| Summary: | <dev-libs/libgcrypt-1.7.7: Possible timing attack on EdDSA session key | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | crypto+disabled, k_f |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1459887 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
dev-libs/libgcrypt-1.7.7 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
|
Runtime testing required: | --- |
| Bug Depends on: | 623006 | ||
| Bug Blocks: | |||
amd64 stable x86 stable sparc stable ia64 stable arm stable ppc64 stable Stable on alpha. ppc stable GLSA Vote: No We got bug 623006 now, so adding this to same glsa as that one EdDSA is only used by gnupg in --expert mode and is not defined in official OpenPGP standard yet, so impact is particular in nature. Originally noglsa but changed pending bug 623006, which is now also designated noglsa. Waiting for hppa in bug 623006 and cleanup |
From ${URL} : An attacker who learns the EdDSA session key from side-channel observation during the signing process, can easily recover the long-term secret key. Storing the session key in secure memory ensures that constant time point operations are used in the MPI library. Upstream fixes: master: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5a22de904a0a366ae79f03ff1e13a1232a89e26b 1.7.x: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.