Bug 21204

Summary: gnupg new security issue CVE-2017-7526
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia, nathan95, sysadmin-bugs
Version: 6
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: advisory MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK MGA5-32-OK
Source RPM: gnupg-1.4.21-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-07-08 20:19:41 CEST
Ubuntu has issued an advisory for libgcrypt on July 3:
https://www.ubuntu.com/usn/usn-3347-1/

gnupg is also affected and a fix is being worked on upstream:
http://openwall.com/lists/oss-security/2017/07/06/8
David Walser 2017-07-08 20:19:53 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-07-27 02:53:23 CEST
Upstream has released version 1.4.22 on July 19 to fix this:
https://www.gnupg.org/

"Although GnuPG 1.4 is of limited use today we did a maintenance release to address the recently published local side channel attack CVE-2017-7526."
Comment 2 David Walser 2017-07-30 01:46:07 CEST
Patched package uploaded for Mageia 5.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated gnupg package fixes security vulnerability:

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and
Yuval Yarom discovered that GnuPG was susceptible to an attack via
side channels. A local attacker could use this attack to recover RSA
private keys (CVE-2017-7526).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
http://openwall.com/lists/oss-security/2017/07/06/8
https://www.gnupg.org/
https://www.ubuntu.com/usn/usn-3347-1/
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.19-1.3.mga5
gnupg-1.4.22-1.mga6

from SRPMS:
gnupg-1.4.19-1.3.mga5.src.rpm
gnupg-1.4.22-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs

Comment 3 PC LX 2017-07-30 16:16:10 CEST
Installed and tested without issues.

System: x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver.

$ rpm -q gnupg
gnupg-1.4.19-1.3.mga5
$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

nathan giovannini 2017-07-31 19:57:12 CEST

CC: (none) => nathan95
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Rémi Verschelde 2017-07-31 20:03:09 CEST

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => advisory MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 4 nathan giovannini 2017-08-01 13:22:16 CEST
Tested on VirtualBox on MGA 6 32-bit and MGA 5 32-bit and I did not notice regressions.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5TOO MGA5-64-OK MGA6-64-OK => advisory MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK MGA5-32OK
CC: (none) => sysadmin-bugs

nathan giovannini 2017-08-01 13:24:27 CEST

Whiteboard: advisory MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK MGA5-32OK => advisory MGA5TOO MGA5-64-OK MGA6-64-OK MGA6-32-OK MGA5-32-OK

Comment 5 Mageia Robot 2017-08-03 01:22:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0235.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED