Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 767814 (CVE-2021-3345) - <dev-libs/libgcrypt-1.9.1: Exploitable buffer overflow (CVE-2021-3345)
Summary: <dev-libs/libgcrypt-1.9.1: Exploitable buffer overflow (CVE-2021-3345)
Status: RESOLVED DUPLICATE of bug 795480
Alias: CVE-2021-3345
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major with 1 vote (vote)
Assignee: Gentoo Security
URL: https://lists.gnupg.org/pipermail/gnu...
Whiteboard: A2 [stable? glsa cve]
Keywords:
Depends on: 767859
Blocks: 766213
  Show dependency tree
 
Reported: 2021-01-29 08:15 UTC by Hanno Böck
Modified: 2023-03-24 14:03 UTC (History)
1 user (show)

See Also:
Package list:
dev-libs/libgcrypt-1.9.2 *
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2021-01-29 08:15:17 UTC
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html

Quote:
"A severe bug was reported yesterday evening against Libgcrypt 1.9.0
which we released last week.  A new version to fix this as weel as a
couple of build problems will be released today.

In the meantime please stop using 1.9.0.

It seems that Fedora 34 and Gentoo are already using 1.9.0 ."


This sounds sever, given the warning (it may be some form of "if you get a signature you can break a key"-issue) I'd propose to mask 1.9.0 for the time being.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 09:01:11 UTC
Masked.
Comment 3 jospezial 2021-01-29 11:38:00 UTC
lol:

Mid-air collision detected!

Someone else has made changes to bug 767814 at the same time you were trying to. The changes made were:

No changes have been made to this bug yet.

Added the comment(s):

    Comment 2 Maxim Britov 2021-01-29 12:34:30 CET

    https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html

    v1.9.1

    	

Your comment was:

    https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html

    Libgcrypt 1.9.1 relased
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 13:04:32 UTC
On it with 1.9.1 too now. Thanks hanno and zlogene for being quick here (and everyone else who pinged!)
Comment 5 Larry the Git Cow gentoo-dev 2021-01-29 13:19:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d47115a0553a799acad66ce663b045487f1185a9

commit d47115a0553a799acad66ce663b045487f1185a9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-29 13:10:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-29 13:10:18 +0000

    profiles/package.mask: drop obsolete =dev-libs/libgcrypt-1.9.0 mask
    
    We now have a fixed 1.9.1 in tree and 1.9.0 is gone.
    
    Bug: https://bugs.gentoo.org/767814
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ------
 1 file changed, 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d554d368f2cc68c944b92c2a64be391ca272eac1

commit d554d368f2cc68c944b92c2a64be391ca272eac1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-29 13:10:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-29 13:10:07 +0000

    dev-libs/libgcrypt: (security) bump to 1.9.1
    
    This includes a critical security fix on 1.9.0 (currently masked).
    
    Note that the mask on 1.9.0 currently forces a downgrade
    to the safe 1.8.x series.
    
    Bug: https://bugs.gentoo.org/767814
    Bug: https://bugs.gentoo.org/766213
    Closes: https://bugs.gentoo.org/766423
    Closes: https://bugs.gentoo.org/766429
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libgcrypt/Manifest                                          | 2 +-
 .../libgcrypt/{libgcrypt-1.9.0.ebuild => libgcrypt-1.9.1.ebuild}     | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
Comment 6 Hanno Böck gentoo-dev 2021-01-29 13:21:39 UTC
Note that libgcrypt 1.9.0 was already stabilized before being masked due to several (minor) security issues, see #766213.

Shall we fast-stabilize 1.9.1?
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 13:35:56 UTC
(In reply to Hanno Böck from comment #6)
> Note that libgcrypt 1.9.0 was already stabilized before being masked due to
> several (minor) security issues, see #766213.
> 
> Shall we fast-stabilize 1.9.1?

Right, we’re back to square 1 wrt bug 766213. Let’s stabilise there after we give it a few hours for any bugs and I’ll check with zlogene.
Comment 8 Hanno Böck gentoo-dev 2021-01-29 14:28:01 UTC
1.9.1 fails with USE="-asm".

This is the upstream report: https://dev.gnupg.org/T5277
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-29 14:37:55 UTC
(In reply to Hanno Böck from comment #8)
> 1.9.1 fails with USE="-asm".
> 
> This is the upstream report: https://dev.gnupg.org/T5277

thanks, I'll file a new bug to block the other one on
Comment 10 NATTkA bot gentoo-dev 2021-01-29 20:48:50 UTC Comment hidden (obsolete)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-30 21:30:57 UTC
For anyone looking at this bug:

* The actual vulnerability in 1.9.0 is already fixed in stable because a downgrade was forced to 1.8.x which is safe.

* We will stabilise 1.9.1 shortly with fixes for the timing attack problems mentioned in bug 766213.

The title is slightly confusing but you are safe wrt this issue (the buffer overflow) if you are on 1.8.x or (as the title says) 1.9.1.
Comment 12 Larry the Git Cow gentoo-dev 2021-02-17 20:02:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab0b005521081a650f8687a3ee28daa7b33b5f65

commit ab0b005521081a650f8687a3ee28daa7b33b5f65
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-02-17 20:02:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-17 20:02:25 +0000

    dev-libs/libgcrypt: bump to 1.9.2
    
    Bug: https://bugs.gentoo.org/767814
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libgcrypt/Manifest               |  1 +
 dev-libs/libgcrypt/libgcrypt-1.9.2.ebuild | 87 +++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
Comment 13 Volkmar W. Pogatzki 2021-06-26 07:13:46 UTC
Ping
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-06-27 10:12:56 UTC
1.9.x should never go stable (yet)
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-06-27 10:13:26 UTC

*** This bug has been marked as a duplicate of bug 795480 ***
Comment 18 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2023-03-24 14:03:45 UTC
(spam removed)