Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 811900 (CVE-2021-40528) - <dev-libs/libgcrypt-1.9.4: ElGamal plaintext recovery (CVE-2021-40528)
Summary: <dev-libs/libgcrypt-1.9.4: ElGamal plaintext recovery (CVE-2021-40528)
Status: RESOLVED FIXED
Alias: CVE-2021-40528
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+]
Keywords:
Depends on: 817935
Blocks:
  Show dependency tree
 
Reported: 2021-09-07 01:18 UTC by John Helmert III
Modified: 2022-10-31 02:25 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:18:42 UTC
CVE-2021-40528 (https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1, https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2)

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.


Please stabilize 1.9.4.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-28 15:59:26 UTC
Please cleanup
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:36:57 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-10-31 01:42:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e8a66a03a13ff76fb2733745a316822ef89c7e

commit 65e8a66a03a13ff76fb2733745a316822ef89c7e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:09:53 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-13 ] libgcrypt: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/766213
    Bug: https://bugs.gentoo.org/795480
    Bug: https://bugs.gentoo.org/811900
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-13.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 01:51:22 UTC
GLSA released, all done!