Bug 23210

Summary: libgcrypt new security issue CVE-2018-0495
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, jani.valimaa, marja11, mhrambo3501, sysadmin-bugs
Version: 5Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK
Source RPM: libgcrypt-1.5.4-5.4.mga5.src.rpm CVE:
Status comment:
Bug Depends on: 23185    
Bug Blocks:    

Description David Walser 2018-06-20 23:40:51 CEST 
+++ This bug was initially created as a clone of Bug #23185 +++

GnuPG has announced a new security issue in libgcrypt on June 13:
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html

It is fixed upstream in 1.7.10 and 1.8.3.

Jani already updated Cauldron to 1.8.3.

Ubuntu has issued an advisory for this on June 19:
https://usn.ubuntu.com/3689-1/

They have a fix for the 1.5.x branch in Ubuntu 14.04.
Comment 1 Marja Van Waes 2018-06-21 07:55:43 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-06-21 13:42:09 CEST 
Thanks Jani!

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

When libgcrypt uses the private key to create a signature, such as for a TLS or
SSH connection, it inadvertently leaks information through memory caches. An
unprivileged attacker running on the same machine can collect the information
from a few thousand signatures and recover the value of the private ECDSA or
DSA key (CVE-2018-0495).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
========================

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-5.5.mga5
libgcrypt-devel-1.5.4-5.5.mga5

from libgcrypt-1.5.4-5.5.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2018-06-22 15:47:57 CEST 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Followed testing as bug 17742 Comment 4
$ gpg2 --list-keys
nothing found
$ gpg --gen-key 
Real name hviaene , etc.....
$ gpg2 --list-keys ( works )
$ gpg2 -e -r hviaene foo.diff
generates file foo.diff.gpg
rename foo.diff to foo.diff.orig
$ gpg2 foo.diff.gpg
generates file foo.diff, contents OK
$ gpg2 --delete-secret-keys hviaene
answering y on questions works OK
$ gpg2 --delete-key hviaene
idem
$ gpg2 --list-keys
nothing found
Seems good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 4 claire robinson 2018-06-24 21:47:45 CEST 
Validating. Advisoried.

Keywords: (none) => advisory, has_procedure, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-07-02 00:18:37 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0306.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED