621218 – (CVE-2017-9526) <dev-libs/libgcrypt-1.7.7: Possible timing attack on EdDSA session key

Bug 621218 (CVE-2017-9526) - <dev-libs/libgcrypt-1.7.7: Possible timing attack on EdDSA session key

Summary: <dev-libs/libgcrypt-1.7.7: Possible timing attack on EdDSA session key

Status:	RESOLVED FIXED

Alias:	CVE-2017-9526

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	CVE-2017-7526
Blocks:
	Show dependency tree

Reported:	2017-06-08 15:59 UTC by Agostino Sarubbo
Modified:	2017-09-10 22:59 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	dev-libs/libgcrypt-1.7.7 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-06-08 15:59:26 UTC

From ${URL} :

An attacker who learns the EdDSA session key from side-channel observation during the signing process, can easily recover the long-term secret key. Storing the session key in secure memory ensures that 
constant time point operations are used in the MPI library.

Upstream fixes:

master: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5a22de904a0a366ae79f03ff1e13a1232a89e26b

1.7.x: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.

Comment 1 Agostino Sarubbo gentoo-dev

2017-06-09 09:45:25 UTC

amd64 stable

Comment 2 Agostino Sarubbo gentoo-dev

2017-06-09 10:23:39 UTC

x86 stable

Comment 3 Agostino Sarubbo gentoo-dev

2017-06-10 13:49:29 UTC

sparc stable

Comment 4 Agostino Sarubbo gentoo-dev

2017-06-10 15:21:47 UTC

ia64 stable

Comment 5 Markus Meier gentoo-dev

2017-06-12 18:53:54 UTC

arm stable

Comment 6 Agostino Sarubbo gentoo-dev

2017-06-13 12:35:36 UTC

ppc64 stable

Comment 7 Tobias Klausmann (RETIRED) gentoo-dev

2017-06-20 15:00:52 UTC

Stable on alpha.

Comment 8 Agostino Sarubbo gentoo-dev

2017-06-21 12:03:53 UTC

ppc stable

Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-06-24 11:33:38 UTC

GLSA Vote: No

Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-06-29 07:59:57 UTC

We got bug 623006 now, so adding this to same glsa as that one

Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-07-08 20:18:33 UTC

EdDSA is only used by gnupg in --expert mode and is not defined in official OpenPGP standard yet, so impact is particular in nature. Originally noglsa but changed pending bug 623006, which is now also designated noglsa.

Waiting for hppa in bug 623006 and cleanup