE-2023-36328.patch @@ -0,0 +1,106 @@ +From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 +From: czurnieden +Date: Tue, 9 May 2023 17:17:12 +0200 +Subject: [PATCH] Fix possible integer overflow + +[fsumsal] Slightly altered to make it work with libtommath-1.1.0 + +--- + bn_mp_2expt.c | 4 ++++ + bn_mp_grow.c | 4 ++++ + bn_mp_init_size.c | 5 +++++ + bn_mp_mul_2d.c | 4 ++++ + bn_s_mp_mul_digs.c | 4 ++++ + bn_s_mp_mul_high_digs.c | 4 ++++ + 8 files changed, 33 insertions(+) + +diff --git a/bn_mp_2expt.c b/bn_mp_2expt.c +index 0ae3df1bf..23de0c3c5 100644 +--- a/bn_mp_2expt.c ++++ b/bn_mp_2expt.c +@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) + { + int res; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* zero a as per default */ + mp_zero(a); + +diff --git a/bn_mp_grow.c b/bn_mp_grow.c +index 9e904c547..2b1682651 100644 +--- a/bn_mp_grow.c ++++ b/bn_mp_grow.c +@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) + int i; + mp_digit *tmp; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + /* if the alloc size is smaller alloc more ram */ + if (a->alloc < size) { + /* ensure there are always at least MP_PREC digits extra on top */ +diff --git a/bn_mp_init_size.c b/bn_mp_init_size.c +index d62268721..99573833f 100644 +--- a/bn_mp_init_size.c ++++ b/bn_mp_init_size.c +@@ -6,6 +6,10 @@ + { + int x; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + /* pad size so there are always extra digits */ + size += (MP_PREC * 2) - (size % MP_PREC); + +diff --git a/bn_mp_mul_2d.c b/bn_mp_mul_2d.c +index 87354de20..bfeaf2eb2 100644 +--- a/bn_mp_mul_2d.c ++++ b/bn_mp_mul_2d.c +@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c) + mp_digit d; + int res; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* copy */ + if (a != c) { + if ((res = mp_copy(a, c)) != MP_OKAY) { +diff --git a/bn_s_mp_mul_digs.c b/bn_s_mp_mul_digs.c +index 64509d4cb..3682b4980 100644 +--- a/bn_s_mp_mul_digs.c ++++ b/bn_s_mp_mul_digs.c +@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if ((digs < (int)MP_WARRAY) && + (MIN(a->used, b->used) < +diff --git a/bn_s_mp_mul_high_digs.c b/bn_s_mp_mul_high_digs.c +index 2bb2a5098..c9dd355f8 100644 +--- a/bn_s_mp_mul_high_digs.c ++++ b/bn_s_mp_mul_high_digs.c +@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + #ifdef BN_FAST_S_MP_MUL_HIGH_DIGS_C + if (((a->used + b->used + 1) < (int)MP_WARRAY) diff --git a/libtommath.spec b/libtommath.spec index 67580b0..a09f060 100644 --- a/libtommath.spec +++ b/libtommath.spec @@ -7,6 +7,8 @@ URL: http://www.libtom.net/ Source0: https://github.com/libtom/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch: CVE-2023-36328.patch + BuildRequires: ghostscript BuildRequires: libtiff-tools BuildRequires: libtool @@ -44,7 +46,7 @@ Obsoletes: %{name}-doc < 0.42-1 The %{name}-doc package contains PDF documentation for using %{name}. %prep -%setup -q +%autosetup -p1 # Fix permissions on installed library sed -i -e 's/644 $(LIBNAME)/755 $(LIBNAME)/g' makefile.shared # Fix pkgconfig path