Bug#: 85547
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>

Attachments:
gnupg-compile-output.txt: compile error on ppc64 (text/plain, 49.25 KB), created by Markus Rothe, 2005-03-20 07:19 0000
config.log: config.log on ppc64 (text/plain, 180.51 KB), created by Markus Rothe, 2005-03-23 03:04 0000

Description:   Opened: 2005-03-16 11:51 0000
The OpenPGP protocol is vulnerable to a timing-attack in order to gain plain
text from cipher text.  The timing difference appears as a side effect of the
so-called "quick scan" and is only exploitable on systems that accept an
arbitrary amount of cipher text for automatic decryption.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-03-16 11:58:51 0000 -------
CAN-2005-0366
Fixed in 1.2.8 and 1.4.1, patches @
http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html

Tavis / crypto herd: please bump ?

------- Comment #2 From Robin Johnson 2005-03-16 12:05:37 0000 -------
I'm working on a 1.4.1 ebuild already, should be available shortly.

------- Comment #3 From Robin Johnson 2005-03-16 14:36:27 0000 -------
1.4.1 is in the tree now.

------- Comment #4 From Thierry Carrez (RETIRED) 2005-03-17 00:51:31 0000 -------
Arches, please test and (if possible) mark gnupg-1.4.1 stable. If you think we
rather need to include 1.2.8 (also fixed), please tell us too :)

------- Comment #5 From Robin Johnson 2005-03-17 01:10:36 0000 -------
FYI: Upstream has declared 1.4 as the stable line.

Although Koon noted 1.2.8 as released, it's not available on the upstream FTP presently.

------- Comment #6 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-17 09:57:14 0000 -------
Stable on ppc.

------- Comment #7 From Gustavo Zacarias (RETIRED) 2005-03-17 10:05:19 0000 -------
sparc stable.

------- Comment #8 From René Nussbaumer 2005-03-17 10:42:22 0000 -------
compiles and works.

------- Comment #9 From René Nussbaumer 2005-03-17 10:42:59 0000 -------
compiles and works for me on hppa I meant

------- Comment #10 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-17 10:45:48 0000 -------
Stable on hppa.

------- Comment #11 From Marcus D. Hanwell 2005-03-17 11:46:50 0000 -------
Stable on amd64.

------- Comment #12 From Robin Johnson 2005-03-17 16:47:08 0000 -------
x86 done.

------- Comment #13 From Hasan Khalil (RETIRED) 2005-03-17 18:47:41 0000 -------
ppc-macos done. Also put in a fix for collision-protect systems - currently
only applied if USE contains ppc-macos - that might better be done regardless
of keyword.

------- Comment #14 From Markus Rothe 2005-03-20 07:19:38 0000 -------
Created an attachment (id=53934) [details]
compile error on ppc64

this won't compile on ppc64. Output is attached.

I think we need that 1.2.8 version koon mentioned before for ppc64.

------- Comment #15 From Thierry Carrez (RETIRED) 2005-03-22 14:01:41 0000 -------
Robin: would it be possible to patch the current 1.2.6 with the patches @
http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html to unblock
ppc64 ?

alpha: please test and mark stable

------- Comment #16 From Robin Johnson 2005-03-22 14:11:05 0000 -------
ppc64: could you please post your 'emerge info' and attach the config.log?
I saw this once while building the src_test stuff for gnupg, but it was just a bad build (I didn't clean the dir properly).

------- Comment #17 From Bryan Østergaard (RETIRED) 2005-03-22 14:43:51 0000 -------
Stable on alpha.

------- Comment #18 From Thierry Carrez (RETIRED) 2005-03-23 00:32:28 0000 -------
I vote for a GLSA on this one.

------- Comment #19 From Markus Rothe 2005-03-23 03:04:46 0000 -------
Created an attachment (id=54216) [details]
config.log on ppc64

 # emerge --info
Portage 2.0.51.19 (default-linux/ppc64/2005.0, gcc-3.4.3,
glibc-2.3.4.20041102-r1, 2.6.9-gentoo-r9 ppc64)
=================================================================
System uname: 2.6.9-gentoo-r9 ppc64 PPC970, altivec supported
Gentoo Base System version 1.6.10
Python: 	     dev-lang/python-2.3.3-r2 [2.3.3 (#1, Mar 19 2005,
14:18:56)]
dev-lang/python:     2.3.3-r2
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.5, 1.6.3, 1.8.5-r3, 1.7.9-r1, 1.4_p6, 1.9.4
sys-devel/binutils:  2.15.90.0.3-r3
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="ppc64"
AUTOCLEAN="yes"
CFLAGS="-mcpu=G5 -O3 -pipe -fsigned-char -mabi=altivec"
CHOST="powerpc64-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env
/usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=G5 -O3 -pipe -fsigned-char -mabi=altivec"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache cvs distlocks sandbox sfperms"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/
http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X altivec apache2 audiofile bash-completion bcmath berkdb bitmap-fonts
bzip2 bzlib calendar cdb cdparanoia cdr cdrom chroot client crypt cups curl dba
dedicated dga dict dio divx4linux dv dvd dvdr dvdread encode exif fam fame
fbcon ffmpeg flac flatfile foomaticdb fortran fpx freetype ftp gcc-libffi gcj
gd gdbm gif gimp gimpprint glade gnokii gnuplot gnustep gphoto2 gpm graphviz gs
gstreamer gtk gtk2 iconv icq ieee1394 image imagemagick imap imlib2 ipv6
ipv6arpa jabber java javacomm javamail javascript jbig jpeg jpeg2k kde
kdeenablefinal kerberos latex libwww live maildir md5sum mhash mime mimencode
mixer mjpeg mng motif mozsvg mp3 mpeg mpeg4 mpi music native ncurses neXt nls
nocardbus nowin nptl nptlonly objc oggvorbis openal opengl openssh pam pdf
pdflib perl php physfs plotutils png pnp portaudio posix povray ppc64 ppds
procmail python qt quicktime quotas quotes radius readline rtc sasl sdk serial
server session silc slang smime sms sndfile sockets sounds spell ssl svg tcpd
tetex tga theora tidy tiff tools transcode truetype truetype-fonts type1-fonts
uml unicode uptimed usb v4l v4l2 vcd vhosts videos vidix vim wmf wxwindows
xanim xchatdccserver xchattext xine xml2 xmms xosd xpm xprint xscreensaver xsl
xv xvid xvmc zlib"
Unset:	ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY

 #

------- Comment #20 From Markus Rothe 2005-03-23 03:05:53 0000 -------
I forgot to say, that I already tried C(XX)FLAGS="-O2"...

------- Comment #21 From Sune Kloppenborg Jeppesen 2005-03-23 08:20:26 0000 -------
I vote YES for a GLSA on this one.

------- Comment #22 From Robin Johnson 2005-03-24 02:03:45 0000 -------
ppc64: could you please add --disable-asm to the configure options, and see if
gnupg builds and passes the src_test?
I think it should fix it for you.

------- Comment #23 From Markus Rothe 2005-03-24 12:45:11 0000 -------
robin: thx! that did the trick!

Stable on ppc64.

------- Comment #24 From Thierry Carrez (RETIRED) 2005-03-24 14:04:03 0000 -------
GLSA 200503-29
arm,ia64,s390 should mark stable to benefit from GLSA
