Bug 17742

Summary: libgcrypt new security issue CVE-2015-7511
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/675368/
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: libgcrypt-1.5.4-5.mga5.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 16806    

Description David Walser 2016-02-12 19:43:30 CET 
Debian has issued an advisory today (February 12):
https://lists.debian.org/debian-security-announce/2016/msg00044.html

The DSA will be posted here:
https://www.debian.org/security/2016/dsa-3474

Cauldron updated to 1.6.5 which fixes the issue.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered that
the ECDH secret decryption keys in applications using the libgcrypt20 library
could be leaked via a side-channel attack (CVE-2015-7511).

The libgcrypt package was also updated to include countermeasures against
Lenstra's fault attack on RSA Chinese Remainder Theorem optimization in RSA.
A signature verification step was updated to protect against leaks of private
keys in case of hardware faults or implementation errors in numeric
libraries.  This issue is equivalent to the CVE-2015-5738 issue in gnupg.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7511
http://lists.opensuse.org/opensuse-updates/2015-09/msg00033.html
https://www.debian.org/security/2016/dsa-3474
https://bugs.mageia.org/show_bug.cgi?id=16806
https://bugs.mageia.org/show_bug.cgi?id=17742
========================

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-5.2.mga5
libgcrypt-devel-1.5.4-5.2.mga5

from libgcrypt-1.5.4-5.2.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-02-12 19:44:40 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=15441#c2

Use gpg2 (gnupg2) to test libgcrypt.

Blocks: (none) => 16806
Whiteboard: (none) => has_procedure

Comment 2 William Kenney 2016-02-13 20:09:00 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
libgcrypt11 kgpg

default install of libgcrypt11 & kgpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.i586 is already installed

gpg --gen-key ( works, wiggle the mouse, takes about a min )
Real name: wilcal
e-mail: somebody@gmail.com
Comment: testing
passphrase: testing
gpg2 --list-keys ( works )
gpg2 -e -r wilcal test.txt ( works, generates test.txt.gpg )
erase test.txt
gpg2 test.txt.gpg ( works, regenerates test.txt )
libreoffice --writer exports an encrypted pdf file
gpg2 --delete-secret-keys wilcal ( works )
gpg2 --delete-key wilcal ( works )
gpg2 --list-keys ( works, no keys listed )

install libgcrypt11 & kgpg from updates_testing

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-5.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.14.3-1.mga5.i586 is already installed

gpg --gen-key ( works, wiggle the mouse, takes about a min )
Real name: wilcal
e-mail: somebody@gmail.com
Comment: testing
passphrase: testing
gpg2 --list-keys ( works )
gpg2 -e -r wilcal test.txt ( works, generates test.txt.gpg )
erase test.txt
gpg2 test.txt.gpg ( works, regenerates test.txt )
libreoffice --writer exports an encrypted pdf file
gpg2 --delete-secret-keys wilcal ( works )
gpg2 --delete-key wilcal ( works )
gpg2 --list-keys ( works, no keys listed )

CC: (none) => wilcal.int

Comment 3 William Kenney 2016-02-13 20:44:57 CET 
Correction:

In VirtualBox, M5, KDE, 32-bit

default install of libgcrypt11 & kgpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.i586 is already installed

s/b

default install of libgcrypt11 & kgpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-5.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.14.3-1.mga5.i586 is already installed
Comment 4 William Kenney 2016-02-13 21:02:07 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
lib64gcrypt11 kgpg

default install of lib64gcrypt11 & kgpg

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.4-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.14.3-1.mga5.x86_64 is already installed

gpg --gen-key ( works, wiggle the mouse, takes about a min )
Real name: wilcal
e-mail: somebody@gmail.com
Comment: testing
passphrase: testing
gpg2 --list-keys ( works )
gpg2 -e -r wilcal test.txt ( works, generates test.txt.gpg )
erase test.txt
gpg2 test.txt.gpg ( works, regenerates test.txt )
libreoffice --writer exports an encrypted pdf file
gpg2 --delete-secret-keys wilcal ( works )
gpg2 --delete-key wilcal ( works )
gpg2 --list-keys ( works, no keys listed )

install lib64gcrypt11 & kgpg from updates_testing

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.4-5.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.14.3-1.mga5.x86_64 is already installed

gpg --gen-key ( works, wiggle the mouse, takes about a min )
Real name: wilcal
e-mail: somebody@gmail.com
Comment: testing
passphrase: testing
gpg2 --list-keys ( works )
gpg2 -e -r wilcal test.txt ( works, generates test.txt.gpg )
erase test.txt
gpg2 test.txt.gpg ( works, regenerates test.txt )
libreoffice --writer exports an encrypted pdf file
gpg2 --delete-secret-keys wilcal ( works )
gpg2 --delete-key wilcal ( works )
gpg2 --list-keys ( works, no keys listed )
Comment 5 William Kenney 2016-02-13 21:02:49 CET 
Look good enough David?
Comment 6 David Walser 2016-02-13 21:04:57 CET 
Yes
Comment 7 William Kenney 2016-02-13 21:54:49 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 claire robinson 2016-02-15 12:11:59 CET 
Advisory uploaded.

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 9 Mageia Robot 2016-02-17 20:22:26 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0072.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED