Bug 19206

Summary: gnupg, libgcrypt new security issue CVE-2016-6313
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/697568/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: libgcrypt, gnupg CVE:
Status comment:

Description David Walser 2016-08-17 19:56:38 CEST 
GnuPG has released new libgcrypt and gnupg versions today (August 17):
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html

The CVE was incorrect in the announcement:
http://openwall.com/lists/oss-security/2016/08/17/8

For Mageia 5, we aren't using libgcrypt 1.7.x and we are still on gnupg 1.4.19, and I'm not sure we want all of the changes in 1.4.20:
https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html

So ideally we'd patch both of those.

Freeze push requested already for Cauldron (should be built soon).
Comment 1 David Walser 2016-08-18 19:00:22 CEST 
Debian has issued advisories for this on August 17:
https://www.debian.org/security/2016/dsa-3650
https://www.debian.org/security/2016/dsa-3649

Patched packages uploaded for Mageia 5.

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=15441#c2

Advisory:
========================

Updated gnupg and libgcrypt packages fixes security vulnerability:

Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology
discovered a flaw in the mixing functions of GnuPG's random number generator.
An attacker who obtains 4640 bits from the RNG can trivially predict the next
160 bits of output (CVE-2016-6313).

The gnupg package has been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library.  The
libgcrypt package has also been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
https://www.debian.org/security/2016/dsa-3649
https://www.debian.org/security/2016/dsa-3650
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.19-1.2.mga5
libgcrypt11-1.5.4-5.3.mga5
libgcrypt-devel-1.5.4-5.3.mga5

from SRPMS:
gnupg-1.4.19-1.2.mga5.src.rpm
libgcrypt-1.5.4-5.3.mga5.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/697568/
Assignee: bugsquad => qa-bugs
Summary: libgcrypt, gnupg new security issue CVE-2016-6313 => gnupg, libgcrypt new security issue CVE-2016-6313

David Walser 2016-08-18 19:00:33 CEST

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-08-20 20:01:54 CEST 
Tested both gpg and gpg2 using the first half of Claire's procedure here:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3

Testing complete Mageia 5 i586 and x86_64.

Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-08-26 00:58:39 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2016-08-31 17:34:01 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0292.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED