botan1.10: CVE-2017-14737: A cryptographic cache-based side channel in the RSA implementation allows local attacker to recover information about RSA secret keys

Debian Bug report logs - #877436
botan1.10: CVE-2017-14737: A cryptographic cache-based side channel in the RSA implementation allows local attacker to recover information about RSA secret keys

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: botan1.10: CVE-2017-14737:A cryptographic cache-based side channel in the RSA implementation allows local attacker to recover information about RSA secret keys

Date: Sun, 01 Oct 2017 20:55:11 +0200

Source: botan1.10
Version: 1.10.16-1
Severity: grave
Tags: patch upstream security
Forwarded: https://github.com/randombit/botan/issues/1222

Hi,

the following vulnerability was published for botan1.10.

CVE-2017-14737[0]:
| A cryptographic cache-based side channel in the RSA implementation in
| Botan before 1.10.17, and 1.11.x and 2.x before 2.3.0, allows a local
| attacker to recover information about RSA secret keys, as demonstrated
| by CacheD. This occurs because an array is indexed with bits derived
| from a secret key.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14737
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14737
[1] https://github.com/randombit/botan/issues/1222

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #16 received at 877436@bugs.debian.org (full text, mbox, reply):

From: zeha@debian.org

To: 877436@bugs.debian.org

Subject: botan1.10: diff for NMU version 1.10.17-0.1

Date: Mon, 09 Oct 2017 09:33:03 +0000

Control: tags 877436 + pending

Dear Ondřej,

I've prepared an NMU for botan1.10 (versioned as 1.10.17-0.1) and
will upload it to DELAYED/4. Please feel free to tell me if I
should delay it longer.

Cheers,
Chris


diff -Nru botan1.10-1.10.16/botan_version.py botan1.10-1.10.17/botan_version.py
--- botan1.10-1.10.16/botan_version.py	2017-04-05 01:07:02.000000000 +0000
+++ botan1.10-1.10.17/botan_version.py	2017-10-02 06:00:00.000000000 +0000
@@ -1,11 +1,11 @@
 
 release_major = 1
 release_minor = 10
-release_patch = 16
+release_patch = 17
 
 release_so_abi_rev = 1
 
 # These are set by the distribution script
-release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e'
-release_datestamp = 20170404
-release_type = 'released'
+release_vc_rev = 'git:f7fe6beb5b3b6f944aa7bac491a3455e48ef6ebb'
+release_datestamp = 20171002
+release_type = 'release'
diff -Nru botan1.10-1.10.16/configure.py botan1.10-1.10.17/configure.py
--- botan1.10-1.10.16/configure.py	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/configure.py	2017-10-02 06:00:00.000000000 +0000
@@ -59,9 +59,6 @@
         logging.debug('Monotone reported revision %s' % (rev))
 
         return 'mtn:' + rev
-    except OSError as e:
-        logging.debug('Error getting rev from monotone - %s' % (e[1]))
-        return 'unknown'
     except Exception as e:
         logging.debug('Error getting rev from monotone - %s' % (e))
         return 'unknown'
diff -Nru botan1.10-1.10.16/debian/changelog botan1.10-1.10.17/debian/changelog
--- botan1.10-1.10.16/debian/changelog	2017-05-29 11:45:02.000000000 +0000
+++ botan1.10-1.10.17/debian/changelog	2017-10-09 09:19:15.000000000 +0000
@@ -1,3 +1,13 @@
+botan1.10 (1.10.17-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release 1.10.17 (Closes: #877436)
+    + [CVE-2017-14737]: Side channel affecting modular exponentiation
+    + Upstream has imported Debian architecture support patches, removed
+      them.
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Mon, 09 Oct 2017 09:19:15 +0000
+
 botan1.10 (1.10.16-1) unstable; urgency=high
 
   * Update d/watch to match new upstream download directory
diff -Nru botan1.10-1.10.16/debian/patches/0001-add-mips64-mipsn32-support.patch botan1.10-1.10.17/debian/patches/0001-add-mips64-mipsn32-support.patch
--- botan1.10-1.10.16/debian/patches/0001-add-mips64-mipsn32-support.patch	2017-05-29 11:45:02.000000000 +0000
+++ botan1.10-1.10.17/debian/patches/0001-add-mips64-mipsn32-support.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,64 +0,0 @@
-From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
-Date: Tue, 29 Nov 2016 15:10:20 +0100
-Subject: add-mips64-mipsn32-support
-
----
- src/build-data/arch/mipsn32.txt | 22 ++++++++++++++++++++++
- src/build-data/cc/clang.txt     |  2 ++
- src/build-data/cc/gcc.txt       |  1 +
- 3 files changed, 25 insertions(+)
- create mode 100644 src/build-data/arch/mipsn32.txt
-
-diff --git a/src/build-data/arch/mipsn32.txt b/src/build-data/arch/mipsn32.txt
-new file mode 100644
-index 0000000..96ced25
---- /dev/null
-+++ b/src/build-data/arch/mipsn32.txt
-@@ -0,0 +1,22 @@
-+<aliases>
-+mipsn32el # For Debian
-+</aliases>
-+
-+<submodels>
-+r4000
-+r4100
-+r4300
-+r4400
-+r4600
-+r4560
-+r5000
-+r8000
-+r10000
-+</submodels>
-+
-+<submodel_aliases>
-+r4k -> r4000
-+r5k -> r5000
-+r8k -> r8000
-+r10k -> r10000
-+</submodel_aliases>
-diff --git a/src/build-data/cc/clang.txt b/src/build-data/cc/clang.txt
-index cbcfd89..23237e3 100644
---- a/src/build-data/cc/clang.txt
-+++ b/src/build-data/cc/clang.txt
-@@ -39,6 +39,8 @@ westmere  -> "-march=corei7 -maes"
- 
- <mach_abi_linking>
- x86_64  -> "-m64"
-+mips32  -> "-mabi=32"
-+mipsn32  -> "-mabi=n32"
- mips64  -> "-mabi=64"
- s390    -> "-m31"
- s390x   -> "-m64"
-diff --git a/src/build-data/cc/gcc.txt b/src/build-data/cc/gcc.txt
-index 1fc6831..938c065 100644
---- a/src/build-data/cc/gcc.txt
-+++ b/src/build-data/cc/gcc.txt
-@@ -80,6 +80,7 @@ hppa      -> "-march=SUBMODEL" hppa
- ia64      -> "-mtune=SUBMODEL"
- m68k      -> "-mSUBMODEL"
- mips32    -> "-mips1 -mcpu=SUBMODEL" mips32-
-+mipsn32    -> "-mips3 -mcpu=SUBMODEL" mips64-
- mips64    -> "-mips3 -mcpu=SUBMODEL" mips64-
- ppc32     -> "-mcpu=SUBMODEL" ppc
- ppc64     -> "-mcpu=SUBMODEL" ppc
diff -Nru botan1.10-1.10.16/debian/patches/0002-add-powerpc64le-support.patch botan1.10-1.10.17/debian/patches/0002-add-powerpc64le-support.patch
--- botan1.10-1.10.16/debian/patches/0002-add-powerpc64le-support.patch	2017-05-29 11:45:02.000000000 +0000
+++ botan1.10-1.10.17/debian/patches/0002-add-powerpc64le-support.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,109 +0,0 @@
-From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
-Date: Tue, 29 Nov 2016 15:10:20 +0100
-Subject: add-powerpc64le-support
-
----
- src/build-data/arch/ppc64.txt   |  5 ++++-
- src/build-data/arch/ppc64le.txt | 21 +++++++++++++++++++++
- src/build-data/cc/gcc.txt       |  1 +
- src/math/mp/mp_asm64/info.txt   |  1 +
- src/utils/cpuid.cpp             |  6 ++++++
- 5 files changed, 33 insertions(+), 1 deletion(-)
- create mode 100644 src/build-data/arch/ppc64le.txt
-
-diff --git a/src/build-data/arch/ppc64.txt b/src/build-data/arch/ppc64.txt
-index 954d918..f6f568e 100644
---- a/src/build-data/arch/ppc64.txt
-+++ b/src/build-data/arch/ppc64.txt
-@@ -17,6 +17,9 @@ power4
- power5
- power6
- power7
-+power7p
-+power8
-+power8e
- cellppu
- </submodels>
- 
-@@ -25,5 +28,5 @@ cellbroadbandengine -> cellppu
- </submodel_aliases>
- 
- <isa_extn>
--altivec:cellppu,ppc970,power6,power7
-+altivec:cellppu,ppc970,power6,power7,power7p,power8,power8e
- </isa_extn>
-diff --git a/src/build-data/arch/ppc64le.txt b/src/build-data/arch/ppc64le.txt
-new file mode 100644
-index 0000000..da93668
---- /dev/null
-+++ b/src/build-data/arch/ppc64le.txt
-@@ -0,0 +1,21 @@
-+endian little
-+
-+family ppc
-+
-+<aliases>
-+powerpc64le
-+ppc64el
-+</aliases>
-+
-+<submodels>
-+power7
-+power7p
-+power8
-+power8e
-+</submodels>
-+
-+# This should be enabled for all targets, but the Altivec code currently
-+# makes lots of endian assumptions that I don't have the time to fix up:
-+#<isa_extn>
-+#altivec:all
-+#</isa_extn>
-diff --git a/src/build-data/cc/gcc.txt b/src/build-data/cc/gcc.txt
-index 938c065..32e19c9 100644
---- a/src/build-data/cc/gcc.txt
-+++ b/src/build-data/cc/gcc.txt
-@@ -84,6 +84,7 @@ mipsn32    -> "-mips3 -mcpu=SUBMODEL" mips64-
- mips64    -> "-mips3 -mcpu=SUBMODEL" mips64-
- ppc32     -> "-mcpu=SUBMODEL" ppc
- ppc64     -> "-mcpu=SUBMODEL" ppc
-+ppc64le   -> "-mcpu=power7 -mtune=power8" ppc
- sparc32   -> "-mcpu=SUBMODEL -Wa,-xarch=v8plus" sparc32-
- sparc64   -> "-mcpu=v9 -mtune=SUBMODEL"
- x86_32    -> "-march=SUBMODEL -momit-leaf-frame-pointer"
-diff --git a/src/math/mp/mp_asm64/info.txt b/src/math/mp/mp_asm64/info.txt
-index 9af7c4a..2704718 100644
---- a/src/math/mp/mp_asm64/info.txt
-+++ b/src/math/mp/mp_asm64/info.txt
-@@ -12,6 +12,7 @@ alpha
- ia64
- mips64
- ppc64
-+ppc64le
- sparc64
- </arch>
- 
-diff --git a/src/utils/cpuid.cpp b/src/utils/cpuid.cpp
-index f6581f0..eba5b18 100644
---- a/src/utils/cpuid.cpp
-+++ b/src/utils/cpuid.cpp
-@@ -157,6 +157,9 @@ bool altivec_check_pvr_emul()
-    const u16bit PVR_G5_970GX = 0x0045;
-    const u16bit PVR_POWER6   = 0x003E;
-    const u16bit PVR_POWER7   = 0x003F;
-+   const u16bit PVR_POWER7p  = 0x004A;
-+   const u16bit PVR_POWER8   = 0x004D;
-+   const u16bit PVR_POWER8E  = 0x004B;
-    const u16bit PVR_CELL_PPU = 0x0070;
- 
-    // Motorola produced G4s with PVR 0x800[0123C] (at least)
-@@ -177,6 +180,9 @@ bool altivec_check_pvr_emul()
-    altivec_capable |= (pvr == PVR_G5_970GX);
-    altivec_capable |= (pvr == PVR_POWER6);
-    altivec_capable |= (pvr == PVR_POWER7);
-+   altivec_capable |= (pvr == PVR_POWER7p);
-+   altivec_capable |= (pvr == PVR_POWER8);
-+   altivec_capable |= (pvr == PVR_POWER8E);
-    altivec_capable |= (pvr == PVR_CELL_PPU);
- #endif
- 
diff -Nru botan1.10-1.10.16/debian/patches/0003-add-arm64-support.patch.patch botan1.10-1.10.17/debian/patches/0003-add-arm64-support.patch.patch
--- botan1.10-1.10.16/debian/patches/0003-add-arm64-support.patch.patch	2017-05-29 11:45:02.000000000 +0000
+++ botan1.10-1.10.17/debian/patches/0003-add-arm64-support.patch.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,47 +0,0 @@
-From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
-Date: Tue, 29 Nov 2016 15:10:20 +0100
-Subject: add-arm64-support.patch
-
----
- src/build-data/arch/aarch64.txt | 6 ++++++
- src/build-data/cc/gcc.txt       | 1 +
- src/math/mp/mp_asm64/info.txt   | 1 +
- 3 files changed, 8 insertions(+)
- create mode 100644 src/build-data/arch/aarch64.txt
-
-diff --git a/src/build-data/arch/aarch64.txt b/src/build-data/arch/aarch64.txt
-new file mode 100644
-index 0000000..863b000
---- /dev/null
-+++ b/src/build-data/arch/aarch64.txt
-@@ -0,0 +1,6 @@
-+endian little
-+
-+<aliases>
-+arm64 # For Debian
-+</aliases>
-+
-diff --git a/src/build-data/cc/gcc.txt b/src/build-data/cc/gcc.txt
-index 32e19c9..db729b4 100644
---- a/src/build-data/cc/gcc.txt
-+++ b/src/build-data/cc/gcc.txt
-@@ -75,6 +75,7 @@ sh4         -> "-m4 -mieee"
- 
- alpha     -> "-mcpu=SUBMODEL" alpha-
- arm       -> "-march=SUBMODEL"
-+aarch64   -> "-mtune=generic"
- superh    -> "-mSUBMODEL" sh
- hppa      -> "-march=SUBMODEL" hppa
- ia64      -> "-mtune=SUBMODEL"
-diff --git a/src/math/mp/mp_asm64/info.txt b/src/math/mp/mp_asm64/info.txt
-index 2704718..2664740 100644
---- a/src/math/mp/mp_asm64/info.txt
-+++ b/src/math/mp/mp_asm64/info.txt
-@@ -8,6 +8,7 @@ mp_generic:mp_asmi.h
- </header:internal>
- 
- <arch>
-+aarch64
- alpha
- ia64
- mips64
diff -Nru botan1.10-1.10.16/debian/patches/0004-add-or1k-support.patch botan1.10-1.10.17/debian/patches/0004-add-or1k-support.patch
--- botan1.10-1.10.16/debian/patches/0004-add-or1k-support.patch	2017-05-29 11:45:02.000000000 +0000
+++ botan1.10-1.10.17/debian/patches/0004-add-or1k-support.patch	1970-01-01 00:00:00.000000000 +0000
@@ -1,19 +0,0 @@
-From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
-Date: Tue, 29 Nov 2016 15:10:20 +0100
-Subject: add-or1k-support
-
----
- src/build-data/arch/or1k.txt | 4 ++++
- 1 file changed, 4 insertions(+)
- create mode 100644 src/build-data/arch/or1k.txt
-
-diff --git a/src/build-data/arch/or1k.txt b/src/build-data/arch/or1k.txt
-new file mode 100644
-index 0000000..c5fdc32
---- /dev/null
-+++ b/src/build-data/arch/or1k.txt
-@@ -0,0 +1,4 @@
-+endian big
-+<submodels>
-+or1k
-+</submodels>
diff -Nru botan1.10-1.10.16/debian/patches/series botan1.10-1.10.17/debian/patches/series
--- botan1.10-1.10.16/debian/patches/series	2017-05-29 11:45:02.000000000 +0000
+++ botan1.10-1.10.17/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
@@ -1,4 +0,0 @@
-0001-add-mips64-mipsn32-support.patch
-0002-add-powerpc64le-support.patch
-0003-add-arm64-support.patch.patch
-0004-add-or1k-support.patch
diff -Nru botan1.10-1.10.16/doc/log.txt botan1.10-1.10.17/doc/log.txt
--- botan1.10-1.10.16/doc/log.txt	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/doc/log.txt	2017-10-02 06:00:00.000000000 +0000
@@ -7,6 +7,36 @@
 Series 1.10
 ----------------------------------------
 
+Version 1.10.17, 1.10.17
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* Address a side channel affecting modular exponentiation. An attacker
+  capabable of a local or cross-VM cache analysis attack may be able
+  to recover bits of secret exponents as used in RSA, DH, etc.
+  CVE-2017-14737
+
+* Workaround a miscompilation bug in GCC 7 on x86-32 affecting GOST-34.11
+  hash function. (GH #1192 #1148 #882)
+
+* Add SecureVector::data() function which returns the start of the
+  buffer. This makes it slightly simpler to support both 1.10 and 2.x
+  APIs in the same codebase.
+
+* When compiled by a C++11 (or later) compiler, a template typedef of
+  SecureVector, secure_vector, is added. In 2.x this class is a
+  std::vector with a custom allocator, so has a somewhat different
+  interface than SecureVector in 1.10. But this makes it slightly
+  simpler to support both 1.10 and 2.x APIs in the same codebase.
+
+* Fix a bug that prevented `configure.py` from running under Python3
+
+* Botan 1.10.x does not support the OpenSSL 1.1 API. Now the build
+  will `#error` if OpenSSL 1.1 is detected. Avoid `--with-openssl`
+  if compiling against 1.1 or later. (GH #753)
+
+* Import patches from Debian adding basic support for building on
+  aarch64, ppc64le, or1k, and mipsn32 platforms.
+
 Version 1.10.16, 2017-04-04
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
diff -Nru botan1.10-1.10.16/readme.txt botan1.10-1.10.17/readme.txt
--- botan1.10-1.10.16/readme.txt	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/readme.txt	2017-10-02 06:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 
 This branch (1.10) of Botan is only supported for security fixes until
-the end of 2017. Please upgrade to 2.0 API as soon as possible.
+the end of 2017. Please upgrade to 2.x as soon as possible.
 
