Bug 585382 - glsa-check gives false alarm GLSA 201606-04 for =app-crypt/gnupg-1.4.20 and =dev-libs/libgcrypt-1.6.5
Summary: glsa-check gives false alarm GLSA 201606-04 for =app-crypt/gnupg-1.4.20 and =...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-08 14:18 UTC by cilly
Modified: 2016-06-10 18:20 UTC
CC List: 0 users
See Also:
Package list:
Runtime testing required: ---


Description cilly 2016-06-08 14:18:53 UTC
dev-libs/libgcrypt
     Available versions:  
     (11)   ~1.5.4-r101(11/11)
     (0)    1.5.5(0/11) 1.6.3-r4(0/20) ~1.6.3-r5(0/20) ~1.6.4(0/20) 1.6.5(0/20){tbz2} ~1.7.0(0/20)
       {doc static-libs +threads ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
     Installed versions:  1.6.5{tbz2}(09:30:23 AM 04/15/2016)(threads -doc -static-libs ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32")
     Homepage:            http://www.gnupg.org/
     Description:         General purpose crypto library based on the code used in GnuPG

####
####

app-crypt/gnupg
     Available versions:  1.4.19 (~)1.4.20{tbz2} [m]2.0.26-r3 [m]2.0.28 [m]~2.0.29-r1 [m]~2.0.30 ~2.1.11-r1 ~2.1.12 {bzip2 curl doc +gnutls ldap mta nls readline selinux smartcard static tofu tools usb zlib}
     Installed versions:  1.4.20{tbz2}(08:51:06 AM 04/15/2016)(bzip2 curl nls readline usb zlib -ldap -mta -selinux -smartcard -static)
     Homepage:            http://www.gnupg.org/
     Description:         The GNU Privacy Guard, a GPL OpenPGP implementation

####
####

GLSA Summary report for host pluto.xxx.xxx
(Command was: /usr/lib/python-exec/python3.4/glsa-check --mail --quiet --nocolor affected)

201606-04 [N] GnuPG: Multiple vulnerabilities ( dev-libs/libgcrypt  app-crypt/gnupg )
             GLSA 201606-04: 
GnuPG: Multiple vulnerabilities              
============================================================================
Synopsis:          Multiple vulnerabilities have been found in GnuPG and
                  libgcrypt, the worst of which may allow a local attacker
                  to obtain confidential key information.
Announced on:      June 05, 2016
Last revised on:   June 05, 2016 : 01

Affected package:  dev-libs/libgcrypt
Affected archs:    All
Vulnerable:        <1.6.3-r4
Unaffected:        >=1.6.3-r4

Affected package:  app-crypt/gnupg
Affected archs:    All
Vulnerable:        <2.0.26-r3
Unaffected:        >=2.0.26-r3, >=~1.4.19


Related bugs:      534110, 541564, 541568

Background:        The GNU Privacy Guard, GnuPG, is a free replacement for
                  the PGP suite of cryptographic software.

Description:       Multiple vulnerabilities have been discovered in GnuPG
                  and libgcrypt, please review the CVE identifiers
                  referenced below for details.

Impact:            A local attacker could possibly cause a Denial of Service
                  condition. Side-channel attacks could be leveraged to
                  obtain key material.

Workaround:        There is no known workaround at this time.

Resolution:        All GnuPG 2 users should upgrade to the latest version:
                  # emerge --sync
                  # emerge --ask --oneshot --verbose
                  ">=app-crypt/gnupg-2.0.26-r3"

                  All GnuPG 1 users should upgrade to the latest version:
                  # emerge --sync
                  # emerge --ask --oneshot --verbose
                  ">=app-crypt/gnupg-1.4.19"

                  All libgcrypt users should upgrade to the latest version:
                  # emerge --sync
                  # emerge --ask --oneshot --verbose
                  ">=dev-libs/libgcrypt-1.6.3-r4"


References:       
                  CVE-2014-3591: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3591

                  CVE-2015-0837: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0837
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-10 18:12:46 UTC
Thank you for the report. 


commit 4b6aa5109b7bdbb37436049eff6d360a2df8ee96
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Fri Jun 10 20:10:39 2016 +0200

    GLSA 201606-04: Fix false report for gnupg 1.4 series
    
    Adding forward gnupg 1.4 versions due to lower slot since
    it causes false vulnerability reports.
    
    Gentoo-Bug: 585382
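The advisory text in the description prints the gnupg ranges as "Vulnerable: <2.0.26-r3" and "Unaffected: >=2.0.26-r3, >=~1.4.19". The tilde form is glsa-check's rendering of a revision-only range: it matches the given base version and its -rN revisions, not later versions in the same series. An installed 1.4.20 is therefore below 2.0.26-r3 and covered by no unaffected entry, which is the false positive reported here; the commit above addresses it by adding the forward 1.4 versions. The script below is an added illustration of that matching logic, not portage's own glsa.py: it assumes the range semantics just described, a simplified version syntax (dotted integers plus an optional -rN), and a hypothetical "fixed" unaffected list that adds a `rge 1.4.20` entry to stand in for the commit's change.

```python
"""Model of how a GLSA's version ranges are matched against an installed
package version, reproducing the gnupg-1.4.20 false positive.

Assumptions (added illustration, not portage's glsa.py):
  * plain ops (lt/le/gt/ge/eq) compare the full version including -rN;
  * the revision ops (rlt/rle/rgt/rge, printed by glsa-check as <~, <=~,
    >~, >=~) require an identical base version and compare only -rN,
    so '>=~1.4.19' matches 1.4.19 and 1.4.19-rN but not 1.4.20;
  * a version is affected when it matches a vulnerable range and no
    unaffected range;
  * version syntax is simplified to dotted integers plus optional -rN.
"""
import re
from typing import List, NamedTuple, Tuple


class Version(NamedTuple):
    parts: Tuple[int, ...]  # dotted numeric components, e.g. (1, 4, 20)
    rev: int                # Gentoo -rN revision, 0 when absent


VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse(text: str) -> Version:
    """Parse '1.4.20' or '2.0.26-r3' into a Version (simplified syntax)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return Version(parts, int(m.group(2) or 0))


def _sign(x: int) -> int:
    return (x > 0) - (x < 0)


def compare(a: Version, b: Version) -> int:
    """Return -1/0/1; shorter component lists are padded with zeros."""
    n = max(len(a.parts), len(b.parts))
    pa = a.parts + (0,) * (n - len(a.parts))
    pb = b.parts + (0,) * (n - len(b.parts))
    if pa != pb:
        return -1 if pa < pb else 1
    return _sign(a.rev - b.rev)


def matches(installed: Version, op: str, target: Version) -> bool:
    """Does the installed version fall inside one GLSA range entry?"""
    if op.startswith("r"):
        # revision-only range: base versions must be identical
        if installed.parts != target.parts:
            return False
        c = _sign(installed.rev - target.rev)
        op = op[1:]
    else:
        c = compare(installed, target)
    return {"lt": c < 0, "le": c <= 0, "gt": c > 0,
            "ge": c >= 0, "eq": c == 0}[op]


Range = Tuple[str, str]  # (op, version string)


def is_affected(installed: str, vulnerable: List[Range],
                unaffected: List[Range]) -> bool:
    """Affected = matches a vulnerable range and no unaffected range."""
    v = parse(installed)
    if any(matches(v, op, parse(t)) for op, t in unaffected):
        return False
    return any(matches(v, op, parse(t)) for op, t in vulnerable)


# app-crypt/gnupg ranges exactly as printed in the advisory text
GNUPG_VULNERABLE = [("lt", "2.0.26-r3")]
GNUPG_UNAFFECTED_ORIGINAL = [("ge", "2.0.26-r3"), ("rge", "1.4.19")]
# hypothetical fixed list: a forward 1.4 version added as a revision range
GNUPG_UNAFFECTED_FIXED = GNUPG_UNAFFECTED_ORIGINAL + [("rge", "1.4.20")]

if __name__ == "__main__":
    for ver in ("1.4.18", "1.4.19", "1.4.20", "2.0.26-r2", "2.0.28"):
        before = is_affected(ver, GNUPG_VULNERABLE, GNUPG_UNAFFECTED_ORIGINAL)
        after = is_affected(ver, GNUPG_VULNERABLE, GNUPG_UNAFFECTED_FIXED)
        print(f"gnupg-{ver:10} original: {str(before):5} fixed: {after}")
```

Running it shows 1.4.20 flagged under the original ranges and clear under the extended list, while 1.4.18 and 2.0.26-r2 stay flagged either way. The general lesson for anyone maintaining advisories for a package with several parallel release series is that a single "<newest-fixed" vulnerable range needs an unaffected entry for every fixed version in the older series, because revision ranges do not extend forward.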