Bug 766213 - <dev-libs/libgcrypt-1.9.0: Multiple vulnerabilities
Summary: <dev-libs/libgcrypt-1.9.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://lists.gnupg.org/pipermail/gnu...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: CVE-2021-3345
Blocks:
Reported: 2021-01-19 23:19 UTC by John Helmert III
Modified: 2022-10-31 02:25 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-19 23:19:32 UTC
libgcrypt 1.9 appears to have a few security fixes:

   - Fix infinite loop due to applications using fork the wrong
     way.  [#3491][also in 1.8.4]
   - Fix possible leak of a few bits of secret primes to pageable
     memory.  [#3848][also in 1.8.4]
   - Fix possible hang in the RNG (1.8.3 only).  [#4034][also in 1.8.4]
   - Use blinding for ECDSA signing to mitigate a novel side-channel
     attack.  [#4011,CVE-2018-0495] [also in 1.8.3, 1.7.10]
   - Fix rare assertion failure in gcry_prime_check.  [also in 1.8.3]
   - Add mitigation against ECC timing attack CVE-2019-13626.  [#4626]

The CVE here was CVE-2019-13627 according to the upstream issue, not CVE-2019-13626.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2021-01-20 08:19:50 UTC
Just to be clear here, CVE-2019-13627 seems to be the only fix that is not in currently available versions in Gentoo. We have 1.8.6 in stable and 1.8.7 in unstable.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 09:01:02 UTC
1.9.0 is in the tree
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 20:17:24 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 20:17:44 UTC
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 20:18:09 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 20:53:48 UTC
arm64 done
Comment 8 Larry the Git Cow gentoo-dev 2021-01-29 13:19:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d554d368f2cc68c944b92c2a64be391ca272eac1

commit d554d368f2cc68c944b92c2a64be391ca272eac1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-29 13:10:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-29 13:10:07 +0000

    dev-libs/libgcrypt: (security) bump to 1.9.1
    
    This includes a critical security fix on 1.9.0 (currently masked).
    
    Note that the mask on 1.9.0 currently forces a downgrade
    to the safe 1.8.x series.
    
    Bug: https://bugs.gentoo.org/767814
    Bug: https://bugs.gentoo.org/766213
    Closes: https://bugs.gentoo.org/766423
    Closes: https://bugs.gentoo.org/766429
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libgcrypt/Manifest                                          | 2 +-
 .../libgcrypt/{libgcrypt-1.9.0.ebuild => libgcrypt-1.9.1.ebuild}     | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 20:47:01 UTC
We'll just GLSA it with the other one.
Comment 20 NATTkA bot gentoo-dev 2021-07-29 18:13:11 UTC
Package list is empty or all packages have requested keywords.
Comment 21 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:36:46 UTC
GLSA request filed
Comment 22 Larry the Git Cow gentoo-dev 2022-10-31 01:41:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e8a66a03a13ff76fb2733745a316822ef89c7e

commit 65e8a66a03a13ff76fb2733745a316822ef89c7e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:09:53 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-13 ] libgcrypt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/766213
    Bug: https://bugs.gentoo.org/795480
    Bug: https://bugs.gentoo.org/811900
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-13.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 23 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 01:51:33 UTC
GLSA released, all done!