Bug 478184 (CVE-2013-4242) - <app-crypt/gnupg-1.4.14, <dev-libs/libgcrypt-1.5.3: Flush+Reload cache side-channel attack on RSA secret keys (CVE-2013-4242)
Status: RESOLVED FIXED
Alias: CVE-2013-4242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-25 23:34 UTC by Arfrever Frehtes Taifersar Arahesis
Modified: 2014-02-21 16:08 UTC

See Also:
Package list:
Runtime testing required: ---
Description Arfrever Frehtes Taifersar Arahesis 2013-07-25 23:34:33 UTC
dev-libs/libgcrypt-1.5.3:
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html

app-crypt/gnupg-1.4.14:
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
Comment 1 Tim Harder gentoo-dev 2013-07-26 00:53:27 UTC
Arches, please stabilize:
=dev-libs/libgcrypt-1.5.3
Target keywords: alpha,amd64,arm,hppa,ia64,m68k,ppc,ppc64,s390,sh,sparc,x86

and 

=app-crypt/gnupg-1.4.14
Target keywords: alpha,amd64,arm,hppa,ia64,ppc,ppc64,s390,sh,sparc,x86
Comment 2 Agostino Sarubbo gentoo-dev 2013-07-26 16:20:55 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-27 14:11:29 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-27 22:04:16 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-28 13:37:10 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-28 19:44:49 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-30 12:31:25 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-04 11:46:45 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-08-04 13:41:36 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-06 12:33:10 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-08 12:29:35 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-08 12:37:21 UTC
sh stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:57:05 UTC
CVE-2013-4242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4242):
  GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and
  possibly other products, allows local users to obtain private RSA keys via a
  cache side-channel attack involving the L3 cache, aka Flush+Reload.
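The affected ranges in this bug (<app-crypt/gnupg-1.4.14 and <dev-libs/libgcrypt-1.5.3) can be checked against an installed-package list with the short script below. It is an added example, not code from the bug, from Gentoo or from the GnuPG project; it assumes the input is one category/package-version atom per line, the form that `qlist -Iv` from portage-utils prints, and the sample lines it carries are constructed rather than real system output. Only plain dotted versions with an optional -rN revision are supported; anything else raises rather than being misjudged silently.

```python
import re

# Fixed versions named in the bug: GnuPG 1.4.14 and Libgcrypt 1.5.3.
# Anything strictly below these is in the affected range.
FIXED_VERSIONS = {
    "app-crypt/gnupg": "1.4.14",
    "dev-libs/libgcrypt": "1.5.3",
}

# Gentoo's category/package-version[-rN] form, e.g. "dev-libs/libgcrypt-1.5.2-r1".
# The version starts at the first hyphen that is followed by a digit, which is
# what lets package names such as "libgpg-error" keep their own hyphens.
ATOM_RE = re.compile(
    r"^(?P<cp>[^/\s]+/[^\s]+?)-(?P<ver>\d[^\s]*?)(?:-r(?P<rev>\d+))?$"
)


def parse_atom(atom):
    """Split an atom into (category/package, version, revision)."""
    m = ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f"not a category/package-version atom: {atom!r}")
    return m.group("cp"), m.group("ver"), int(m.group("rev") or 0)


def version_key(ver):
    """Numeric tuple for a plain dotted version such as '1.5.3'.

    Portage's full version syntax (letter suffixes, _rc, _p, ...) is
    deliberately out of scope here; such versions raise so they are never
    compared wrongly without anyone noticing.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", ver):
        raise ValueError(f"unsupported version syntax: {ver!r}")
    return tuple(int(part) for part in ver.split("."))


def is_affected(atom):
    """True if the atom names one of the two packages at a version below the fix.

    Revisions (-rN) repackage the same upstream release, so they do not change
    whether the upstream fix is present and are ignored for the comparison.
    A gnupg 2.0.x atom is not flagged by itself, matching the bug's range;
    its exposure comes through libgcrypt, which is checked separately.
    """
    cp, ver, _rev = parse_atom(atom)
    fixed = FIXED_VERSIONS.get(cp)
    if fixed is None:
        return False
    return version_key(ver) < version_key(fixed)


def affected_atoms(lines):
    """Filter an installed-package listing down to the affected atoms."""
    return [line.strip() for line in lines if line.strip() and is_affected(line)]


# Constructed sample in the one-atom-per-line form of `qlist -Iv` (assumed);
# not output from a real system.
SAMPLE_INSTALLED = """\
app-crypt/gnupg-1.4.13
app-crypt/gnupg-2.0.20
dev-libs/libgcrypt-1.5.2-r1
dev-libs/libgpg-error-1.12
sys-libs/zlib-1.2.8
"""

if __name__ == "__main__":
    for atom in affected_atoms(SAMPLE_INSTALLED.splitlines()):
        print("affected:", atom)
```

On a real system the listing would be fed in from `qlist -Iv` instead of the embedded sample; with the sample, the two atoms reported are gnupg-1.4.13 and libgcrypt-1.5.2-r1.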
Comment 14 Sergey Popov gentoo-dev 2013-08-29 10:50:08 UTC
GLSA vote: yes
Comment 15 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-22 14:22:26 UTC
m68k gone from stable, removing from CC. @maintainers: clean affected, please. GLSA vote: yes, added to existing draft.
Comment 16 Alon Bar-Lev (RETIRED) gentoo-dev 2013-10-22 17:10:40 UTC
crypto done
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-14 11:58:47 UTC
This is A for libgcrypt
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 06:38:05 UTC
Maintainer(s), please drop the vulnerable version.

<dev-libs/libgcrypt-1.5.3

Thank you for cleaning up gnupg!
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-07 21:04:33 UTC
Cleanup's apparently been done.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:28 UTC
This issue was resolved and addressed in
 GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml
by GLSA coordinator Chris Reffett (creffett).