 
 Botan is a C++ library for performing a wide variety of cryptographic
diff -Nru botan1.10-1.10.16/src/alloc/secmem.h botan1.10-1.10.17/src/alloc/secmem.h
--- botan1.10-1.10.16/src/alloc/secmem.h	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/alloc/secmem.h	2017-10-02 06:00:00.000000000 +0000
@@ -50,6 +50,12 @@
       * Get a pointer to the first element in the buffer.
       * @return pointer to the first element in the buffer
       */
+      T* data() { return buf; }
+
+      /**
+      * Get a pointer to the first element in the buffer.
+      * @return pointer to the first element in the buffer
+      */
       T* begin() { return buf; }
 
       /**
@@ -369,6 +375,13 @@
          }
    };
 
+#if __cplusplus >= 201103
+
+// For better compatability with 2.x API
+  template<typename T>
+  using secure_vector = SecureVector<T>;
+#endif
+
 template<typename T>
 MemoryRegion<T>& operator+=(MemoryRegion<T>& out,
                             const MemoryRegion<T>& in)
diff -Nru botan1.10-1.10.16/src/build-data/arch/aarch64.txt botan1.10-1.10.17/src/build-data/arch/aarch64.txt
--- botan1.10-1.10.16/src/build-data/arch/aarch64.txt	1970-01-01 00:00:00.000000000 +0000
+++ botan1.10-1.10.17/src/build-data/arch/aarch64.txt	2017-10-02 06:00:00.000000000 +0000
@@ -0,0 +1,6 @@
+endian little
+
+<aliases>
+arm64 # For Debian
+</aliases>
+
diff -Nru botan1.10-1.10.16/src/build-data/arch/mipsn32.txt botan1.10-1.10.17/src/build-data/arch/mipsn32.txt
--- botan1.10-1.10.16/src/build-data/arch/mipsn32.txt	1970-01-01 00:00:00.000000000 +0000
+++ botan1.10-1.10.17/src/build-data/arch/mipsn32.txt	2017-10-02 06:00:00.000000000 +0000
@@ -0,0 +1,22 @@
+<aliases>
+mipsn32el # For Debian
+</aliases>
+
+<submodels>
+r4000
+r4100
+r4300
+r4400
+r4600
+r4560
+r5000
+r8000
+r10000
+</submodels>
+
+<submodel_aliases>
+r4k -> r4000
+r5k -> r5000
+r8k -> r8000
+r10k -> r10000
+</submodel_aliases>
diff -Nru botan1.10-1.10.16/src/build-data/arch/or1k.txt botan1.10-1.10.17/src/build-data/arch/or1k.txt
--- botan1.10-1.10.16/src/build-data/arch/or1k.txt	1970-01-01 00:00:00.000000000 +0000
+++ botan1.10-1.10.17/src/build-data/arch/or1k.txt	2017-10-02 06:00:00.000000000 +0000
@@ -0,0 +1,4 @@
+endian big
+<submodels>
+or1k
+</submodels>
diff -Nru botan1.10-1.10.16/src/build-data/arch/ppc64le.txt botan1.10-1.10.17/src/build-data/arch/ppc64le.txt
--- botan1.10-1.10.16/src/build-data/arch/ppc64le.txt	1970-01-01 00:00:00.000000000 +0000
+++ botan1.10-1.10.17/src/build-data/arch/ppc64le.txt	2017-10-02 06:00:00.000000000 +0000
@@ -0,0 +1,21 @@
+endian little
+
+family ppc
+
+<aliases>
+powerpc64le
+ppc64el
+</aliases>
+
+<submodels>
+power7
+power7p
+power8
+power8e
+</submodels>
+
+# This should be enabled for all targets, but the Altivec code currently
+# makes lots of endian assumptions that I don't have the time to fix up:
+#<isa_extn>
+#altivec:all
+#</isa_extn>
diff -Nru botan1.10-1.10.16/src/build-data/arch/ppc64.txt botan1.10-1.10.17/src/build-data/arch/ppc64.txt
--- botan1.10-1.10.16/src/build-data/arch/ppc64.txt	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/build-data/arch/ppc64.txt	2017-10-02 06:00:00.000000000 +0000
@@ -17,6 +17,9 @@
 power5
 power6
 power7
+power7p
+power8
+power8e
 cellppu
 </submodels>
 
@@ -25,5 +28,5 @@
 </submodel_aliases>
 
 <isa_extn>
-altivec:cellppu,ppc970,power6,power7
+altivec:cellppu,ppc970,power6,power7,power7p,power8,power8e
 </isa_extn>
diff -Nru botan1.10-1.10.16/src/build-data/cc/clang.txt botan1.10-1.10.17/src/build-data/cc/clang.txt
--- botan1.10-1.10.16/src/build-data/cc/clang.txt	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/build-data/cc/clang.txt	2017-10-02 06:00:00.000000000 +0000
@@ -39,6 +39,8 @@
 
 <mach_abi_linking>
 x86_64  -> "-m64"
+mips32  -> "-mabi=32"
+mipsn32  -> "-mabi=n32"
 mips64  -> "-mabi=64"
 s390    -> "-m31"
 s390x   -> "-m64"
diff -Nru botan1.10-1.10.16/src/build-data/cc/gcc.txt botan1.10-1.10.17/src/build-data/cc/gcc.txt
--- botan1.10-1.10.16/src/build-data/cc/gcc.txt	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/build-data/cc/gcc.txt	2017-10-02 06:00:00.000000000 +0000
@@ -75,14 +75,17 @@
 
 alpha     -> "-mcpu=SUBMODEL" alpha-
 arm       -> "-march=SUBMODEL"
+aarch64   -> "-mtune=generic"
 superh    -> "-mSUBMODEL" sh
 hppa      -> "-march=SUBMODEL" hppa
 ia64      -> "-mtune=SUBMODEL"
 m68k      -> "-mSUBMODEL"
 mips32    -> "-mips1 -mcpu=SUBMODEL" mips32-
+mipsn32    -> "-mips3 -mcpu=SUBMODEL" mips64-
 mips64    -> "-mips3 -mcpu=SUBMODEL" mips64-
 ppc32     -> "-mcpu=SUBMODEL" ppc
 ppc64     -> "-mcpu=SUBMODEL" ppc
+ppc64le   -> "-mcpu=power7 -mtune=power8" ppc
 sparc32   -> "-mcpu=SUBMODEL -Wa,-xarch=v8plus" sparc32-
 sparc64   -> "-mcpu=v9 -mtune=SUBMODEL"
 x86_32    -> "-march=SUBMODEL -momit-leaf-frame-pointer"
@@ -98,6 +101,7 @@
 sparc32 -> "-m32 -mno-app-regs"
 sparc64 -> "-m64 -mno-app-regs"
 ppc64   -> "-m64"
+ppc64le -> "-m64"
 
 # This should probably be used on most/all targets, but the docs are unclear
 openbsd   -> "-pthread"
diff -Nru botan1.10-1.10.16/src/engine/openssl/ossl_bc.cpp botan1.10-1.10.17/src/engine/openssl/ossl_bc.cpp
--- botan1.10-1.10.16/src/engine/openssl/ossl_bc.cpp	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/engine/openssl/ossl_bc.cpp	2017-10-02 06:00:00.000000000 +0000
@@ -8,6 +8,10 @@
 #include <botan/internal/openssl_engine.h>
 #include <openssl/evp.h>
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+  #error "OpenSSL 1.1 API not supported in Botan 1.10, upgrade to 2.x"
+#endif
+
 namespace Botan {
 
 namespace {
diff -Nru botan1.10-1.10.16/src/engine/openssl/ossl_md.cpp botan1.10-1.10.17/src/engine/openssl/ossl_md.cpp
--- botan1.10-1.10.16/src/engine/openssl/ossl_md.cpp	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/engine/openssl/ossl_md.cpp	2017-10-02 06:00:00.000000000 +0000
@@ -8,6 +8,10 @@
 #include <botan/internal/openssl_engine.h>
 #include <openssl/evp.h>
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+  #error "OpenSSL 1.1 API not supported in Botan 1.10, upgrade to 2.x"
+#endif
+
 namespace Botan {
 
 namespace {
diff -Nru botan1.10-1.10.16/src/hash/gost_3411/gost_3411.cpp botan1.10-1.10.17/src/hash/gost_3411/gost_3411.cpp
--- botan1.10-1.10.16/src/hash/gost_3411/gost_3411.cpp	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/hash/gost_3411/gost_3411.cpp	2017-10-02 06:00:00.000000000 +0000
@@ -90,8 +90,11 @@
 
