Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 478184 (CVE-2013-4242) - <app-crypt/gnupg-1.4.14, <dev-libs/libgcrypt-1.5.3: Flush+Reload cache side-channel attack on RSA secret keys (CVE-2013-4242)
Summary: <app-crypt/gnupg-1.4.14, <dev-libs/libgcrypt-1.5.3: Flush+Reload cache side-c...
Status: RESOLVED FIXED
Alias: CVE-2013-4242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-25 23:34 UTC by Arfrever Frehtes Taifersar Arahesis
Modified: 2014-02-21 16:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arfrever Frehtes Taifersar Arahesis 2013-07-25 23:34:33 UTC
dev-libs/libgcrypt-1.5.3:
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html

app-crypt/gnupg-1.4.14:
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
Comment 1 Tim Harder gentoo-dev 2013-07-26 00:53:27 UTC
Arches, please stabilize:
=dev-libs/libgcrypt-1.5.3
Target keywords: alpha,amd64,arm,hppa,ia64,m68k,ppc,ppc64,s390,sh,sparc,x86

and 

=app-crypt/gnupg-1.4.14
Target keywords: alpha,amd64,arm,hppa,ia64,ppc,ppc64,s390,sh,sparc,x86
Comment 2 Agostino Sarubbo gentoo-dev 2013-07-26 16:20:55 UTC
amd64 stable
Comment 3 Jeroen Roovers gentoo-dev 2013-07-27 14:11:29 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-27 22:04:16 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-28 13:37:10 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-28 19:44:49 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-30 12:31:25 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-04 11:46:45 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-08-04 13:41:36 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-06 12:33:10 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-08 12:29:35 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-08 12:37:21 UTC
sh stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:57:05 UTC
CVE-2013-4242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4242):
  GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and
  possibly other products, allows local users to obtain private RSA keys via a
  cache side-channel attack involving the L3 cache, aka Flush+Reload.
Comment 14 Sergey Popov gentoo-dev 2013-08-29 10:50:08 UTC
GLSA vote: yes
Comment 15 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-22 14:22:26 UTC
m68k gone from stable, removing from CC. @maintainers: clean affected, please. GLSA vote: yes, added to existing draft.
Comment 16 Alon Bar-Lev gentoo-dev 2013-10-22 17:10:40 UTC
crypto done
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-14 11:58:47 UTC
This is A for libgcrypt
Comment 18 Yury German Gentoo Infrastructure gentoo-dev Security 2013-12-30 06:38:05 UTC
Maintainer(s), please drop the vulnerable version.

<dev-libs/libgcrypt-1.5.3

Thank you for cleaning up gnupg!
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-07 21:04:33 UTC
Cleanup's apparently been done.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:28 UTC
This issue was resolved and addressed in
 GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml
by GLSA coordinator Chris Reffett (creffett).