Commit 3c8832f8 authored by Marta Rybczynska

libgcrypt: solve CVE-2021-33560 and CVE-2021-40528

This change fixes patches for two issues reported in a research
paper [1]: a side channel attack (*) and a cross-configuration
attack (**).

In this commit we add a fix for (*) that wasn't marked as a CVE
initially in the upstream. A fix of (**) available in Yocto
backport is in fact fixing CVE-2021-40528, not CVE-2021-33560
as marked in the commit message.

We commit the actual fix for CVE-2021-33560 and whitelist
CVE-2021-40528 until we rename the patch upstream.

For details of the mismatch and the timeline see [2] (fix of the
documentation) and [3] (the related ticket upstream).

[1] https://eprint.iacr.org/2021/923.pdf
[2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
[3] https://dev.gnupg.org/T5328#149606



Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
parent cbc11ddc