          // P transformation
          for(size_t k = 0; k != 4; ++k)
+            {
+            const uint64_t UVk = U[k] ^ V[k];
             for(size_t l = 0; l != 8; ++l)
-               key[4*l+k] = get_byte(l, U[k]) ^ get_byte(l, V[k]);
+               key[4*l+k] = get_byte(l, UVk);
+            }
 
          cipher.set_key(key, 32);
          cipher.encrypt(&hash[8*j], S + 8*j);
diff -Nru botan1.10-1.10.16/src/math/bigint/bigint.cpp botan1.10-1.10.17/src/math/bigint/bigint.cpp
--- botan1.10-1.10.16/src/math/bigint/bigint.cpp	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/math/bigint/bigint.cpp	2017-10-02 06:00:00.000000000 +0000
@@ -10,6 +10,7 @@
 #include <botan/get_byte.h>
 #include <botan/parsing.h>
 #include <botan/internal/rounding.h>
+#include <botan/internal/ct_utils.h>
 
 namespace Botan {
 
@@ -373,4 +374,25 @@
    binary_decode(buf, buf.size());
    }
 
+void BigInt::shrink_to_fit()
+   {
+   reg.resize(sig_words());
+   }
+
+void BigInt::const_time_lookup(SecureVector<word>& output,
+                               const std::vector<BigInt>& vec,
+                               size_t idx)
+   {
+   const size_t words = output.size();
+
+   clear_mem(output.data(), output.size());
+
+   for(size_t i = 0; i != vec.size(); ++i)
+      {
+      for(size_t w = 0; w != words; ++w)
+         output[w] |= CT::select<word>(CT::is_equal(i, idx), vec[i].word_at(w), 0);
+      }
+   }
+
+
 }
diff -Nru botan1.10-1.10.16/src/math/bigint/bigint.h botan1.10-1.10.17/src/math/bigint/bigint.h
--- botan1.10-1.10.16/src/math/bigint/bigint.h	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/math/bigint/bigint.h	2017-10-02 06:00:00.000000000 +0000
@@ -500,6 +500,12 @@
      */
      BigInt(NumberType type, size_t n);
 
+     void shrink_to_fit();
+
+     static void const_time_lookup(SecureVector<word>& output,
+                                   const std::vector<BigInt>& vec,
+                                   size_t idx);
+
    private:
       SecureVector<word> reg;
       Sign signedness;
diff -Nru botan1.10-1.10.16/src/math/mp/mp_asm64/info.txt botan1.10-1.10.17/src/math/mp/mp_asm64/info.txt
--- botan1.10-1.10.16/src/math/mp/mp_asm64/info.txt	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/math/mp/mp_asm64/info.txt	2017-10-02 06:00:00.000000000 +0000
@@ -8,10 +8,12 @@
 </header:internal>
 
 <arch>
+aarch64
 alpha
 ia64
 mips64
 ppc64
+ppc64le
 sparc64
 </arch>
 
diff -Nru botan1.10-1.10.16/src/math/numbertheory/powm_mnt.cpp botan1.10-1.10.17/src/math/numbertheory/powm_mnt.cpp
--- botan1.10-1.10.16/src/math/numbertheory/powm_mnt.cpp	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/math/numbertheory/powm_mnt.cpp	2017-10-02 06:00:00.000000000 +0000
@@ -68,6 +68,7 @@
                        &workspace[0]);
 
       g[i].assign(&z[0], mod_words + 1);
+      g[i].grow_to(mod_words);
       }
    }
 
@@ -81,6 +82,7 @@
    BigInt x = R_mod;
    SecureVector<word> z(2 * (mod_words + 1));
    SecureVector<word> workspace(2 * (mod_words + 1));
+   SecureVector<word> e(mod_words);
 
    for(size_t i = exp_nibbles; i > 0; --i)
       {
@@ -98,12 +100,13 @@
 
       const u32bit nibble = exp.get_substring(window_bits*(i-1), window_bits);
 
-      const BigInt& y = g[nibble];
-
       zeroise(z);
+
+      BigInt::const_time_lookup(e, g, nibble);
+
       bigint_monty_mul(&z[0], z.size(),
                        x.data(), x.size(), x.sig_words(),
-                       y.data(), y.size(), y.sig_words(),
+                       e.data(), e.size(), e.size(),
                        modulus.data(), mod_words, mod_prime,
                        &workspace[0]);
 
diff -Nru botan1.10-1.10.16/src/utils/cpuid.cpp botan1.10-1.10.17/src/utils/cpuid.cpp
--- botan1.10-1.10.16/src/utils/cpuid.cpp	2017-04-05 01:06:45.000000000 +0000
+++ botan1.10-1.10.17/src/utils/cpuid.cpp	2017-10-02 06:00:00.000000000 +0000
@@ -157,6 +157,9 @@
    const u16bit PVR_G5_970GX = 0x0045;
    const u16bit PVR_POWER6   = 0x003E;
    const u16bit PVR_POWER7   = 0x003F;
+   const u16bit PVR_POWER7p  = 0x004A;
+   const u16bit PVR_POWER8   = 0x004D;
+   const u16bit PVR_POWER8E  = 0x004B;
    const u16bit PVR_CELL_PPU = 0x0070;
 
    // Motorola produced G4s with PVR 0x800[0123C] (at least)
@@ -177,6 +180,9 @@
    altivec_capable |= (pvr == PVR_G5_970GX);
    altivec_capable |= (pvr == PVR_POWER6);
    altivec_capable |= (pvr == PVR_POWER7);
+   altivec_capable |= (pvr == PVR_POWER7p);
+   altivec_capable |= (pvr == PVR_POWER8);
+   altivec_capable |= (pvr == PVR_POWER8E);
    altivec_capable |= (pvr == PVR_CELL_PPU);
 #endif
 

Message #23 received at 877436@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>

To: Christian Hofstaedtler <zeha@debian.org>, 877436@bugs.debian.org

Subject: Re: Bug#877436: botan1.10: diff for NMU version 1.10.17-0.1

Date: Mon, 9 Oct 2017 13:28:23 +0200

[Message part 1 (text/plain, inline)]

No, please go ahead an upload directly.

Thanks for the NMU.

Ondrej

On 9 October 2017 at 11:33, <zeha@debian.org> wrote:

