| Summary: | GnuPG ElGamal keys might get compromised | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | fbusse |
| Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | taviso |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Patch against GnuPG 1.2.3 | | |
Description
fbusse
2003-11-27 02:07:30 UTC
Created attachment 21353: Patch against GnuPG 1.2.3
Here's the GnuPG pipermail message: http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html

Let's be very specific in *what* keys might get compromised. ElGamal isn't very widely used, so no point in making a lot of people freak out.

Here is the announcement of the patch: <http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000277.html>. Perhaps we should just include it until 'the next version' is released?

Rajiv, have you had a chance to patch this yet?

taviso patched this in gnupg-1.2.3-r4.ebuild on 11/29/2003.

GLSA 200312-05 <http://www.gentoo.org/security/en/glsa/glsa-200312-05.xml> sent as:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-05
- --------------------------------------------------------------------------

GLSA:        200312-05
Package:     app-crypt/gnupg
Summary:     GnuPG ElGamal signing keys compromised and format string vulnerability
Severity:    minimal
Gentoo bug:  34504, 35639
Date:        2003-12-12
CVE:         CAN-2003-0971, CAN-2003-0978
Exploit:     unknown
Affected:    <=1.2.3-r4
Fixed:       >=1.2.3-r5

DESCRIPTION:

Two flaws have been found in GnuPG 1.2.3.

First, ElGamal signing keys can be compromised. These keys are not commonly used. Quote from <http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html>:

"Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."

Second, there is a format string flaw in the 'gpgkeys_hkp' utility which "would allow a malicious keyserver in the worst case to execute an arbitrary code on the user's machine." See <http://www.s-quadra.com/advisories/Adv-20031203.txt> for details.

SOLUTION:

All users who have created ElGamal signing keys should immediately revoke them. Then, all Gentoo Linux machines with gnupg installed should be updated to use gnupg-1.2.3-r5 or higher.

    emerge sync
    emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
    emerge '>=app-crypt/gnupg-1.2.3-r5'
    emerge clean

// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/2XUCnt0v0zAqOHYRAlrEAJwNpCuOGrcBcjKnC/c/F3AOxsTX3gCfU9ah
0gaONEybmmq0x4/vJheoXwg=
=F5DR
-----END PGP SIGNATURE-----
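The GLSA tells users with ElGamal signing keys to revoke them, but does not say how to find out whether a keyring contains any. The script below is an added example for this page, not code from the Gentoo bug, the GLSA or GnuPG: it parses the machine-readable output of `gpg --with-colons` and flags every key or subkey whose public-key algorithm is OpenPGP ID 20 (ElGamal sign+encrypt, the type affected), while leaving ID 16 (ElGamal encrypt-only) alone unless the capabilities field says it can sign. The field layout it assumes (field 1 record type, field 4 algorithm ID, field 5 key ID, field 10 user ID on pub/sec or uid records, field 12 capabilities where the GnuPG version emits it) and the sample listing are assumptions, and the sample key IDs and names are constructed for the example.

```python
"""Flag ElGamal signing keys in `gpg --with-colons` output.

Added example, not part of the Gentoo bug or of GnuPG. Assumed colon-record
layout: field 1 record type, field 4 public-key algorithm, field 5 key ID,
field 10 user ID (on pub/sec records in GnuPG 1.x, on uid records later),
field 12 per-key capabilities (lowercase letters describe this key itself).
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

ELGAMAL_ENCRYPT_ONLY = 16   # OpenPGP algorithm 16: cannot sign, not affected
ELGAMAL_SIGN_ENCRYPT = 20   # OpenPGP algorithm 20: the affected signing type

# Constructed sample listing (not real keys): one RSA/DSA user with an
# ElGamal encrypt-only subkey, one user with a type-20 primary key, and one
# user with a type-20 subkey.
SAMPLE_LISTING = """
tru::1:1070000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2003-01-15:::u:Alice Example <alice@example.org>::scaESCA:
sub:u:2048:16:FEDCBA9876543210:2003-01-15::::::e:
pub:u:1024:20:1111222233334444:2003-06-02:::u:Bob Example <bob@example.org>::escaESCA:
pub:u:1024:1:AAAABBBBCCCCDDDD:2002-11-20:::u:Carol Example <carol@example.org>::scESC:
sub:u:1024:20:5555666677778888:2002-11-20::::::esa:
"""


@dataclass
class KeyRecord:
    record: str    # "pub", "sec", "sub" or "ssb"
    algo: int      # OpenPGP public-key algorithm ID
    keyid: str
    caps: str      # field 12, "" when the GnuPG version does not emit it
    userid: str    # primary user ID, carried over to subkeys for reporting


def parse_colon_listing(text: str) -> List[KeyRecord]:
    """Turn colon-separated key records into KeyRecord objects."""
    records: List[KeyRecord] = []
    primary: Optional[KeyRecord] = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "uid":
            # GnuPG >= 1.4 emits user IDs as separate records after the pub/sec line
            uid = fields[9] if len(fields) > 9 else ""
            if primary is not None and not primary.userid:
                primary.userid = uid
            continue
        if rtype not in ("pub", "sec", "sub", "ssb"):
            continue
        try:
            algo = int(fields[3])
        except (IndexError, ValueError):
            continue   # malformed record; skip rather than guess
        caps = fields[11] if len(fields) > 11 else ""
        if rtype in ("pub", "sec"):
            uid = fields[9] if len(fields) > 9 else ""   # GnuPG 1.x puts it here
            primary = KeyRecord(rtype, algo, fields[4], caps, uid)
            records.append(primary)
        else:
            owner = primary.userid if primary is not None else ""
            records.append(KeyRecord(rtype, algo, fields[4], caps, owner))
    return records


def elgamal_signing_keys(records: List[KeyRecord]) -> List[KeyRecord]:
    """Keys that must be revoked per the GLSA: type 20, or an ElGamal key
    whose own capabilities (lowercase 's') include signing."""
    return [
        r for r in records
        if r.algo == ELGAMAL_SIGN_ENCRYPT
        or (r.algo == ELGAMAL_ENCRYPT_ONLY and "s" in r.caps)
    ]


def report(text: str) -> List[Tuple[str, str, str]]:
    """(record type, key ID, user ID) for every affected key in a listing."""
    return [(r.record, r.keyid, r.userid)
            for r in elgamal_signing_keys(parse_colon_listing(text))]


def live_listing(secret: bool = True) -> str:
    """Run the local gpg to get a colon listing (not used by the sample run)."""
    cmd = ["gpg", "--batch", "--with-colons",
           "--list-secret-keys" if secret else "--list-keys"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    listing = live_listing() if "--live" in sys.argv else SAMPLE_LISTING
    hits = report(listing)
    for rtype, keyid, uid in hits:
        print(f"REVOKE {rtype} {keyid} ({uid}): ElGamal signing key")
    if not hits:
        print("no ElGamal signing keys found")
```

Run it without arguments to see the constructed sample flagged, or with `--live` to scan the secret keyring of the local `gpg`. Only lowercase letters in the capabilities field are consulted, because uppercase letters on a pub record summarise what some subkey can do, not what the primary key itself can do.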