Bug 25399

Summary: libgcrypt new security issue CVE-2019-13627
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, geiger.david68210, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libgcrypt-1.8.4-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-09-03 12:28:24 CEST 
libgcrypt has been released on August 29, fixing a security issue:
https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000440.html

Mageia 6 may also be affected.
David Walser 2019-09-03 12:28:39 CEST

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2019-09-03 13:16:39 CEST 
Done for mga7!

As upstream do not fixed this CVE in 1.7 branch, probably it is not affected??
Comment 2 David Walser 2019-09-03 14:43:17 CEST 
Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

ECDSA timing side-channel attack vulnerability (CVE-2019-13627).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2019-13627
https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000440.html
========================

Updated packages in core/updates_testing:
========================
libgcrypt20-1.8.5-1.mga7
libgcrypt-devel-1.8.5-1.mga7

from libgcrypt-1.8.5-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Brian Rockwell 2019-09-06 17:09:36 CEST 
$ uname -a
Linux localhost 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

The following 3 packages are going to be installed:

- lib64gcrypt-devel-1.8.5-1.mga7.x86_64
- lib64gcrypt20-1.8.5-1.mga7.x86_64
- lib64gpg-error-devel-1.36-1.mga7.x86_64

1.1MB of additional disk space will be used.

779KB of packages will be retrieved.


------------------

I used the following source code to compile

https://gitlab.tnichols.org/tyler/gcrypt/tree/master



./encrypt_decrypt encrypt ./sometext.txt ./sometext.pgp brianwashere

$ cat sometext.pgp
n�O
   #�{�;X���x(�_��-���-�Y�����#�pT;��oR0�`�����Z
                                                 �)�M,�▒�e������At�TGKπ{;�x��T▒�AOQ~I�.?��PR��y
                                                                                               E&m3'�)���
                                                                                                          ��0���d~/��=K�j_4�"�Į���M�:8+�<��య�"�j�
                                                                                                          
                                                                                                                                                                                          $ ./encrypt_decrypt decrypt ./sometext.pgp ./sometext2.txt brianwashere     
Valid HMAC found

$ cat sometext2.txt
This is some text to be encrypted.


Note this application is not safe for production, but is a good simple test.  The decrypted output file is larger due to block sizes.

The library is working from my perspective.

CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-09-06 20:11:45 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 4 Mageia Robot 2019-09-06 23:11:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0256.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2019-11-26 17:10:06 CET 
I believe this also fixed CVE-2019-12904:
https://lists.opensuse.org/opensuse-updates/2019-07/msg00121.html