The OpenPGP protocol is vulnerable to a timing-attack in order to gain plain text from cipher text. The timing difference appears as a side effect of the so-called "quick scan" and is only exploitable on systems that accept an arbitrary amount of cipher text for automatic decryption.
CAN-2005-0366 Fixed in 1.2.8 and 1.4.1, patches @ http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html Tavis / crypto herd: please bump ?
I'm working on a 1.4.1 ebuild already, should be available shortly.
1.4.1 is in the tree now.
Arches, please test and (if possible) mark gnupg-1.4.1 stable. If you think we rather need to include 1.2.8 (also fixed), please tell us too :)
FYI: Upstream has declared 1.4 as the stable line. Although Koon noted 1.2.8 as released, it's not available on the upstream FTP presently.
Stable on ppc.
sparc stable.
compiles and works.
compiles and works for me on hppa I meant
Stable on hppa.
Stable on amd64.
x86 done.
ppc-macos done. Also put in a fix for collission-protect systems - currently only applied if USE contains ppc-macos - that might better be done regardless of keyword.
Created attachment 53934 [details] compile error on ppc64 this won't compile on ppc64. Output is attached. I think we that 1.2.8 version koon mentioned before for ppc64.
Robin: would it be possible to patch the current 1.2.6 with the patches @ http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html to unblock ppc64 ? alpha: please test and mark stable
ppc64: could you please post your 'emerge info' and attach the config.log? I saw this once while building the src_test stuff for gnupg, but it was just a bad build (I didn't clean the dir properly).
Stable on alpha.
I vote for a GLSA on this one.
Created attachment 54216 [details] config.log on ppc64 # emerge --info Portage 2.0.51.19 (default-linux/ppc64/2005.0, gcc-3.4.3, glibc-2.3.4.20041102-r1, 2.6.9-gentoo-r9 ppc64) ================================================================= System uname: 2.6.9-gentoo-r9 ppc64 PPC970, altivec supported Gentoo Base System version 1.6.10 Python: dev-lang/python-2.3.3-r2 [2.3.3 (#1, Mar 19 2005, 14:18:56)] dev-lang/python: 2.3.3-r2 sys-devel/autoconf: 2.59-r6, 2.13 sys-devel/automake: 1.5, 1.6.3, 1.8.5-r3, 1.7.9-r1, 1.4_p6, 1.9.4 sys-devel/binutils: 2.15.90.0.3-r3 sys-devel/libtool: 1.5.10-r4 virtual/os-headers: 2.6.8.1-r2 ACCEPT_KEYWORDS="ppc64" AUTOCLEAN="yes" CFLAGS="-mcpu=G5 -O3 -pipe -fsigned-char -mabi=altivec" CHOST="powerpc64-unknown-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-mcpu=G5 -O3 -pipe -fsigned-char -mabi=altivec" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache cvs distlocks sandbox sfperms" GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X altivec apache2 audiofile bash-completion bcmath berkdb bitmap-fonts bzip2 bzlib calendar cdb cdparanoia cdr cdrom chroot client crypt cups curl dba dedicated dga dict dio divx4linux dv dvd dvdr dvdread encode exif fam fame fbcon ffmpeg flac flatfile foomaticdb fortran fpx freetype ftp gcc-libffi gcj gd gdbm gif gimp gimpprint glade gnokii gnuplot gnustep gphoto2 gpm graphviz gs gstreamer gtk gtk2 iconv icq ieee1394 image imagemagick imap imlib2 ipv6 ipv6arpa jabber java javacomm javamail javascript jbig jpeg jpeg2k kde kdeenablefinal kerberos latex libwww live maildir md5sum mhash mime mimencode mixer mjpeg mng motif mozsvg mp3 mpeg mpeg4 mpi music native ncurses neXt nls nocardbus nowin nptl nptlonly objc oggvorbis openal opengl openssh pam pdf pdflib perl php physfs plotutils png pnp portaudio posix povray ppc64 ppds procmail python qt quicktime quotas quotes radius readline rtc sasl sdk serial server session silc slang smime sms sndfile sockets sounds spell ssl svg tcpd tetex tga theora tidy tiff tools transcode truetype truetype-fonts type1-fonts uml unicode uptimed usb v4l v4l2 vcd vhosts videos vidix vim wmf wxwindows xanim xchatdccserver xchattext xine xml2 xmms xosd xpm xprint xscreensaver xsl xv xvid xvmc zlib" Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY #
I forgot to say, that I already tried C(XX)FLAGS="-O2"...
I vote YES for a GLSA on this one.
ppc64: could you please add --disable-asm to the configure options, and see if gnupg builds and passes the src_test? I think it should fix it for you.
robin: thx! that did the trick! Stable on ppc64.
GLSA 200503-29 arm,ia64,s390 should mark stable to benefit from GLSA