https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html Quote: "A severe bug was reported yesterday evening against Libgcrypt 1.9.0 which we released last week. A new version to fix this as well as a couple of build problems will be released today. In the meantime please stop using 1.9.0. It seems that Fedora 34 and Gentoo are already using 1.9.0." This sounds severe; given the warning (it may be some form of "if you get a signature you can break a key" issue) I'd propose to mask 1.9.0 for the time being.
Masked.
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html v1.9.1
lol: Mid-air collision detected! Someone else has made changes to bug 767814 at the same time you were trying to. The changes made were: No changes have been made to this bug yet. Added the comment(s): Comment 2 Maxim Britov 2021-01-29 12:34:30 CET https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html v1.9.1 Your comment was: https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html Libgcrypt 1.9.1 released
On it with 1.9.1 too now. Thanks hanno and zlogene for being quick here (and everyone else who pinged!)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d47115a0553a799acad66ce663b045487f1185a9
commit d47115a0553a799acad66ce663b045487f1185a9
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-01-29 13:10:18 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-01-29 13:10:18 +0000

profiles/package.mask: drop obsolete =dev-libs/libgcrypt-1.9.0 mask

We now have a fixed 1.9.1 in tree and 1.9.0 is gone.

Bug: https://bugs.gentoo.org/767814
Signed-off-by: Sam James <sam@gentoo.org>

profiles/package.mask | 6 ------
1 file changed, 6 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d554d368f2cc68c944b92c2a64be391ca272eac1
commit d554d368f2cc68c944b92c2a64be391ca272eac1
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-01-29 13:10:07 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-01-29 13:10:07 +0000

dev-libs/libgcrypt: (security) bump to 1.9.1

This includes a critical security fix on 1.9.0 (currently masked). Note that the mask on 1.9.0 currently forces a downgrade to the safe 1.8.x series.

Bug: https://bugs.gentoo.org/767814
Bug: https://bugs.gentoo.org/766213
Closes: https://bugs.gentoo.org/766423
Closes: https://bugs.gentoo.org/766429
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Sam James <sam@gentoo.org>

dev-libs/libgcrypt/Manifest | 2 +-
.../libgcrypt/{libgcrypt-1.9.0.ebuild => libgcrypt-1.9.1.ebuild} | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
Note that libgcrypt 1.9.0 was already stabilized before being masked due to several (minor) security issues, see #766213. Shall we fast-stabilize 1.9.1?
(In reply to Hanno Böck from comment #6)
> Note that libgcrypt 1.9.0 was already stabilized before being masked due to
> several (minor) security issues, see #766213.
>
> Shall we fast-stabilize 1.9.1?

Right, we're back to square 1 wrt bug 766213. Let's stabilise there after we give it a few hours for any bugs and I'll check with zlogene.
1.9.1 fails with USE="-asm". This is the upstream report: https://dev.gnupg.org/T5277
(In reply to Hanno Böck from comment #8)
> 1.9.1 fails with USE="-asm".
>
> This is the upstream report: https://dev.gnupg.org/T5277

Thanks, I'll file a new bug to block the other one on.
Unable to check for sanity:
> no match for package: dev-libs/libgcrypt-1.9.1
For anyone looking at this bug:

* The actual vulnerability in 1.9.0 is already fixed in stable because a downgrade was forced to 1.8.x which is safe.
* We will stabilise 1.9.1 shortly with fixes for the timing attack problems mentioned in bug 766213.

The title is slightly confusing but you are safe wrt this issue (the buffer overflow) if you are on 1.8.x or (as the title says) 1.9.1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab0b005521081a650f8687a3ee28daa7b33b5f65
commit ab0b005521081a650f8687a3ee28daa7b33b5f65
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-02-17 20:02:17 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-02-17 20:02:25 +0000

dev-libs/libgcrypt: bump to 1.9.2

Bug: https://bugs.gentoo.org/767814
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Sam James <sam@gentoo.org>

dev-libs/libgcrypt/Manifest | 1 +
dev-libs/libgcrypt/libgcrypt-1.9.2.ebuild | 87 +++++++++++++++++++++++++++++++
2 files changed, 88 insertions(+)
Ping
1.9.x should never go stable (yet)
*** This bug has been marked as a duplicate of bug 795480 ***