Bug 478184 (CVE-2013-4242) - <app-crypt/gnupg-1.4.14, <dev-libs/libgcrypt-1.5.3: Flush+Reload cache side-channel attack on RSA secret keys (CVE-2013-4242)
Alias: CVE-2013-4242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: A4 [glsa]
Reported: 2013-07-25 23:34 UTC by Arfrever Frehtes Taifersar Arahesis
Modified: 2014-02-21 16:08 UTC

Description Arfrever Frehtes Taifersar Arahesis 2013-07-25 23:34:33 UTC

Comment 1 Tim Harder gentoo-dev 2013-07-26 00:53:27 UTC
Arches, please stabilize:
Target keywords: alpha,amd64,arm,hppa,ia64,m68k,ppc,ppc64,s390,sh,sparc,x86


Target keywords: alpha,amd64,arm,hppa,ia64,ppc,ppc64,s390,sh,sparc,x86
Comment 2 Agostino Sarubbo gentoo-dev 2013-07-26 16:20:55 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-27 14:11:29 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-27 22:04:16 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-28 13:37:10 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-28 19:44:49 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-30 12:31:25 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-04 11:46:45 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-08-04 13:41:36 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-06 12:33:10 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-08 12:29:35 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-08 12:37:21 UTC
sh stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:57:05 UTC
CVE-2013-4242:
  GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and
  possibly other products, allows local users to obtain private RSA keys via a
  cache side-channel attack involving the L3 cache, aka Flush+Reload.
Comment 14 Sergey Popov gentoo-dev 2013-08-29 10:50:08 UTC
GLSA vote: yes
Comment 15 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-22 14:22:26 UTC
m68k gone from stable, removing from CC. @maintainers: clean affected, please. GLSA vote: yes, added to existing draft.
Comment 16 Alon Bar-Lev (RETIRED) gentoo-dev 2013-10-22 17:10:40 UTC
crypto done
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-14 11:58:47 UTC
This is A for libgcrypt
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 06:38:05 UTC
Maintainer(s), please drop the vulnerable version.


Thank you for cleaning up gnupg!
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-07 21:04:33 UTC
Cleanup's apparently been done.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:28 UTC
This issue was resolved and addressed in
 GLSA 201402-24 at
by GLSA coordinator Chris Reffett (creffett).