From 463464b16b02addc16cc6e2d4559fb0b41a9ce80 Mon Sep 17 00:00:00 2001
From: luffyluo
Date: Wed, 4 Jun 2025 20:50:41 +0800
Subject: [PATCH] disabling PKCS#1 v1.5 padding (CVE-2024-2467)
---
0001-Disable-PKCS-1-v1.5-padding.patch | 79 ++++++++++++++++++++++++++
perl-Crypt-OpenSSL-RSA.spec | 9 ++-
2 files changed, 87 insertions(+), 1 deletion(-)
create mode 100644 0001-Disable-PKCS-1-v1.5-padding.patch
diff --git a/0001-Disable-PKCS-1-v1.5-padding.patch b/0001-Disable-PKCS-1-v1.5-padding.patch
new file mode 100644
index 0000000..af79006
--- /dev/null
+++ b/0001-Disable-PKCS-1-v1.5-padding.patch
@@ -0,0 +1,79 @@
+From f986c31575f41107bfe66610cdf922d6858a36be Mon Sep 17 00:00:00 2001
+From: Timothy Legge
+Date: Tue, 6 May 2025 21:54:07 -0300
+Subject: [PATCH] Disable PKCS#1 v1.5 padding
+
+---
+ RSA.pm | 14 ++++++++++++--
+ RSA.xs | 2 +-
+ t/rsa.t | 5 +----
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/RSA.pm b/RSA.pm
+index a08d9cc..0b153b4 100644
+--- a/RSA.pm
++++ b/RSA.pm
+@@ -55,6 +55,13 @@ Crypt::OpenSSL::RSA - RSA encoding and decoding, using the openSSL libraries
+ $signature = $rsa_priv->sign($plaintext);
+ print "Signed correctly\n" if ($rsa->verify($plaintext, $signature));
+
++=head1 SECURITY
++
++Version 0.35 makes the use of PKCS#1 v1.5 padding a fatal error. It is
++very difficult to implement PKCS#1 v1.5 padding securely. If you are still
++using RSA in in general, you should be looking at alternative encryption
++algorithms.
++
+ =head1 DESCRIPTION
+
+ C provides the ability to RSA encrypt strings which are
+@@ -238,8 +245,11 @@ Encrypting user data directly with RSA is insecure.
+
+ =item use_pkcs1_padding
+
+-Use PKCS #1 v1.5 padding. This currently is the most widely used mode
+-of padding.
++PKCS #1 v1.5 padding has been disabled as it is nearly impossible to use this
++padding method in a secure manner. It is known to be vulnerable to timing
++based side channel attacks. use_pkcs1_padding() results in a fatal error.
++
++L
+
+ =item use_pkcs1_oaep_padding
+
+diff --git a/RSA.xs b/RSA.xs
+index 5f5cfae..42bee5f 100644
+--- a/RSA.xs
++++ b/RSA.xs
+@@ -672,7 +672,7 @@ void
+ use_pkcs1_padding(p_rsa)
+ rsaData* p_rsa;
+ CODE:
+- p_rsa->padding = RSA_PKCS1_PADDING;
++ croak("PKCS#1 1.5 is disabled as it is known to be vulnerable to marvin attacks.");
+
+ void
+ use_pkcs1_oaep_padding(p_rsa)
+diff --git a/t/rsa.t b/t/rsa.t
+index d3e7f0b..e19909c 100644
+--- a/t/rsa.t
++++ b/t/rsa.t
+@@ -4,7 +4,7 @@ use Test::More;
+ use Crypt::OpenSSL::Random;
+ use Crypt::OpenSSL::RSA;
+
+-BEGIN { plan tests => 43 + ( UNIVERSAL::can( "Crypt::OpenSSL::RSA", "use_sha512_hash" ) ? 4 * 5 : 0 ) }
++BEGIN { plan tests => 37 + ( UNIVERSAL::can( "Crypt::OpenSSL::RSA", "use_sha512_hash" ) ? 4 * 5 : 0 ) }
+
+ sub _Test_Encrypt_And_Decrypt {
+ my ( $p_plaintext_length, $p_rsa, $p_check_private_encrypt ) = @_;
+@@ -70,9 +70,6 @@ ok( $rsa->check_key() );
+ $rsa->use_no_padding();
+ _Test_Encrypt_And_Decrypt( $rsa->size(), $rsa, 1 );
+
+-$rsa->use_pkcs1_padding();
+-_Test_Encrypt_And_Decrypt( $rsa->size() - 11, $rsa, 1 );
+-
+ $rsa->use_pkcs1_oaep_padding();
+
+ # private_encrypt does not work with pkcs1_oaep_padding
diff --git a/perl-Crypt-OpenSSL-RSA.spec b/perl-Crypt-OpenSSL-RSA.spec
index 61bcc68..4164e1c 100644
--- a/perl-Crypt-OpenSSL-RSA.spec
+++ b/perl-Crypt-OpenSSL-RSA.spec
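Review bot: The t/rsa.t part of the bundled 0001-Disable-PKCS-1-v1.5-padding.patch removes the PKCS#1 v1.5 round-trip test but adds nothing that asserts the new failure, so a later rebase that silently loses the croak() in RSA.xs would still pass `make test`. A regression check placed after the `use_no_padding()` block would pin the fix: `eval { $rsa->use_pkcs1_padding() }; like( $@, qr/disabled/, 'PKCS#1 v1.5 padding is refused' );`, with the plan raised from 37 to 38. The added POD also says "Version 0.35" while this package stays at 0.33, which will mislead anyone reading the installed man page; a short comment that the behaviour is backported would help. Any reverse dependency that still calls use_pkcs1_padding() will now die at run time, so those callers are worth checking before the build ships.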
@@ -1,11 +1,15 @@ Summary: Perl interface to OpenSSL for RSA Name: perl-Crypt-OpenSSL-RSA Version: 0.33 -Release: 3%{?dist} +Release: 4%{?dist} License: GPL+ or Artistic URL: https://metacpan.org/release/Crypt-OpenSSL-RSA Source0: https://cpan.metacpan.org/authors/id/T/TO/TODDR/Crypt-OpenSSL-RSA-%{version}.tar.gz +# https://github.com/cpan-authors/Crypt-OpenSSL-RSA/issues/42 +# https://github.com/cpan-authors/Crypt-OpenSSL-RSA/commit/f986c31575f41107bfe66610cdf922d6858a36be +Patch0001: 0001-Disable-PKCS-1-v1.5-padding.patch + BuildRequires: perl(Test) perl(Test::More) BuildRequires: perl(Carp) perl(Crypt::OpenSSL::Bignum) perl(Crypt::OpenSSL::Random) perl(XSLoader) perl(base) BuildRequires: perl(strict) perl(warnings) perl(AutoLoader) @@ -42,6 +46,9 @@ make test %{_mandir}/man3/* %changelog +* Wed Jun 04 2025 Chunsheng Luo - 0.33-4 +- disabling PKCS#1 v1.5 padding (CVE-2024-2467) + * Thu Sep 26 2024 OpenCloudOS Release Engineering - 0.33-3 - Rebuilt for clarifying the packages requirement in BaseOS and AppStream -- Gitee
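Review bot: The first hunk declares `Patch0001:` but the %prep section lies outside the lines shown, so it is not visible whether the patch is ever applied. If %prep still runs a bare `%setup -q`, the package would be released as 0.33-4 with a changelog entry claiming the CVE-2024-2467 fix while use_pkcs1_padding() keeps working. Confirm that %prep uses `%autosetup -p1` or carries an explicit `%patch` line for patch 1. It would also help to note in the comment above `Patch0001:` that this is a backport onto 0.33, since the patched POD refers to version 0.35.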