Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 494658 (CVE-2013-4576) - <app-crypt/gnupg-1.4.16: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack (CVE-2013-4576)
Summary: <app-crypt/gnupg-1.4.16: RSA Key Extraction via Low-Bandwidth Acoustic Cry...
Status: RESOLVED FIXED
Alias: CVE-2013-4576
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://lists.gnupg.org/pipermail/gnup...
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-18 17:01 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-02-21 16:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2013-12-18 17:01:10 UTC
Along with the publication of an interesting new side channel attack by
Daniel Genkin, Adi Shamir, and Eran Tromer we announce the availability
of a new stable GnuPG release to relieve this bug: Version 1.4.16.

This is a *security fix* release and all users of GnuPG versions 1.x are
advised to updated to this version.  GnuPG versions 2.x are not
affected.  See below for the impact of the problem.

See also http://lists.gnupg.org/pipermail/gnupg-users/2013-December/048500.html

Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2013-12-18 17:03:41 UTC
Forgot to add link to the actual paper in the initial report: From the CHANGELOG: 
 * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic
   Cryptanalysis attack as described by Genkin, Shamir, and Tromer.
   See <http://www.cs.tau.ac.il/~tromer/acoustic/>.  [CVE-2013-4576]
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2013-12-18 20:14:26 UTC
Added
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-19 07:42:47 UTC
(In reply to Alon Bar-Lev from comment #2)
> Added

ready for stabilization?
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2013-12-19 15:45:17 UTC
(In reply to Mikle Kolyada from comment #3)
> (In reply to Alon Bar-Lev from comment #2)
> > Added
> 
> ready for stabilization?

well... the diff between versions is not trivial.

 * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic
   Cryptanalysis attack as described by Genkin, Shamir, and Tromer.
   See <http://www.cs.tau.ac.il/~tromer/acoustic/>.  [CVE-2013-4576]

 * Put only the major version number by default into armored output.
^^^^ I am unsure about impact.

 * Do not create a trustdb file if --trust-model=always is used.

 * Print the keyid for key packets with --list-packets.

 * Changed modular exponentiation algorithm to recover from a small
   performance loss due to a change in 1.4.14.
^^^^ not trivial at all.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2013-12-19 16:03:00 UTC
If you are more comfortable with a patchset it should be able to fix the issue in the CVE by the application of two patches from upstream: 
(i) http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=93a96e3c0c33370248f6570d8285c4e811d305d4 , and 
(ii) http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d0d72d98f34579213230b3febfebd2fd8dff272b

Note: I haven't tested that cherry-picking only these two actually compiles, but those are the ones that should be relevant for the CVE, and I know that a similar approach has been used by Debian ( you can e.g. see dsc diff at http://packages.debian.org/squeeze/gnupg for 1.4.10-4+squeeze4)
Comment 6 Alon Bar-Lev (RETIRED) gentoo-dev 2013-12-19 16:08:44 UTC
I think we should give some time for people to test.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-23 10:37:36 UTC
added to existing glsa draft
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2013-12-24 14:12:26 UTC
It has been about a week. Do we need more time for testing? Or are we ready to stable the package.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 01:42:09 UTC
CVE-2013-4576 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4576):
  GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions
  with certain patterns that introduce a side channel, which allows
  physically-proximate attackers to extract RSA keys via a chosen-ciphertext
  attack and acoustic cryptanalysis during decryption. NOTE: applications are
  not typically expected to protect themselves from acoustic side-channel
  attacks, since this is arguably the responsibility of the physical device.
  Accordingly, issues of this type would not normally receive a CVE
  identifier. However, for this issue, the developer has specified a security
  policy in which GnuPG should offer side-channel resistance, and
  developer-specified security-policy violations are within the scope of CVE.
Comment 10 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-07 21:06:59 UTC
Maintainer timeout. Arches, please test and stabilize:
=app-crypt/gnupg-1.4.16
Target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86. Thanks!
Comment 11 Steev Klimaszewski (RETIRED) gentoo-dev 2014-02-07 21:56:33 UTC
(In reply to Chris Reffett from comment #10)
> Maintainer timeout. Arches, please test and stabilize:
> =app-crypt/gnupg-1.4.16
> Target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86. Thanks!

I don't quite understand this one - gnupg isn't slotted - and at least on arm, 2.0+ is already stable.  Is there really a reason to go back and install/stable 1.4.16, since it will just bump to 2.x on the next upgrade cycle?
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-02-07 22:07:11 UTC
As one of the crypto herd, yes, there is still a point to have stable releases in the 1.4.x series: it's used in some scripting cases where the 2.0 changes didn't quite work out. When 2.1 comes out, I'm hoping that's different.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-02-07 22:13:07 UTC
I'd rather expect a 1.5 series based on libgcrypt but not the additional library dependencies (libassuan -> pinentry, gpg-agent, etc) as a replacement. Granted that is more of a question of whether gnupg should be slotted than related to this bug per se. 

Fwiw, Werner suggested a 2.1 release before summer this year during FOSDEM (but that wouldn't replace a 1.4/1.5, only the 2.0 series)
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2014-02-07 22:14:59 UTC
The only reason to use 1.4 series is for static and/or monolithic configurations. I am not aware of any functionality lose in 2.x.
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-02-07 22:22:10 UTC
@alon: 2.x does indeed add functionality (in particular related to gpgsm)  but it also add dependency complexity. There are several users that want to stick to 1.4/1.5 to avoid gpg-agent and pinentry e.g. for server systems. Granted 2.1. offers pinentry-mode=loopback, but as this isn't isn't in the main branches yet, e.g. automatic scripts still prefer 1.4/1.5.
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-08 12:37:52 UTC
Stable for HPPA.
Comment 17 Agostino Sarubbo gentoo-dev 2014-02-08 19:47:45 UTC
amd64 stable
Comment 18 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-02-09 03:20:07 UTC
x86 stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-02-09 08:19:01 UTC
ppc stable
Comment 20 Agostino Sarubbo gentoo-dev 2014-02-09 08:23:50 UTC
ppc64 stable
Comment 21 Agostino Sarubbo gentoo-dev 2014-02-09 08:27:07 UTC
sparc stable
Comment 22 Markus Meier gentoo-dev 2014-02-14 19:19:48 UTC
arm stable
Comment 23 Agostino Sarubbo gentoo-dev 2014-02-16 07:35:03 UTC
alpha stable
Comment 24 Agostino Sarubbo gentoo-dev 2014-02-16 12:05:43 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 25 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-16 12:07:24 UTC
Added to existing glsa deaft already.
Comment 26 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-21 15:33:26 UTC
Cleanup done by alonbl
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:38 UTC
This issue was resolved and addressed in
 GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml
by GLSA coordinator Chris Reffett (creffett).