| Summary: | libgcrypt new security issue CVE-2021-33560 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, geiger.david68210, herman.viaene, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | libgcrypt-1.8.7-1.mga8.src.rpm | CVE: | CVE-2021-33560 |
| Status comment: | |||
Description
David Walser
2021-06-21 19:47:43 CEST
David Walser
2021-06-21 19:48:15 CEST
CC: (none) => geiger.david68210

This pkg has no registered maintainer, and is committed by various people; so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (CVE-2021-33560)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009053.html
========================

Updated packages in 7/core/updates_testing:
========================

lib(64)gcrypt20-1.8.5-1.1.mga7
lib(64)gcrypt-devel-1.8.5-1.1.mga7

from SRPM:
libgcrypt-1.8.5-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================

lib(64)gcrypt20-1.8.7-1.1.mga8
lib(64)gcrypt-devel-1.8.7-1.1.mga8

from SRPM:
libgcrypt-1.8.7-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
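The advisory text names the missing countermeasure, exponent blinding in ElGamal decryption, without showing what it is. The following is an added illustration in Python, not libgcrypt code and not part of this bug report: textbook ElGamal over a constructed 128-bit safe prime, with an unblinded decryption that hands the long-term secret exponent x straight to modular exponentiation (the pattern the CVE text describes for mpi_powm) beside a blinded one that exponentiates with x + r*(p-1) for a fresh random r on every call. Both recover the plaintext; only the blinded path changes the exponent the exponentiation routine actually processes each time. The construction x + r*(p-1) is one standard form of exponent blinding; libgcrypt's own fix is not shown on this page. All function names (keygen, encrypt, decrypt_unblinded, decrypt_blinded, blind_exponent, demo), the parameter sizes and the fixed demo seed are the example's own choices. Note also that the QA transcripts later in this report exercise an RSA key, whereas the affected code path is ElGamal decryption.

```python
"""Exponent blinding for ElGamal decryption: added example, not libgcrypt code.
Requires Python 3.8+ (pow(a, -1, p) for modular inverse)."""
import random
import secrets


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with a caller-supplied RNG (used for demo parameters only)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits, rng):
    """p = 2q + 1 with q prime; then 4 = 2^2 generates the order-q subgroup of Z_p^*."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p


def keygen(bits, rng):
    """Toy ElGamal key: public (p, g, y = g^x mod p), private x."""
    p = gen_safe_prime(bits, rng)
    g = 4
    x = rng.randrange(2, p - 2)
    return (p, g, pow(g, x, p)), x


def encrypt(pub, m, rng):
    """Ciphertext (c1, c2) = (g^k, m * y^k) mod p for a fresh ephemeral k."""
    p, g, y = pub
    k = rng.randrange(2, p - 2)
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt_unblinded(pub, x, ct):
    """Vulnerable pattern from the CVE text: the long-term secret x is the
    exponent passed directly to the modular exponentiation."""
    p = pub[0]
    c1, c2 = ct
    return (c2 * pow(pow(c1, x, p), -1, p)) % p


def blind_exponent(x, p, rbits=64):
    """x' = x + r*(p-1) with fresh random r. c1^x' == c1^x (mod p) because
    c1^(p-1) == 1 (mod p) by Fermat, yet x' differs on every call, so the
    exponent bit pattern seen by the exponentiation is never the same twice."""
    r = secrets.randbits(rbits) | 1  # r >= 1: never fall back to the raw exponent
    return x + r * (p - 1)


def decrypt_blinded(pub, x, ct):
    """Same algebra as above, but the secret exponent is blinded per call."""
    p = pub[0]
    c1, c2 = ct
    return (c2 * pow(pow(c1, blind_exponent(x, p), p), -1, p)) % p


def demo(seed=1, bits=128):
    """Constructed end-to-end run. Returns (m, m_unblinded, m_blinded,
    blinded_exponents_differ) so the equivalence can be checked programmatically."""
    rng = random.Random(seed)  # deterministic demo parameters; never for real keys
    pub, x = keygen(bits, rng)
    p = pub[0]
    m = rng.randrange(1, p)
    ct = encrypt(pub, m, rng)
    e1, e2 = blind_exponent(x, p), blind_exponent(x, p)
    return m, decrypt_unblinded(pub, x, ct), decrypt_blinded(pub, x, ct), e1 != e2


if __name__ == "__main__":
    m, a, b, differ = demo()
    print("plaintext recovered without blinding:", m == a)
    print("plaintext recovered with blinding:   ", m == b)
    print("blinded exponent differs per call:   ", differ)
```

Python's built-in pow is not itself constant-time, so the block demonstrates the algebra of the countermeasure, not a side-channel-resistant implementation: the point is that the group order (or any multiple of the element's order) can be added to the secret exponent at no cost to correctness, which is what the advisory says the vulnerable libgcrypt versions failed to do.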
Nicolas Salguero
2021-06-22 14:56:56 CEST
Assignee: pkg-bugs => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
Created small plain text file.
Followed test as from bug 17742 Comment 4

$ gpg --gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: hviaene
etc ......

$ gpg2 -e -r hviaene crypttest.txt
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2023-06-22
created crypttest.txt.gpg file
renamed crypttest.txt to crypttest.orig.txt

$ gpg2 crypttest.txt.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: encrypted with 2048-bit RSA key, ID 4BC90D7AD65CD629, created 2021-06-22
      "hviaene <herman.viaene@hotmail.be>"
recreates the crypttest.txt file with correct contents.

$ gpg2 --delete-secret-keys hviaene
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
etc ....
works OK

$ gpg2 --delete-key hviaene
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
etc .....
works OK

$ gpg2 --list-keys
gpg: checking the trustdb
gpg: no ultimately trusted keys found

CC: (none) => herman.viaene

openSUSE has issued an advisory for this today (June 25):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PPALT4SBPXXPFJVTZN5FQCXMNVH4GXCU/

MGA8-64

$ uname -a
Linux localhost.localdomain 5.10.46-desktop-1.mga8 #1 SMP Thu Jun 24 14:33:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 2 packages are going to be installed:

- lib64gcrypt-devel-1.8.7-1.1.mga8.x86_64
- lib64gcrypt20-1.8.7-1.1.mga8.x86_64

I performed the same tests Herman did using my info. Worked fine.

$ gpg2 --version
gpg (GnuPG) 2.2.27
libgcrypt 1.8.7
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: xxxx
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

CC: (none) => brtians1

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
Aurelien Oudelet
2021-06-28 21:39:52 CEST
CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0294.html

Status: ASSIGNED => RESOLVED