Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 811915 (CVE-2021-40530)

Summary: <dev-libs/crypto++-8.6.0: ElGamal plaintext recovery (CVE-2021-40530)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/weidai11/cryptopp/issues/1059
Whiteboard: B4 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 817932    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:44:37 UTC 
CVE-2021-40530 (https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1, https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2):

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.


No references to upstream in CVE references so not sure what needs to be done.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-25 18:36:23 UTC 
8.6.0 claims to finally fix this.