Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 811900 (CVE-2021-40528)

Summary: <dev-libs/libgcrypt-1.9.4: ElGamal plaintext recovery (CVE-2021-40528)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: base-system, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 817935    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:18:42 UTC 
CVE-2021-40528 (https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1, https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2)

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.


Please stabilize 1.9.4.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-28 15:59:26 UTC 
Please cleanup
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:36:57 UTC 
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-10-31 01:42:32 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e8a66a03a13ff76fb2733745a316822ef89c7e

commit 65e8a66a03a13ff76fb2733745a316822ef89c7e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:09:53 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-13 ] libgcrypt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/766213
    Bug: https://bugs.gentoo.org/795480
    Bug: https://bugs.gentoo.org/811900
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-13.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 01:51:22 UTC 
GLSA released, all done!