> Control: tags 877436 + pending
>
> Dear Ondřej,
>
> I've prepared an NMU for botan1.10 (versioned as 1.10.17-0.1) and
> will upload it to DELAYED/4. Please feel free to tell me if I
> should delay it longer.
>
> Cheers,
> Chris
>
>
> diff -Nru botan1.10-1.10.16/botan_version.py botan1.10-1.10.17/botan_
> version.py
> --- botan1.10-1.10.16/botan_version.py  2017-04-05 01:07:02.000000000
> +0000
> +++ botan1.10-1.10.17/botan_version.py  2017-10-02 06:00:00.000000000
> +0000
> @@ -1,11 +1,11 @@
>
>  release_major = 1
>  release_minor = 10
> -release_patch = 16
> +release_patch = 17
>
>  release_so_abi_rev = 1
>
>  # These are set by the distribution script
> -release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e'
> -release_datestamp = 20170404
> -release_type = 'released'
> +release_vc_rev = 'git:f7fe6beb5b3b6f944aa7bac491a3455e48ef6ebb'
> +release_datestamp = 20171002
> +release_type = 'release'
> diff -Nru botan1.10-1.10.16/configure.py botan1.10-1.10.17/configure.py
> --- botan1.10-1.10.16/configure.py      2017-04-05 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/configure.py      2017-10-02 06:00:00.000000000 +0000
> @@ -59,9 +59,6 @@
>          logging.debug('Monotone reported revision %s' % (rev))
>
>          return 'mtn:' + rev
> -    except OSError as e:
> -        logging.debug('Error getting rev from monotone - %s' % (e[1]))
> -        return 'unknown'
>      except Exception as e:
>          logging.debug('Error getting rev from monotone - %s' % (e))
>          return 'unknown'
> diff -Nru botan1.10-1.10.16/debian/changelog botan1.10-1.10.17/debian/
> changelog
> --- botan1.10-1.10.16/debian/changelog  2017-05-29 11:45:02.000000000
> +0000
> +++ botan1.10-1.10.17/debian/changelog  2017-10-09 09:19:15.000000000
> +0000
> @@ -1,3 +1,13 @@
> +botan1.10 (1.10.17-0.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * New upstream release 1.10.17 (Closes: #877436)
> +    + [CVE-2017-14737]: Side channel affecting modular exponentiation
> +    + Upstream has imported Debian architecture support patches, removed
> +      them.
> +
> + -- Christian Hofstaedtler <zeha@debian.org>  Mon, 09 Oct 2017 09:19:15
> +0000
> +
>  botan1.10 (1.10.16-1) unstable; urgency=high
>
>    * Update d/watch to match new upstream download directory
> diff -Nru botan1.10-1.10.16/debian/patches/0001-add-mips64-mipsn32-support.patch
> botan1.10-1.10.17/debian/patches/0001-add-mips64-mipsn32-support.patch
> --- botan1.10-1.10.16/debian/patches/0001-add-mips64-mipsn32-support.patch
>     2017-05-29 11:45:02.000000000 +0000
> +++ botan1.10-1.10.17/debian/patches/0001-add-mips64-mipsn32-support.patch
>     1970-01-01 00:00:00.000000000 +0000
> @@ -1,64 +0,0 @@
> -From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
> -Date: Tue, 29 Nov 2016 15:10:20 +0100
> -Subject: add-mips64-mipsn32-support
> -
> ----
> - src/build-data/arch/mipsn32.txt | 22 ++++++++++++++++++++++
> - src/build-data/cc/clang.txt     |  2 ++
> - src/build-data/cc/gcc.txt       |  1 +
> - 3 files changed, 25 insertions(+)
> - create mode 100644 src/build-data/arch/mipsn32.txt
> -
> -diff --git a/src/build-data/arch/mipsn32.txt
> b/src/build-data/arch/mipsn32.txt
> -new file mode 100644
> -index 0000000..96ced25
> ---- /dev/null
> -+++ b/src/build-data/arch/mipsn32.txt
> -@@ -0,0 +1,22 @@
> -+<aliases>
> -+mipsn32el # For Debian
> -+</aliases>
> -+
> -+<submodels>
> -+r4000
> -+r4100
> -+r4300
> -+r4400
> -+r4600
> -+r4560
> -+r5000
> -+r8000
> -+r10000
> -+</submodels>
> -+
> -+<submodel_aliases>
> -+r4k -> r4000
> -+r5k -> r5000
> -+r8k -> r8000
> -+r10k -> r10000
> -+</submodel_aliases>
> -diff --git a/src/build-data/cc/clang.txt b/src/build-data/cc/clang.txt
> -index cbcfd89..23237e3 100644
> ---- a/src/build-data/cc/clang.txt
> -+++ b/src/build-data/cc/clang.txt
> -@@ -39,6 +39,8 @@ westmere  -> "-march=corei7 -maes"
> -
> - <mach_abi_linking>
> - x86_64  -> "-m64"
> -+mips32  -> "-mabi=32"
> -+mipsn32  -> "-mabi=n32"
> - mips64  -> "-mabi=64"
> - s390    -> "-m31"
> - s390x   -> "-m64"
> -diff --git a/src/build-data/cc/gcc.txt b/src/build-data/cc/gcc.txt
> -index 1fc6831..938c065 100644
> ---- a/src/build-data/cc/gcc.txt
> -+++ b/src/build-data/cc/gcc.txt
> -@@ -80,6 +80,7 @@ hppa      -> "-march=SUBMODEL" hppa
> - ia64      -> "-mtune=SUBMODEL"
> - m68k      -> "-mSUBMODEL"
> - mips32    -> "-mips1 -mcpu=SUBMODEL" mips32-
> -+mipsn32    -> "-mips3 -mcpu=SUBMODEL" mips64-
> - mips64    -> "-mips3 -mcpu=SUBMODEL" mips64-
> - ppc32     -> "-mcpu=SUBMODEL" ppc
> - ppc64     -> "-mcpu=SUBMODEL" ppc
> diff -Nru botan1.10-1.10.16/debian/patches/0002-add-powerpc64le-support.patch
> botan1.10-1.10.17/debian/patches/0002-add-powerpc64le-support.patch
> --- botan1.10-1.10.16/debian/patches/0002-add-powerpc64le-support.patch
> 2017-05-29 11:45:02.000000000 +0000
> +++ botan1.10-1.10.17/debian/patches/0002-add-powerpc64le-support.patch
> 1970-01-01 00:00:00.000000000 +0000
> @@ -1,109 +0,0 @@
> -From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
> -Date: Tue, 29 Nov 2016 15:10:20 +0100
> -Subject: add-powerpc64le-support
> -
> ----
> - src/build-data/arch/ppc64.txt   |  5 ++++-
> - src/build-data/arch/ppc64le.txt | 21 +++++++++++++++++++++
> - src/build-data/cc/gcc.txt       |  1 +
> - src/math/mp/mp_asm64/info.txt   |  1 +
> - src/utils/cpuid.cpp             |  6 ++++++
> - 5 files changed, 33 insertions(+), 1 deletion(-)
> - create mode 100644 src/build-data/arch/ppc64le.txt
> -
> -diff --git a/src/build-data/arch/ppc64.txt b/src/build-data/arch/ppc64.
> txt
> -index 954d918..f6f568e 100644
> ---- a/src/build-data/arch/ppc64.txt
> -+++ b/src/build-data/arch/ppc64.txt
> -@@ -17,6 +17,9 @@ power4
> - power5
> - power6
> - power7
> -+power7p
> -+power8
> -+power8e
> - cellppu
> - </submodels>
> -
> -@@ -25,5 +28,5 @@ cellbroadbandengine -> cellppu
> - </submodel_aliases>
> -
> - <isa_extn>
> --altivec:cellppu,ppc970,power6,power7
> -+altivec:cellppu,ppc970,power6,power7,power7p,power8,power8e
> - </isa_extn>
> -diff --git a/src/build-data/arch/ppc64le.txt
> b/src/build-data/arch/ppc64le.txt
> -new file mode 100644
> -index 0000000..da93668
> ---- /dev/null
> -+++ b/src/build-data/arch/ppc64le.txt
> -@@ -0,0 +1,21 @@
> -+endian little
> -+
> -+family ppc
> -+
> -+<aliases>
> -+powerpc64le
> -+ppc64el
> -+</aliases>
> -+
> -+<submodels>
> -+power7
> -+power7p
> -+power8
> -+power8e
> -+</submodels>
> -+
> -+# This should be enabled for all targets, but the Altivec code currently
> -+# makes lots of endian assumptions that I don't have the time to fix up:
> -+#<isa_extn>
> -+#altivec:all
> -+#</isa_extn>
> -diff --git a/src/build-data/cc/gcc.txt b/src/build-data/cc/gcc.txt
> -index 938c065..32e19c9 100644
> ---- a/src/build-data/cc/gcc.txt
> -+++ b/src/build-data/cc/gcc.txt
> -@@ -84,6 +84,7 @@ mipsn32    -> "-mips3 -mcpu=SUBMODEL" mips64-
> - mips64    -> "-mips3 -mcpu=SUBMODEL" mips64-
> - ppc32     -> "-mcpu=SUBMODEL" ppc
> - ppc64     -> "-mcpu=SUBMODEL" ppc
> -+ppc64le   -> "-mcpu=power7 -mtune=power8" ppc
> - sparc32   -> "-mcpu=SUBMODEL -Wa,-xarch=v8plus" sparc32-
> - sparc64   -> "-mcpu=v9 -mtune=SUBMODEL"
> - x86_32    -> "-march=SUBMODEL -momit-leaf-frame-pointer"
> -diff --git a/src/math/mp/mp_asm64/info.txt b/src/math/mp/mp_asm64/info.
> txt
> -index 9af7c4a..2704718 100644
> ---- a/src/math/mp/mp_asm64/info.txt
> -+++ b/src/math/mp/mp_asm64/info.txt
> -@@ -12,6 +12,7 @@ alpha
> - ia64
> - mips64
> - ppc64
> -+ppc64le
> - sparc64
> - </arch>
> -
> -diff --git a/src/utils/cpuid.cpp b/src/utils/cpuid.cpp
> -index f6581f0..eba5b18 100644
> ---- a/src/utils/cpuid.cpp
> -+++ b/src/utils/cpuid.cpp
> -@@ -157,6 +157,9 @@ bool altivec_check_pvr_emul()
> -    const u16bit PVR_G5_970GX = 0x0045;
> -    const u16bit PVR_POWER6   = 0x003E;
> -    const u16bit PVR_POWER7   = 0x003F;
> -+   const u16bit PVR_POWER7p  = 0x004A;
> -+   const u16bit PVR_POWER8   = 0x004D;
> -+   const u16bit PVR_POWER8E  = 0x004B;
> -    const u16bit PVR_CELL_PPU = 0x0070;
> -
> -    // Motorola produced G4s with PVR 0x800[0123C] (at least)
> -@@ -177,6 +180,9 @@ bool altivec_check_pvr_emul()
> -    altivec_capable |= (pvr == PVR_G5_970GX);
> -    altivec_capable |= (pvr == PVR_POWER6);
> -    altivec_capable |= (pvr == PVR_POWER7);
> -+   altivec_capable |= (pvr == PVR_POWER7p);
> -+   altivec_capable |= (pvr == PVR_POWER8);
> -+   altivec_capable |= (pvr == PVR_POWER8E);
> -    altivec_capable |= (pvr == PVR_CELL_PPU);
> - #endif
> -
> diff -Nru botan1.10-1.10.16/debian/patches/0003-add-arm64-support.patch.patch
> botan1.10-1.10.17/debian/patches/0003-add-arm64-support.patch.patch
> --- botan1.10-1.10.16/debian/patches/0003-add-arm64-support.patch.patch
> 2017-05-29 11:45:02.000000000 +0000
> +++ botan1.10-1.10.17/debian/patches/0003-add-arm64-support.patch.patch
> 1970-01-01 00:00:00.000000000 +0000
> @@ -1,47 +0,0 @@
> -From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
> -Date: Tue, 29 Nov 2016 15:10:20 +0100
> -Subject: add-arm64-support.patch
> -
> ----
> - src/build-data/arch/aarch64.txt | 6 ++++++
> - src/build-data/cc/gcc.txt       | 1 +
> - src/math/mp/mp_asm64/info.txt   | 1 +
> - 3 files changed, 8 insertions(+)
> - create mode 100644 src/build-data/arch/aarch64.txt
> -
> -diff --git a/src/build-data/arch/aarch64.txt
> b/src/build-data/arch/aarch64.txt
> -new file mode 100644
> -index 0000000..863b000
> ---- /dev/null
> -+++ b/src/build-data/arch/aarch64.txt
> -@@ -0,0 +1,6 @@
> -+endian little
> -+
> -+<aliases>
> -+arm64 # For Debian
> -+</aliases>
> -+
> -diff --git a/src/build-data/cc/gcc.txt b/src/build-data/cc/gcc.txt
> -index 32e19c9..db729b4 100644
> ---- a/src/build-data/cc/gcc.txt
> -+++ b/src/build-data/cc/gcc.txt
> -@@ -75,6 +75,7 @@ sh4         -> "-m4 -mieee"
> -
> - alpha     -> "-mcpu=SUBMODEL" alpha-
> - arm       -> "-march=SUBMODEL"
> -+aarch64   -> "-mtune=generic"
> - superh    -> "-mSUBMODEL" sh
> - hppa      -> "-march=SUBMODEL" hppa
> - ia64      -> "-mtune=SUBMODEL"
> -diff --git a/src/math/mp/mp_asm64/info.txt b/src/math/mp/mp_asm64/info.
> txt
> -index 2704718..2664740 100644
> ---- a/src/math/mp/mp_asm64/info.txt
> -+++ b/src/math/mp/mp_asm64/info.txt
> -@@ -8,6 +8,7 @@ mp_generic:mp_asmi.h
> - </header:internal>
> -
> - <arch>
> -+aarch64
> - alpha
> - ia64
> - mips64
> diff -Nru botan1.10-1.10.16/debian/patches/0004-add-or1k-support.patch
> botan1.10-1.10.17/debian/patches/0004-add-or1k-support.patch
> --- botan1.10-1.10.16/debian/patches/0004-add-or1k-support.patch
> 2017-05-29 11:45:02.000000000 +0000
> +++ botan1.10-1.10.17/debian/patches/0004-add-or1k-support.patch
> 1970-01-01 00:00:00.000000000 +0000
> @@ -1,19 +0,0 @@
> -From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@debian.org>
> -Date: Tue, 29 Nov 2016 15:10:20 +0100
> -Subject: add-or1k-support
> -
> ----
> - src/build-data/arch/or1k.txt | 4 ++++
> - 1 file changed, 4 insertions(+)
> - create mode 100644 src/build-data/arch/or1k.txt
> -
> -diff --git a/src/build-data/arch/or1k.txt b/src/build-data/arch/or1k.txt
> -new file mode 100644
> -index 0000000..c5fdc32
> ---- /dev/null
> -+++ b/src/build-data/arch/or1k.txt
> -@@ -0,0 +1,4 @@
> -+endian big
> -+<submodels>
> -+or1k
> -+</submodels>
> diff -Nru botan1.10-1.10.16/debian/patches/series
> botan1.10-1.10.17/debian/patches/series
> --- botan1.10-1.10.16/debian/patches/series     2017-05-29
> 11:45:02.000000000 +0000
> +++ botan1.10-1.10.17/debian/patches/series     1970-01-01
> 00:00:00.000000000 +0000
> @@ -1,4 +0,0 @@
> -0001-add-mips64-mipsn32-support.patch
> -0002-add-powerpc64le-support.patch
> -0003-add-arm64-support.patch.patch
> -0004-add-or1k-support.patch
> diff -Nru botan1.10-1.10.16/doc/log.txt botan1.10-1.10.17/doc/log.txt
> --- botan1.10-1.10.16/doc/log.txt       2017-04-05 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/doc/log.txt       2017-10-02 06:00:00.000000000 +0000
> @@ -7,6 +7,36 @@
>  Series 1.10
>  ----------------------------------------
>
> +Version 1.10.17, 1.10.17
> +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> +
> +* Address a side channel affecting modular exponentiation. An attacker
> +  capabable of a local or cross-VM cache analysis attack may be able
> +  to recover bits of secret exponents as used in RSA, DH, etc.
> +  CVE-2017-14737
> +
> +* Workaround a miscompilation bug in GCC 7 on x86-32 affecting GOST-34.11
> +  hash function. (GH #1192 #1148 #882)
> +
> +* Add SecureVector::data() function which returns the start of the
> +  buffer. This makes it slightly simpler to support both 1.10 and 2.x
> +  APIs in the same codebase.
> +
> +* When compiled by a C++11 (or later) compiler, a template typedef of
> +  SecureVector, secure_vector, is added. In 2.x this class is a
> +  std::vector with a custom allocator, so has a somewhat different
> +  interface than SecureVector in 1.10. But this makes it slightly
> +  simpler to support both 1.10 and 2.x APIs in the same codebase.
> +
> +* Fix a bug that prevented `configure.py` from running under Python3
> +
> +* Botan 1.10.x does not support the OpenSSL 1.1 API. Now the build
> +  will `#error` if OpenSSL 1.1 is detected. Avoid `--with-openssl`
> +  if compiling against 1.1 or later. (GH #753)
> +
> +* Import patches from Debian adding basic support for building on
> +  aarch64, ppc64le, or1k, and mipsn32 platforms.
> +
>  Version 1.10.16, 2017-04-04
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> diff -Nru botan1.10-1.10.16/readme.txt botan1.10-1.10.17/readme.txt
> --- botan1.10-1.10.16/readme.txt        2017-04-05 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/readme.txt        2017-10-02 06:00:00.000000000 +0000
> @@ -1,6 +1,6 @@
>
>  This branch (1.10) of Botan is only supported for security fixes until
> -the end of 2017. Please upgrade to 2.0 API as soon as possible.
> +the end of 2017. Please upgrade to 2.x as soon as possible.
>
>
>  Botan is a C++ library for performing a wide variety of cryptographic
> diff -Nru botan1.10-1.10.16/src/alloc/secmem.h
> botan1.10-1.10.17/src/alloc/secmem.h
> --- botan1.10-1.10.16/src/alloc/secmem.h        2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/alloc/secmem.h        2017-10-02
> 06:00:00.000000000 +0000
> @@ -50,6 +50,12 @@
>        * Get a pointer to the first element in the buffer.
>        * @return pointer to the first element in the buffer
>        */
> +      T* data() { return buf; }
> +
> +      /**
> +      * Get a pointer to the first element in the buffer.
> +      * @return pointer to the first element in the buffer
> +      */
>        T* begin() { return buf; }
>
>        /**
> @@ -369,6 +375,13 @@
>           }
>     };
>
> +#if __cplusplus >= 201103
> +
> +// For better compatability with 2.x API
> +  template<typename T>
> +  using secure_vector = SecureVector<T>;
> +#endif
> +
>  template<typename T>
>  MemoryRegion<T>& operator+=(MemoryRegion<T>& out,
>                              const MemoryRegion<T>& in)
> diff -Nru botan1.10-1.10.16/src/build-data/arch/aarch64.txt
> botan1.10-1.10.17/src/build-data/arch/aarch64.txt
> --- botan1.10-1.10.16/src/build-data/arch/aarch64.txt   1970-01-01
> 00:00:00.000000000 +0000
> +++ botan1.10-1.10.17/src/build-data/arch/aarch64.txt   2017-10-02
> 06:00:00.000000000 +0000
> @@ -0,0 +1,6 @@
> +endian little
> +
> +<aliases>
> +arm64 # For Debian
> +</aliases>
> +
> diff -Nru botan1.10-1.10.16/src/build-data/arch/mipsn32.txt
> botan1.10-1.10.17/src/build-data/arch/mipsn32.txt
> --- botan1.10-1.10.16/src/build-data/arch/mipsn32.txt   1970-01-01
> 00:00:00.000000000 +0000
> +++ botan1.10-1.10.17/src/build-data/arch/mipsn32.txt   2017-10-02
> 06:00:00.000000000 +0000
> @@ -0,0 +1,22 @@
> +<aliases>
> +mipsn32el # For Debian
> +</aliases>
> +
> +<submodels>
> +r4000
> +r4100
> +r4300
> +r4400
> +r4600
> +r4560
> +r5000
> +r8000
> +r10000
> +</submodels>
> +
> +<submodel_aliases>
> +r4k -> r4000
> +r5k -> r5000
> +r8k -> r8000
> +r10k -> r10000
> +</submodel_aliases>
> diff -Nru botan1.10-1.10.16/src/build-data/arch/or1k.txt
> botan1.10-1.10.17/src/build-data/arch/or1k.txt
> --- botan1.10-1.10.16/src/build-data/arch/or1k.txt      1970-01-01
> 00:00:00.000000000 +0000
> +++ botan1.10-1.10.17/src/build-data/arch/or1k.txt      2017-10-02
> 06:00:00.000000000 +0000
> @@ -0,0 +1,4 @@
> +endian big
> +<submodels>
> +or1k
> +</submodels>
> diff -Nru botan1.10-1.10.16/src/build-data/arch/ppc64le.txt
> botan1.10-1.10.17/src/build-data/arch/ppc64le.txt
> --- botan1.10-1.10.16/src/build-data/arch/ppc64le.txt   1970-01-01
> 00:00:00.000000000 +0000
> +++ botan1.10-1.10.17/src/build-data/arch/ppc64le.txt   2017-10-02
> 06:00:00.000000000 +0000
> @@ -0,0 +1,21 @@
> +endian little
> +
> +family ppc
> +
> +<aliases>
> +powerpc64le
> +ppc64el
> +</aliases>
> +
> +<submodels>
> +power7
> +power7p
> +power8
> +power8e
> +</submodels>
> +
> +# This should be enabled for all targets, but the Altivec code currently
> +# makes lots of endian assumptions that I don't have the time to fix up:
> +#<isa_extn>
> +#altivec:all
> +#</isa_extn>
> diff -Nru botan1.10-1.10.16/src/build-data/arch/ppc64.txt
