| Summary: | libgcrypt new security issue CVE-2017-7526 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, marja11, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5-32-OK advisory MGA5-64-OK | | |
| Source RPM: | libgcrypt-1.7.7-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2017-07-03 12:06:18 CEST
Fixed in libgcrypt-1.7.8-1.mga6.

Resolution: (none) => FIXED

gnupg may be vulnerable to this (there's a proposed fix) and libgcrypt in Mageia 5 may be affected (we'll have to see if the commit to fix it can be applied):
http://openwall.com/lists/oss-security/2017/07/06/8

Debian's patches jessie apply to our Mageia 5 package. One of their two patches for CVE-2017-9526 (Bug 21092) does as well (and the other may if the correct source file to apply it to is found), so this needs to be re-opened.

Blocks: (none) => 21092

Indeed, Ubuntu has issued an advisory for both CVEs on July 3:
https://www.ubuntu.com/usn/usn-3347-1/
They have patches for 1.5.3 for Ubuntu 14.04.

Resolution: FIXED => (none)

David Walser
2017-07-07 12:04:42 CEST
Version: Cauldron => 5

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs

David Walser
2017-07-08 20:09:28 CEST
Blocks: 21092 => (none)

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover RSA private keys (CVE-2017-7526).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
https://www.ubuntu.com/usn/usn-3347-1/
========================

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-5.4.mga5
libgcrypt-devel-1.5.4-5.4.mga5

from libgcrypt-1.5.4-5.4.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

MGA5-32 on Asus A6000VM Xfce
No installation issues.
Found fsarchiver to be dependent on it.
Used fsarchiver to backup a partition with encryption and checked with strace: libgcrypt called a lot.

Whiteboard: (none) => MGA5-32-OK

Lewis Smith
2017-07-21 12:48:43 CEST
CC: (none) => lewyssmith

Testing M5 x64 real hardware

After update to:
lib64gcrypt11-1.5.4-5.4.mga5

The library is used by a lot of applications, shown by:
$ urpmq --whatrequires lib64gcrypt11 | sort | uniq | grep -v lib

I chose gnupg2 and used (thanks yet again Claire) the 1st part of the procedure given in:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3
which I repeat below using gpg2 (pkg gnupg2), and with some extra comments. (Confusion: I accidentally had 2 keys with essentially identical parameters, the first done with gpg; hence >1 date. I restricted the -list-keys output shown to just 1 key)

Every command via 'strace' showed that the library was opened:
open("/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 3

$ gpg2 --gen-key
takes a *long time* and asks a lot of questions.
...
You selected this USER-ID:
"lewis (<comment>) <e-mail>"
Ambiguity over userID: required in later commands, just the 'real name' seems to suffice. (I used lewis).
[I got, with the pop-up box to input a passphrase:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!]
NOTE the USER-ID and PASSPHRASE for later use!

$ gpg2 --list-keys
/home/lewis/.gnupg/pubring.gpg
------------------------------
pub 1024R/34BBE7CB 2017-07-22
uid [ultimate] lewis (<comment>) <e-mail>
sub 1024R/1FB24A0E 2017-07-22

$ echo "test test test" > test.txt
$ cat test.txt
test test test
$ gpg2 -e -r lewis test.txt [encrypt the file]
-e = encrypt; -r = user name.
$ ls
test.txt test.txt.gpg
$ rm test.txt [so no ambiguity later]
$ gpg2 test.txt.gpg [decrypt the file]
You need a passphrase to unlock the secret key for
user: "lewis (<comment>) <e-mail>"
1024-bit RSA key, ID 180D7E31, created 2017-07-21 (main key ID D2D8E0DD)
[I again got:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!]
gpg: encrypted with 1024-bit RSA key, ID 180D7E31, created 2017-07-21
"lewis (<comment>) <e-mail>"
$ ls
test.txt test.txt.gpg
$ cat test.txt
test test test
$ rm test* [tidy up]

$ gpg2 --delete-secret-keys lewis
...
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
$ gpg2 --delete-key lewis
...
Delete this key from the keyring? (y/N) y
$ gpg2 --list-keys | grep lewis [check it has gone]
$

All this works as described, so OKing the update. Also validating it.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0213.html

Status: REOPENED => RESOLVED
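
The strace check used in the x64 test report above can be scripted. This is an added example, not part of the original bug thread: it reads strace output and reports only the libgcrypt paths that were opened successfully, skipping failed loader probes. The function names and the sample trace (apart from the one open() line quoted in the report) are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm from strace output that a command really loaded
# libgcrypt, ignoring the failed probes the dynamic loader may make first.

# Constructed sample trace. Only the successful open() of
# /lib64/libgcrypt.so.11 comes from the test report; the ENOENT probe,
# the openat() form and the unrelated library are made up.
sample_trace() {
cat <<'EOF'
open("/lib64/tls/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgpg-error.so.0", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] openat(AT_FDCWD, "/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 4
EOF
}

# Read strace text on stdin and print each distinct libgcrypt path whose
# open()/openat() returned a file descriptor (a non-negative number).
# An optional "[pid N]" or bare PID prefix (strace -f) is accepted.
loaded_libgcrypt() {
    sed -n -E 's#^(\[pid +[0-9]+\] +|[0-9]+ +)?open(at)?\((AT_FDCWD, )?"([^"]*/libgcrypt\.so[^"]*)".*\) += +[0-9]+$#\4#p' |
        sort -u
}

# Exit status 0 if the trace on stdin shows a successful load, 1 otherwise.
uses_libgcrypt() {
    [ -n "$(loaded_libgcrypt)" ]
}

# Stand-alone run on the constructed sample. On a real system the input
# would come from something like:
#   strace -f -e trace=open,openat gpg2 --list-keys 2>&1 | loaded_libgcrypt
sample_trace | loaded_libgcrypt
```

The path printed can then be compared with the file list of the updated package to confirm the tested binary loaded the patched library and not another copy.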