author Fabrice Fontaine <fontaine.fabrice@gmail.com> 2020-12-20 18:55:56 +0100
committer Peter Korsgaard <peter@korsgaard.com> 2020-12-22 11:53:25 +0100
commit a0e2723447160b9846ed98118d07e9cb2bc48fa1
tree a60ef08cbb5b84cc9e1dbab2d03a00f790e24cf9
parent d407dcd1044ca7751c4046fcb6c69a2cc99b92b1
package/cryptopp: security bump to version 8.3.0

- Fix CVE-2019-14318: Crypto++ 8.2.0 and earlier contains a timing side
  channel in ECDSA signature generation. This allows a local or remote
  attacker, able to measure the duration of hundreds to thousands of
  signing operations, to compute the private key used. The issue occurs
  because scalar multiplication in ecp.cpp (prime field curves, small
  leakage) and algebra.cpp (binary field curves, large leakage) is not
  constant time and leaks the bit length of the scalar among other
  information. For details, see:
  https://github.com/weidai11/cryptopp/issues/869

- Update license hash due to the addition of ARM SHA1 and SHA256 asm
  implementation from Cryptogams
  https://github.com/weidai11/cryptopp/commit/1a63112faf5af60e0ebcc60654eef806e7f6f11a
  https://github.com/weidai11/cryptopp/commit/4c9ca6b723b5ec5aab7eec720ad4d22598abe941

https://www.cryptopp.com/release830.html

[Peter: adjust CVE info, issue is fixed in 8.3.0]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e7c789d48fe10265a392a7af42cf3439a7c726c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r-- package/cryptopp/cryptopp.hash 6
-rw-r--r-- package/cryptopp/cryptopp.mk 2
2 files changed, 4 insertions, 4 deletions
diff --git a/package/cryptopp/cryptopp.hash b/package/cryptopp/cryptopp.hash
index c0d442a97b..2774dc70ec 100644
--- a/package/cryptopp/cryptopp.hash
+++ b/package/cryptopp/cryptopp.hash
@@ -1,5 +1,5 @@
-# Hash from: https://www.cryptopp.com/release820.html:
-sha256 03f0e2242e11b9d19b28d0ec5a3fa8ed5cc7b27640e6bed365744f593e858058 cryptopp820.zip
+# Hash from: https://www.cryptopp.com/release830.html:
+sha512 ad5219a66c5924d330d3646d0ff996dd235006f6812074bc4eb9e8c662a4f000ba20449d377f24b133d19ce682f7b2a3b2eb4c08857ce0f5bb39743d1d425147 cryptopp830.zip
# Hash for license file:
-sha256 f29d65ae3f0c8e327284f193524643ffb4d682fcca3e1740a5c6cbab0e720583 License.txt
+sha256 e668af8c73a38a66a1e8951d14ec24e7582fee5254dd6c3dae488a416d105d5f License.txt
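Review bot: The cryptopp830.zip entry switches the hash type from sha256 to sha512 without any mention in the commit log, and the value comes from the release page on the same site that CRYPTOPP_SITE downloads the archive from, so it guards against a corrupted download rather than a tampered upstream. Consider keeping a locally computed sha256 line next to it (with a "# Locally computed" comment), and if upstream publishes a signature for the release, note in the comment that it was checked. The License.txt hash change is explained in the log, which is what a reviewer needs here.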
diff --git a/package/cryptopp/cryptopp.mk b/package/cryptopp/cryptopp.mk
index f1d19386ab..c1b8aaa44c 100644
--- a/package/cryptopp/cryptopp.mk
+++ b/package/cryptopp/cryptopp.mk
@@ -4,7 +4,7 @@
#
################################################################################
-CRYPTOPP_VERSION = 8.2.0
+CRYPTOPP_VERSION = 8.3.0
CRYPTOPP_SOURCE = cryptopp$(subst .,,$(CRYPTOPP_VERSION)).zip
CRYPTOPP_SITE = https://cryptopp.com
CRYPTOPP_LICENSE = BSL-1.0, BSD-3-Clause (CRYPTOGAMS), Public domain (ChaCha SSE2 and AVX)
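Review bot: CRYPTOPP_LICENSE in the trailing context is left unchanged even though the License.txt hash changes in cryptopp.hash. The existing "BSD-3-Clause (CRYPTOGAMS)" entry looks like it already covers the Cryptogams ARM SHA1/SHA256 code named in the log, but please confirm that the new License.txt adds no further licence terms and state that in the commit message, so the unchanged line is a recorded decision rather than an omission.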