> botan1.10-1.10.17/src/build-data/arch/ppc64.txt
> --- botan1.10-1.10.16/src/build-data/arch/ppc64.txt     2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/build-data/arch/ppc64.txt     2017-10-02
> 06:00:00.000000000 +0000
> @@ -17,6 +17,9 @@
>  power5
>  power6
>  power7
> +power7p
> +power8
> +power8e
>  cellppu
>  </submodels>
>
> @@ -25,5 +28,5 @@
>  </submodel_aliases>
>
>  <isa_extn>
> -altivec:cellppu,ppc970,power6,power7
> +altivec:cellppu,ppc970,power6,power7,power7p,power8,power8e
>  </isa_extn>
> diff -Nru botan1.10-1.10.16/src/build-data/cc/clang.txt
> botan1.10-1.10.17/src/build-data/cc/clang.txt
> --- botan1.10-1.10.16/src/build-data/cc/clang.txt       2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/build-data/cc/clang.txt       2017-10-02
> 06:00:00.000000000 +0000
> @@ -39,6 +39,8 @@
>
>  <mach_abi_linking>
>  x86_64  -> "-m64"
> +mips32  -> "-mabi=32"
> +mipsn32  -> "-mabi=n32"
>  mips64  -> "-mabi=64"
>  s390    -> "-m31"
>  s390x   -> "-m64"
> diff -Nru botan1.10-1.10.16/src/build-data/cc/gcc.txt
> botan1.10-1.10.17/src/build-data/cc/gcc.txt
> --- botan1.10-1.10.16/src/build-data/cc/gcc.txt 2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/build-data/cc/gcc.txt 2017-10-02
> 06:00:00.000000000 +0000
> @@ -75,14 +75,17 @@
>
>  alpha     -> "-mcpu=SUBMODEL" alpha-
>  arm       -> "-march=SUBMODEL"
> +aarch64   -> "-mtune=generic"
>  superh    -> "-mSUBMODEL" sh
>  hppa      -> "-march=SUBMODEL" hppa
>  ia64      -> "-mtune=SUBMODEL"
>  m68k      -> "-mSUBMODEL"
>  mips32    -> "-mips1 -mcpu=SUBMODEL" mips32-
> +mipsn32    -> "-mips3 -mcpu=SUBMODEL" mips64-
>  mips64    -> "-mips3 -mcpu=SUBMODEL" mips64-
>  ppc32     -> "-mcpu=SUBMODEL" ppc
>  ppc64     -> "-mcpu=SUBMODEL" ppc
> +ppc64le   -> "-mcpu=power7 -mtune=power8" ppc
>  sparc32   -> "-mcpu=SUBMODEL -Wa,-xarch=v8plus" sparc32-
>  sparc64   -> "-mcpu=v9 -mtune=SUBMODEL"
>  x86_32    -> "-march=SUBMODEL -momit-leaf-frame-pointer"
> @@ -98,6 +101,7 @@
>  sparc32 -> "-m32 -mno-app-regs"
>  sparc64 -> "-m64 -mno-app-regs"
>  ppc64   -> "-m64"
> +ppc64le -> "-m64"
>
>  # This should probably be used on most/all targets, but the docs are
> unclear
>  openbsd   -> "-pthread"
> diff -Nru botan1.10-1.10.16/src/engine/openssl/ossl_bc.cpp
> botan1.10-1.10.17/src/engine/openssl/ossl_bc.cpp
> --- botan1.10-1.10.16/src/engine/openssl/ossl_bc.cpp    2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/engine/openssl/ossl_bc.cpp    2017-10-02
> 06:00:00.000000000 +0000
> @@ -8,6 +8,10 @@
>  #include <botan/internal/openssl_engine.h>
>  #include <openssl/evp.h>
>
> +#if OPENSSL_VERSION_NUMBER >= 0x10100000
> +  #error "OpenSSL 1.1 API not supported in Botan 1.10, upgrade to 2.x"
> +#endif
> +
>  namespace Botan {
>
>  namespace {
> diff -Nru botan1.10-1.10.16/src/engine/openssl/ossl_md.cpp
> botan1.10-1.10.17/src/engine/openssl/ossl_md.cpp
> --- botan1.10-1.10.16/src/engine/openssl/ossl_md.cpp    2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/engine/openssl/ossl_md.cpp    2017-10-02
> 06:00:00.000000000 +0000
> @@ -8,6 +8,10 @@
>  #include <botan/internal/openssl_engine.h>
>  #include <openssl/evp.h>
>
> +#if OPENSSL_VERSION_NUMBER >= 0x10100000
> +  #error "OpenSSL 1.1 API not supported in Botan 1.10, upgrade to 2.x"
> +#endif
> +
>  namespace Botan {
>
>  namespace {
> diff -Nru botan1.10-1.10.16/src/hash/gost_3411/gost_3411.cpp
> botan1.10-1.10.17/src/hash/gost_3411/gost_3411.cpp
> --- botan1.10-1.10.16/src/hash/gost_3411/gost_3411.cpp  2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/hash/gost_3411/gost_3411.cpp  2017-10-02
> 06:00:00.000000000 +0000
> @@ -90,8 +90,11 @@
>
>           // P transformation
>           for(size_t k = 0; k != 4; ++k)
> +            {
> +            const uint64_t UVk = U[k] ^ V[k];
>              for(size_t l = 0; l != 8; ++l)
> -               key[4*l+k] = get_byte(l, U[k]) ^ get_byte(l, V[k]);
> +               key[4*l+k] = get_byte(l, UVk);
> +            }
>
>           cipher.set_key(key, 32);
>           cipher.encrypt(&hash[8*j], S + 8*j);
> diff -Nru botan1.10-1.10.16/src/math/bigint/bigint.cpp
> botan1.10-1.10.17/src/math/bigint/bigint.cpp
> --- botan1.10-1.10.16/src/math/bigint/bigint.cpp        2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/math/bigint/bigint.cpp        2017-10-02
> 06:00:00.000000000 +0000
> @@ -10,6 +10,7 @@
>  #include <botan/get_byte.h>
>  #include <botan/parsing.h>
>  #include <botan/internal/rounding.h>
> +#include <botan/internal/ct_utils.h>
>
>  namespace Botan {
>
> @@ -373,4 +374,25 @@
>     binary_decode(buf, buf.size());
>     }
>
> +void BigInt::shrink_to_fit()
> +   {
> +   reg.resize(sig_words());
> +   }
> +
> +void BigInt::const_time_lookup(SecureVector<word>& output,
> +                               const std::vector<BigInt>& vec,
> +                               size_t idx)
> +   {
> +   const size_t words = output.size();
> +
> +   clear_mem(output.data(), output.size());
> +
> +   for(size_t i = 0; i != vec.size(); ++i)
> +      {
> +      for(size_t w = 0; w != words; ++w)
> +         output[w] |= CT::select<word>(CT::is_equal(i, idx),
> vec[i].word_at(w), 0);
> +      }
> +   }
> +
> +
>  }
> diff -Nru botan1.10-1.10.16/src/math/bigint/bigint.h
> botan1.10-1.10.17/src/math/bigint/bigint.h
> --- botan1.10-1.10.16/src/math/bigint/bigint.h  2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/math/bigint/bigint.h  2017-10-02
> 06:00:00.000000000 +0000
> @@ -500,6 +500,12 @@
>       */
>       BigInt(NumberType type, size_t n);
>
> +     void shrink_to_fit();
> +
> +     static void const_time_lookup(SecureVector<word>& output,
> +                                   const std::vector<BigInt>& vec,
> +                                   size_t idx);
> +
>     private:
>        SecureVector<word> reg;
>        Sign signedness;
> diff -Nru botan1.10-1.10.16/src/math/mp/mp_asm64/info.txt
> botan1.10-1.10.17/src/math/mp/mp_asm64/info.txt
> --- botan1.10-1.10.16/src/math/mp/mp_asm64/info.txt     2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/math/mp/mp_asm64/info.txt     2017-10-02
> 06:00:00.000000000 +0000
> @@ -8,10 +8,12 @@
>  </header:internal>
>
>  <arch>
> +aarch64
>  alpha
>  ia64
>  mips64
>  ppc64
> +ppc64le
>  sparc64
>  </arch>
>
> diff -Nru botan1.10-1.10.16/src/math/numbertheory/powm_mnt.cpp
> botan1.10-1.10.17/src/math/numbertheory/powm_mnt.cpp
> --- botan1.10-1.10.16/src/math/numbertheory/powm_mnt.cpp
> 2017-04-05 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/math/numbertheory/powm_mnt.cpp
> 2017-10-02 06:00:00.000000000 +0000
> @@ -68,6 +68,7 @@
>                         &workspace[0]);
>
>        g[i].assign(&z[0], mod_words + 1);
> +      g[i].grow_to(mod_words);
>        }
>     }
>
> @@ -81,6 +82,7 @@
>     BigInt x = R_mod;
>     SecureVector<word> z(2 * (mod_words + 1));
>     SecureVector<word> workspace(2 * (mod_words + 1));
> +   SecureVector<word> e(mod_words);
>
>     for(size_t i = exp_nibbles; i > 0; --i)
>        {
> @@ -98,12 +100,13 @@
>
>        const u32bit nibble = exp.get_substring(window_bits*(i-1),
> window_bits);
>
> -      const BigInt& y = g[nibble];
> -
>        zeroise(z);
> +
> +      BigInt::const_time_lookup(e, g, nibble);
> +
>        bigint_monty_mul(&z[0], z.size(),
>                         x.data(), x.size(), x.sig_words(),
> -                       y.data(), y.size(), y.sig_words(),
> +                       e.data(), e.size(), e.size(),
>                         modulus.data(), mod_words, mod_prime,
>                         &workspace[0]);
>
> diff -Nru botan1.10-1.10.16/src/utils/cpuid.cpp
> botan1.10-1.10.17/src/utils/cpuid.cpp
> --- botan1.10-1.10.16/src/utils/cpuid.cpp       2017-04-05
> 01:06:45.000000000 +0000
> +++ botan1.10-1.10.17/src/utils/cpuid.cpp       2017-10-02
> 06:00:00.000000000 +0000
> @@ -157,6 +157,9 @@
>     const u16bit PVR_G5_970GX = 0x0045;
>     const u16bit PVR_POWER6   = 0x003E;
>     const u16bit PVR_POWER7   = 0x003F;
> +   const u16bit PVR_POWER7p  = 0x004A;
> +   const u16bit PVR_POWER8   = 0x004D;
> +   const u16bit PVR_POWER8E  = 0x004B;
>     const u16bit PVR_CELL_PPU = 0x0070;
>
>     // Motorola produced G4s with PVR 0x800[0123C] (at least)
> @@ -177,6 +180,9 @@
>     altivec_capable |= (pvr == PVR_G5_970GX);
>     altivec_capable |= (pvr == PVR_POWER6);
>     altivec_capable |= (pvr == PVR_POWER7);
> +   altivec_capable |= (pvr == PVR_POWER7p);
> +   altivec_capable |= (pvr == PVR_POWER8);
> +   altivec_capable |= (pvr == PVR_POWER8E);
>     altivec_capable |= (pvr == PVR_CELL_PPU);
>  #endif
>
>


