Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 795480 (CVE-2021-33560) - <dev-libs/libgcrypt-{1.8.8,1.9.1}: ElGamal sidechannel leak (CVE-2021-33560)
Summary: <dev-libs/libgcrypt-{1.8.8,1.9.1}: ElGamal sidechannel leak (CVE-2021-33560)
Status: RESOLVED FIXED
Alias: CVE-2021-33560
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+]
Keywords:
: CVE-2021-3345 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-06-12 03:39 UTC by Sam James
Modified: 2022-10-31 02:25 UTC (History)
3 users (show)

See Also:
Package list:
dev-libs/libgcrypt-1.8.8
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 03:39:47 UTC
Description:
"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP."
Comment 1 Larry the Git Cow gentoo-dev 2021-06-16 16:46:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ebb8899e39bc7a7773fe930e68697cc48aab8d3

commit 5ebb8899e39bc7a7773fe930e68697cc48aab8d3
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-16 16:38:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-16 16:42:04 +0000

    dev-libs/libgcrypt: add 1.8.8
    
    Bug: https://bugs.gentoo.org/795480
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libgcrypt/Manifest               |  1 +
 dev-libs/libgcrypt/libgcrypt-1.8.8.ebuild | 84 +++++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-06-27 10:13:26 UTC
*** Bug 767814 has been marked as a duplicate of this bug. ***
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 19:45:30 UTC
arm done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 19:45:51 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 19:51:14 UTC
sparc done
Comment 6 Agostino Sarubbo gentoo-dev 2021-09-19 06:37:33 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2021-09-19 21:36:11 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2021-09-20 06:25:56 UTC
x86 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-24 15:37:26 UTC
ppc done
Comment 10 Rolf Eike Beer archtester 2021-10-20 05:11:38 UTC
hppa done
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-20 13:01:36 UTC
Please cleanup.
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:36:51 UTC
GLSA request filed
Comment 13 Larry the Git Cow gentoo-dev 2022-10-31 01:42:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e8a66a03a13ff76fb2733745a316822ef89c7e

commit 65e8a66a03a13ff76fb2733745a316822ef89c7e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:09:53 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-13 ] libgcrypt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/766213
    Bug: https://bugs.gentoo.org/795480
    Bug: https://bugs.gentoo.org/811900
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-13.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 01:51:28 UTC
GLSA released, all done!