Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 811915 (CVE-2021-40530) - <dev-libs/crypto++-8.6.0: ElGamal plaintext recovery (CVE-2021-40530)
Summary: <dev-libs/crypto++-8.6.0: ElGamal plaintext recovery (CVE-2021-40530)
Status: IN_PROGRESS
Alias: CVE-2021-40530
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/weidai11/cryptopp/...
Whiteboard: B4 [glsa? cleanup]
Keywords:
Depends on: 817932
Blocks:
  Show dependency tree
 
Reported: 2021-09-07 01:44 UTC by John Helmert III
Modified: 2021-10-16 23:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-09-07 01:44:37 UTC
CVE-2021-40530 (https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1, https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2):

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.


No references to upstream in CVE references so not sure what needs to be done.
Comment 1 John Helmert III gentoo-dev Security 2021-09-25 18:36:23 UTC
8.6.0 claims to finally fix this.