-- 
Ondřej Surý <ondrej@sury.org>

[Message part 2 (text/html, inline)]

Message #28 received at 877436-close@bugs.debian.org (full text, mbox, reply):

From: Christian Hofstaedtler <zeha@debian.org>

To: 877436-close@bugs.debian.org

Subject: Bug#877436: fixed in botan1.10 1.10.17-0.1

Date: Mon, 09 Oct 2017 11:48:44 +0000

Source: botan1.10
Source-Version: 1.10.17-0.1

We believe that the bug you reported is fixed in the latest version of
botan1.10, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 877436@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hofstaedtler <zeha@debian.org> (supplier of updated botan1.10 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Oct 2017 09:19:15 +0000
Source: botan1.10
Binary: botan1.10-dbg libbotan-1.10-1 libbotan1.10-dev
Architecture: source
Version: 1.10.17-0.1
Distribution: unstable
Urgency: medium
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Christian Hofstaedtler <zeha@debian.org>
Description:
 botan1.10-dbg - multiplatform crypto library (debug)
 libbotan-1.10-1 - multiplatform crypto library
 libbotan1.10-dev - multiplatform crypto library (development)
Closes: 877436
Changes:
 botan1.10 (1.10.17-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release 1.10.17 (Closes: #877436)
     + [CVE-2017-14737]: Side channel affecting modular exponentiation
     + Upstream has imported Debian architecture support patches, removed
       them.
Checksums-Sha1:
 0e5db86adc98c3b970a38d5c42f95fb3941f190e 2072 botan1.10_1.10.17-0.1.dsc
 b36541b441fb116caf068b6157ad7d01d71ecd2e 2706678 botan1.10_1.10.17.orig.tar.gz
 570dc6867cec64bf518391b4772675aaa4acc855 39232 botan1.10_1.10.17-0.1.debian.tar.xz
 ed63281a6bc5a5dbca0a9779d12e9c186284d73b 6043 botan1.10_1.10.17-0.1_source.buildinfo
Checksums-Sha256:
 e3f2946165c929faff2503b12c5e53c6a6b26456cb7b197026517a6c8c7cd4c0 2072 botan1.10_1.10.17-0.1.dsc
 6847ffb64b8d2f939dccfecc17bd2c80385d08f7621e2c56d3a335118e823613 2706678 botan1.10_1.10.17.orig.tar.gz
 6861f873066b0d809735b1820e05c93427054fe6f42d3f338e5b1bcac9641405 39232 botan1.10_1.10.17-0.1.debian.tar.xz
 3df4dde5a1c939c5695cc194089e64f96052de94b46a5ce03491d413a8dc0964 6043 botan1.10_1.10.17-0.1_source.buildinfo
Files:
 6305dbbb936095251404257ca05332f8 2072 libs optional botan1.10_1.10.17-0.1.dsc
 e5ed5dc70edd238c5a2116670b2cb3f3 2706678 libs optional botan1.10_1.10.17.orig.tar.gz
 8a211f35bea1ffb8696acecaf9f529de 39232 libs optional botan1.10_1.10.17-0.1.debian.tar.xz
 297f2a069ab5ee06c4b12ab5c5ae326d 6043 libs optional botan1.10_1.10.17-0.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEEfRrP+tnggGycTNOSXBPW25MFLgMFAlnbQsYQHHplaGFAZGVi
aWFuLm9yZwAKCRBcE9bbkwUuA0xpEACjEGS/3Df1XOj9kpjETxoUzZ+IjLmtimE1
9AdnYrP8NQCnEka1c5DFewk64/hCGW4SDPqxvvGwTrX6DRQsKYrcuzZFd+WJWmbl
mjvVvderpQbEOCezV2BL3gKj6cXU8rnT/wzreHBtODAkMX/onqu8YMAOX7HXHE8u
8GoNS7pak0TGozIqtyqBmomZGPWkZ5b5ZtGlrBY5tgYB4uCAZA51CEXlqPjgOTVG
GGbiS0zhgV9lUoLzX4tlgS+Hd6KeSPJspMdvyH9wD1wYrA0L5yCJ+Rj8A3RSKGv7
dn7yKWNv9pOiAHOsD7OOzhF5/0GdNByUJmIyYwJIdutZgL0lIYxUrSGUmH3TAuVl
5lSi8RpUciLUeFcR71xwqI9nzVrSUKzdwh4MAkw2QSkSApPUbFZYH35fqulO3VxO
GvZz8TV4DHmab3C6yq8/eOVm9QLZJDR2Syn6Fgl1rloVyir1F/4KQA/1Snt3mNIs
YO8z6+graHkq/3if7TMfyeGUBtCUxVaUgtzpeH4bIzz5mkWt1bdt8KCytO2g+Qh7
K166wcqtNkjb0smp8NSqqE63FsJkDC6TxwqV91DOB6X4rDAHLSzK4RWqYfaD9XD+
ra22QzAWfc2CvXRVgX0g0DVZZcWxUH+3CcrCcEnYDe4OKyQ0sQIKYkqwub+iK+A2
lYRV/+H1SA==
=uOOn
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.