Bug 12039

Summary: gnupg new security issue CVE-2013-4576
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: oe, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/577552/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Source RPM: gnupg-1.4.15-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2013-12-18 17:51:49 CET 
Upstream has released version 1.4.16 today (December 18), fixing a security issue:
http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html

Oden has committed it to SVN and requested a freeze push for Cauldron.

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-18 17:52:09 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2013-12-18 18:56:43 CET 
Debian has issued an advisory for this today (December 18):
http://lists.debian.org/debian-security-announce/2013/msg00235.html
David Walser 2013-12-18 20:12:28 CET

URL: (none) => http://lwn.net/Vulnerabilities/577552/

Comment 2 David Walser 2013-12-19 03:42:55 CET 
gnupg-1.4.16-1.mga4 uploaded for Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 3 Oden Eriksson 2013-12-19 08:10:26 CET 
fixed with gnupg-1.4.14-1.2.mga3

CC: (none) => oe

Comment 4 David Walser 2013-12-19 12:14:29 CET 
Thanks Oden!

Advisory:
========================

Updated gnupg package fixes security vulnerability:

Genkin, Shamir and Tromer discovered that RSA key material could be extracted
by using the sound generated by the computer during the decryption of some
chosen ciphertexts (CVE-2013-4576).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576
http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html
http://www.debian.org/security/2013/dsa-2821
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.14-1.2.mga3

from gnupg-1.4.14-1.2.mga3.src.rpm

CC: (none) => boklm
Assignee: boklm => qa-bugs

Comment 5 claire robinson 2013-12-20 12:36:55 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11306#c3

No PoC, it involves sending thousands of encrypted messages which need to be auto decrypted and recording audio to process.
Comment 6 claire robinson 2013-12-20 13:03:13 CET 
Testing complete mga3 64

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 7 claire robinson 2013-12-20 13:16:23 CET 
Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 8 claire robinson 2013-12-20 13:19:38 CET 
Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2013-12-20 18:32:34 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0382.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:57 CEST

CC: boklm => (none)