Bug 21640

Summary: libgcrypt new security issue CVE-2017-0379
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, lewyssmith, marja11, mhrambo3501, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: has_procedure mga6-64-ok
Source RPM: libgcrypt-1.7.8-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-08-30 19:01:42 CEST 
Debian has issued an advisory on August 29:
https://www.debian.org/security/2017/dsa-3959

Mageia 6 is also affected.  I don't believe Mageia 5 is affected.
David Walser 2017-08-30 19:01:54 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2017-08-30 21:26:12 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2017-09-08 17:18:49 CEST 
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Patched libgcrypt package fixes security vulnerability:

It was discovered that libgcrypt is prone to a local side-channel attack against the
ECDH encryption with Curve25519, allowing recovery of the private key.


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0379
https://security-tracker.debian.org/tracker/CVE-2017-0379
========================

Updated packages in core/updates_testing:
========================
lib[64]gcrypt20-1.7.8-1.1.mga6
lib[64]gcrypt-devel-1.7.8-1.1.mga6

from libgcrypt-1.7.8-1.1.mga6.src.rpm


Testing information found in https://bugs.mageia.org/show_bug.cgi?id=21178

Assignee: pkg-bugs => qa-bugs
CC: (none) => mrambo
Whiteboard: MGA6TOO => has_procedure
Version: Cauldron => 6

Comment 3 Brian Rockwell 2017-09-09 21:14:51 CEST 
$ uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 15:52:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 14 packages are going to be installed:

- fsarchiver-0.8.1-1.mga6.x86_64
- lib64aio1-0.3.110-4.mga6.x86_64
- lib64gcrypt-devel-1.7.8-1.1.mga6.x86_64
- lib64gcrypt20-1.7.8-1.1.mga6.x86_64
- lib64gpg-error-devel-1.24-1.mga6.x86_64
- lib64rpm7-4.13.0.1-3.1.mga6.x86_64
- lib64rpmsign7-4.13.0.1-3.1.mga6.x86_64
- python2-rpm-4.13.0.1-3.1.mga6.x86_64
- python3-rpm-4.13.0.1-3.1.mga6.x86_64
- qt5-fsarchiver-0.8.1.1-1.mga6.x86_64
- rpm-4.13.0.1-3.1.mga6.x86_64
- samba-4.6.7-1.mga6.x86_64
- sshfs-fuse-2.5-4.mga6.x86_64
- sshpass-1.05-4.mga6.x86_64

6.1MB of additional disk space will be used.

2.8MB of packages will be retrieved.

Is it ok to continue?

----

using Qt5-Fsarchiver I was able to archive a directory using encryption and restore it to another folder.

Without specifying decryption, the volume was protected and not able to be restored.

CC: (none) => brtians1

Brian Rockwell 2017-09-09 21:15:03 CEST

Whiteboard: has_procedure => has_procedure mga6-64-ok

Comment 4 Lewis Smith 2017-09-10 14:04:06 CEST 
Thanks Brian. Validating as it is a 64-bit OK. Advisory ex comment 2.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-09-10 14:37:01 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0334.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED