new file mode 100644

@@ -0,0 +1,35 @@

+From e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116 Mon Sep 17 00:00:00 2001

+From: David Drysdale <drysdale@google.com>

+Date: Mon, 22 May 2017 10:54:10 +0100

+Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data

+

+Check that there is enough data for the required elements

+of an NAPTR record (2 int16, 3 bytes for string lengths)

+before processing a record.

+---

+ ares_parse_naptr_reply.c | 7 ++++++-

+ 1 file changed, 6 insertions(+), 1 deletion(-)

+

+diff --git a/ares_parse_naptr_reply.c b/ares_parse_naptr_reply.c

+index 11634df9847c..717d35577811 100644

+--- a/ares_parse_naptr_reply.c

+@@ -110,6 +110,12 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,

+           status = ARES_EBADRESP;

+           break;

+         }

++      /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */

++      if (rr_len < 7)

++        {

++          status = ARES_EBADRESP;

++          break;

++        }

+ 

+       /* Check if we are really looking at a NAPTR record */

+       if (rr_class == C_IN && rr_type == T_NAPTR)

+@@ -185,4 +191,3 @@ ares_parse_naptr_reply (const unsigned char *abuf, int alen,

+ 

+   return ARES_SUCCESS;

+ }

+-

+-- 

@@ -1,7 +1,7 @@

 Summary:        A library that performs asynchronous DNS operations

 Name:           c-ares

 Version:        1.12.0

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        MIT

 Group:          System Environment/Libraries

 Vendor:         VMware, Inc.

@@ -9,6 +9,7 @@ Distribution:   Photon

 URL:            http://c-ares.haxx.se/

 Source0:        http://c-ares.haxx.se/download/%{name}-%{version}.tar.gz

 %define sha1    c-ares=8abfce61d2d788fb60a3441d05275162a460cbed

+Patch0:         CVE-2017-1000381.patch

 BuildRequires:  autoconf

 BuildRequires:  automake

@@ -31,6 +32,7 @@ compile applications or shared objects that use c-ares.

 %prep

 %setup -q

+%patch0 -p1

 f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f

@@ -68,6 +70,8 @@ rm -rf $RPM_BUILD_ROOT

 %{_mandir}/man3/ares_*

 %changelog

+*   Tue Oct 17 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.12.0-2

+-   Fix CVE-2017-1000381

 *   Thu Jun 29 2017 Vinay Kulkarni <kulkarniv@vmware.com> 1.12.0-1

 -   Update c-ares to v1.12.0.

 *   Wed Oct 05 2016 Xiaolin Li <xiaolinl@vmware.com> 1.10.0-3

new file mode 100644

@@ -0,0 +1,152 @@

+From bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9 Mon Sep 17 00:00:00 2001

+From: NIIBE Yutaka <gniibe@fsij.org>

+Date: Fri, 25 Aug 2017 18:13:28 +0900

+Subject: [PATCH] ecc: Add input validation for X25519.

+

+* cipher/ecc.c (ecc_decrypt_raw): Add input validation.

+* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.

+(_gcry_mpi_ec_bad_point): New.

+

+--

+

+Following is the paper describing the attack:

+

+    May the Fourth Be With You: A Microarchitectural Side Channel Attack

+    on Real-World Applications of Curve25519

+    by Daniel Genkin, Luke Valenta, and Yuval Yarom

+

+In the current implementation, we do output checking and it results an

+error for those bad points.  However, when attacked, the computation

+will done with leak of private key, even it will results errors.  To

+mitigate leak, we added input validation.

+

+Note that we only list bad points with MSB=0.  By X25519, MSB is

+always cleared.

+

+In future, we should implement constant-time field computation.  Then,

+this input validation could be removed, if performance is important

+and we are sure for no leak.

+

+CVE-id: CVE-2017-0379

+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

+---

+ cipher/ecc.c | 17 +++++++++++++++--

+ mpi/ec.c     | 51 ++++++++++++++++++++++++++++++++++++++++++++++++---

+ src/mpi.h    |  1 +

+ 3 files changed, 64 insertions(+), 5 deletions(-)

+

+diff --git a/cipher/ecc.c b/cipher/ecc.c

+index e25bf09..4e3e5b1 100644

+--- a/cipher/ecc.c

+@@ -1628,9 +1628,22 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)

+   if (DBG_CIPHER)

+     log_printpnt ("ecc_decrypt    kG", &kG, NULL);

+ 

+-  if (!(flags & PUBKEY_FLAG_DJB_TWEAK)

++  if ((flags & PUBKEY_FLAG_DJB_TWEAK))

++    {

+       /* For X25519, by its definition, validation should not be done.  */

+-      && !_gcry_mpi_ec_curve_point (&kG, ec))

++      /* (Instead, we do output check.)

++       *

++       * However, to mitigate secret key leak from our implementation,

++       * we also do input validation here.  For constant-time

++       * implementation, we can remove this input validation.

