Bug 1923210 (CVE-2021-3345)

Summary: CVE-2021-3345 libgcrypt: Heap buffer overflow in the block buffer management code
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: cfergeau, crypto-team, elima, erik-fedora, fidencio, jjelen, kaycoth, marcandre.lureau, rh-spice-bugs, rjones, tm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libgcrypt 1.9.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libgcrypt. A heap-based buffer overflow in the block buffer management code may lead to memory corruption before any verification is made or signature is validated. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-01 20:42:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1923213, 1923267    
Bug Blocks: 1923214    

Description Pedro Sampaio 2021-02-01 15:08:57 UTC 
A flaw was found in glibcrypt 1.9.0. A heap based buffer overflow in the block buffer management code may lead to memory corruption before any verification is made or signature is validated.

Upstream patch:

https://dev.gnupg.org/rC512c0c75276949f13b6373b5c04f7065af750b08

References:

https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
https://twitter.com/filosottile/status/1355124205080240131?s=21
Comment 1 Pedro Sampaio 2021-02-01 15:09:40 UTC 
Created mingw-libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1923213]
Comment 2 lnacshon 2021-02-01 16:11:58 UTC 
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1923267]
Comment 3 Todd Cullum 2021-02-01 20:12:50 UTC 
Statement:

No Red Hat products are affected by this flaw, as the vulnerable version of libgcrypt (1.9.0) has not been shipped in any products.
Comment 4 Todd Cullum 2021-02-01 21:10:31 UTC 
External References:

https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
Comment 5 Todd Cullum 2021-02-01 21:50:42 UTC 
Flaw technical summary:

The _gcry_md_block_write() function in file cipher/hash-common.c is used for hashing. Specifically, it is used to write a chunk of data to the transform function of a hash algorithm[1]. libgcrypt has a partial mitigation to protect against timing side-channel attacks by sometimes writing (via call to gcry_md_write()) after the context is finalized. In this case, it is possible for hd->count to be greater than the blocksize, resulting in an underflow in calculation blocksize - hd->count, and finally leading to a heap-buffer-overflow -> out-of-bounds write of payload data supplied by an attacker in the subsequent call to buf_cpy(). 

The upstream patch inserts a check for if(hd->count > blocksize) and sets hd->count to 0 in order to prevent this flaw.

Note that Cryptographer Filipo Valsorda expresses some concern about the patch on [2].

1. https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/hash-common.c;512c0c75276949f13b6373b5c04f7065af750b08$113
2. https://twitter.com/FiloSottile/status/1355134373415280644