Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 693108 (CVE-2019-13627) - <dev-libs/libgcrypt-1.8.5: ECDSA timing attack in the libgcrypt20 cryptographic library (CVE-2019-13627)
Summary: <dev-libs/libgcrypt-1.8.5: ECDSA timing attack in the libgcrypt20 cryptograp...
Status: RESOLVED FIXED
Alias: CVE-2019-13627
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-30 08:52 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2020-06-20 00:57 UTC (History)
2 users (show)

See Also:
Package list:
dev-libs/libgcrypt-1.8.5
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-08-30 08:52:00 UTC 
Hi!

The GnuPG Project is pleased to announce the availability of Libgcrypt
version 1.8.5.  This release fixes an ECDSA side-channel attack.

Libgcrypt is a general purpose library of cryptographic building blocks.
It is originally based on code used by GnuPG.  It does not provide any
implementation of OpenPGP or other protocols.  Thorough understanding of
applied cryptography is required to use Libgcrypt.


Noteworthy changes in version 1.8.5
===================================

 * Bug fixes:

   - Add mitigation against an ECDSA timing attack.
     [T4626,CVE-2019-13627]

   - Improve ECDSA unblinding.

 * Other features:

   - Provide a pkg-config file for libgcrypt.

 Release-info: https://dev.gnupg.org/T4683
Comment 1 Larry the Git Cow gentoo-dev 2019-08-30 09:00:07 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7dcf27c125de973322f6b2199731e689837d714b

commit 7dcf27c125de973322f6b2199731e689837d714b
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2019-08-30 08:59:15 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2019-08-30 08:59:43 +0000

    dev-libs/libgcrypt: New upstream version 1.8.5
    
    Bug: https://bugs.gentoo.org/693108
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org>

 dev-libs/libgcrypt/Manifest               |  1 +
 dev-libs/libgcrypt/libgcrypt-1.8.5.ebuild | 76 +++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-10-13 08:28:09 UTC 
Arches, please stabilize dev-libs/libgcrypt-1.8.5
Comment 3 Matt Turner gentoo-dev 2019-10-14 03:51:48 UTC 
alpha stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-14 09:53:28 UTC 
s390 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-14 11:08:38 UTC 
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-14 11:16:54 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-14 11:25:38 UTC 
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-14 11:31:52 UTC 
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-10-14 11:50:43 UTC 
x86 stable
Comment 10 Rolf Eike Beer archtester 2019-10-24 22:14:39 UTC 
hppa stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:36:53 UTC 
arm stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-11-06 23:15:17 UTC 
arm64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2019-11-13 13:17:23 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:22:33 UTC 
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 19:33:02 UTC 
This issue was resolved and addressed in
 GLSA 202003-32 at https://security.gentoo.org/glsa/202003-32
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:33:31 UTC 
Re-opening for remaining architectures.
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:08:01 UTC 
SuperH port disbanded.
Comment 18 Sergei Trofimovich (RETIRED) gentoo-dev 2020-04-21 07:49:20 UTC 
m68k dropped stable keywords
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 07:52:16 UTC 
@maintainer(s), please cleanup
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 21:16:39 UTC 
CVE-2019-12904 (https://nvd.nist.gov/vuln/detail/CVE-2019-12904):
  In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a
  flush-and-reload side-channel attack because physical addresses are
  available to other processes. (The C implementation is used on platforms
  where an assembly-language implementation is unavailable.)
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:37:12 UTC 
@maintainer(s), ping, please cleanup
Comment 22 Larry the Git Cow gentoo-dev 2020-06-20 00:56:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8523b6a86cb32972ea1f06e2bab05a89e9e4157

commit b8523b6a86cb32972ea1f06e2bab05a89e9e4157
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 00:55:44 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 00:56:05 +0000

    dev-libs/libgcrypt: drop vulnerable
    
    Bug: https://bugs.gentoo.org/693108
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-libs/libgcrypt/Manifest                  |  2 -
 dev-libs/libgcrypt/libgcrypt-1.8.3-r1.ebuild | 75 ----------------------------
 dev-libs/libgcrypt/libgcrypt-1.8.3.ebuild    | 74 ---------------------------
 dev-libs/libgcrypt/libgcrypt-1.8.4.ebuild    | 75 ----------------------------
 4 files changed, 226 deletions(-)