++       */

++      if (_gcry_mpi_ec_bad_point (&kG, ec))

++        {

++          rc = GPG_ERR_INV_DATA;

++          goto leave;

++        }

++    }

++  else if (!_gcry_mpi_ec_curve_point (&kG, ec))

+     {

+       rc = GPG_ERR_INV_DATA;

+       goto leave;

+diff --git a/mpi/ec.c b/mpi/ec.c

+index a0f7357..4c16603 100644

+--- a/mpi/ec.c

+@@ -396,6 +396,29 @@ ec_get_two_inv_p (mpi_ec_t ec)

+ }

+ 

+ 

++static const char *curve25519_bad_points[] = {

++  "0x0000000000000000000000000000000000000000000000000000000000000000",

++  "0x0000000000000000000000000000000000000000000000000000000000000001",

++  "0x00b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0",

++  "0x57119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c5f",

++  "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec",

++  "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed",

++  "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee",

++  NULL

++};

++

++static gcry_mpi_t

++scanval (const char *string)

++{

++  gpg_err_code_t rc;

++  gcry_mpi_t val;

++

++  rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL);

++  if (rc)

++    log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc));

++  return val;

++}

++

+ 

+ /* This function initialized a context for elliptic curve based on the

+    field GF(p).  P is the prime specifying this field, A is the first

+@@ -434,9 +457,17 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,

+ 

+   _gcry_mpi_ec_get_reset (ctx);

+ 

+-  /* Allocate scratch variables.  */

+-  for (i=0; i< DIM(ctx->t.scratch); i++)

+-    ctx->t.scratch[i] = mpi_alloc_like (ctx->p);

++  if (model == MPI_EC_MONTGOMERY)

++    {

++      for (i=0; i< DIM(ctx->t.scratch) && curve25519_bad_points[i]; i++)

++        ctx->t.scratch[i] = scanval (curve25519_bad_points[i]);

++    }

++  else

++    {

++      /* Allocate scratch variables.  */

++      for (i=0; i< DIM(ctx->t.scratch); i++)

++        ctx->t.scratch[i] = mpi_alloc_like (ctx->p);

++    }

+ 

+   /* Prepare for fast reduction.  */

+   /* FIXME: need a test for NIST values.  However it does not gain us

+@@ -1572,3 +1603,17 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx)

+ 

+   return res;

+ }

++

++

++int

++_gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx)

++{

++  int i;

++  gcry_mpi_t x_bad;

++

++  for (i = 0; (x_bad = ctx->t.scratch[i]); i++)

++    if (!mpi_cmp (point->x, x_bad))

++      return 1;

++

++  return 0;

++}

+diff --git a/src/mpi.h b/src/mpi.h

+index b5385b5..aeba7f8 100644

+--- a/src/mpi.h

+@@ -296,6 +296,7 @@ void _gcry_mpi_ec_mul_point (mpi_point_t result,

+                              gcry_mpi_t scalar, mpi_point_t point,

+                              mpi_ec_t ctx);

+ int  _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx);

++int _gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx);

+ 

+ gcry_mpi_t _gcry_mpi_ec_ec2os (gcry_mpi_point_t point, mpi_ec_t ectx);

+ 

+-- 

@@ -1,11 +1,12 @@

 Summary:	Crypto Libraries

 Name:		libgcrypt

 Version:	1.7.6

-Release:	1%{?dist}

+Release:	2%{?dist}

 License:        GPLv2+ and LGPLv2+

 URL:            http://www.gnu.org/software/libgcrypt/

 Source0:        ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2

 %define sha1 libgcrypt=d2b9e0f413064cfc67188f80d3cbda887c755a62

+Patch0:         CVE-2017-0379.patch

 Group:		System Environment/Libraries

 Vendor:		VMware, Inc.

 BuildRequires:	libgpg-error

@@ -27,6 +28,7 @@ that use libgcrypt.

 %prep

 %setup -q

+%patch0 -p1

 %build

 ./configure \

@@ -57,6 +59,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 /usr/share/aclocal/libgcrypt.m4

 %changelog

+*	Tue Oct 17 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.7.6-2

+-	Fix CVE-2017-0379

 *       Mon Apr 17 2017 Vinay Kulkarni <kulkarniv@vmware.com> 1.7.6-1

 -       Update to 1.7.6 to fix CVE-2016-6313.

 *	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.6.5-2

@@ -1,15 +1,15 @@

 Summary:	Libraries for terminal handling of character screens

 Name:		ncurses

 Version:	6.0

-Release:	6%{?dist}

+Release:	7%{?dist}

 License:	MIT

-URL:		http://www.gnu.org/software/ncurses

+URL:		http://invisible-island.net/ncurses/

 Group:		Applications/System

 Vendor:		VMware, Inc.

 Distribution: 	Photon

-Source0:	ftp://ftp.gnu.org/gnu/ncurses/%{name}-%{version}.tar.gz

-%define sha1 ncurses=acd606135a5124905da770803c05f1f20dd3b21c

-Patch0:		CVE-2017-10684-CVE-2017-10685.patch

+%global ncursessubversion 20171007

+Source0:	ftp://ftp.invisible-island.net/ncurses/current/%{name}-%{version}-20171007.tgz

+%define sha1 ncurses=527be8da26f04f50c1d659e972fa7d0b762c3a80

 Provides:       libncurses.so.6()(64bit)

 %description

 The Ncurses package contains libraries for terminal-independent

@@ -26,13 +26,13 @@ compatibility.

 %package	devel

 Summary:	Header and development files for ncurses

-Requires:	%{name} = %{version}

+Requires:	%{name} = %{version}-%{release}

 Provides:	pkgconfig(ncurses)

 %description	devel

 It contains the libraries and header files to create applications 

 %prep

-%setup -q

-%patch0 -p1

+%setup -q -n %{name}-%{version}-%{ncursessubversion}

+

 %build

 mkdir v6

 pushd v6

@@ -155,6 +155,8 @@ ln -sv %{_lib}/libncursesw.so.5.9 %{buildroot}%{_libdir}/libncurses.so.5

 %{_libdir}/libpanel.so

 %{_libdir}/libmenu.so

 %changelog

+*   Tue Oct 17 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 6.0-7

+-   Update to 6.0-7. Fix CVE-2017-13728

 *   Fri Sep 15 2017 Xiaolin Li <xiaolinl@vmware.com> 6.0-6

 -   ncurses-devel provides pkgconfig(ncurses)

 *   Thu Jul 06 2017 Dheeraj Shetty <dheerajs@vmware.com> 6.0-5