Bug 29467

Summary: libgcrypt new security issue CVE-2021-40528
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, brtians1, marja11, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libgcrypt-1.8.7-1.1.mga8.src.rpm CVE: CVE-2021-40528
Status comment:
Attachments: A basic c program calling the library

Description David Walser 2021-09-16 22:01:55 CEST 
Ubuntu has issued an advisory today (September 16):
https://ubuntu.com/security/notices/USN-5080-1

The issue is fixed upstream in 1.9.4.

Mageia 8 is also affected.

We fixed the other CVE in their advisory in Bug 29162, but given their notes on this new CVE, we should make sure that we got the right commits last time.
David Walser 2021-09-16 22:02:12 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 1.9.4
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2021-09-16 22:05:07 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-09-20 13:38:12 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. (CVE-2021-40528)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40528
https://ubuntu.com/security/notices/USN-5080-1
========================

Updated packages in core/updates_testing:
========================
lib(64)gcrypt-devel-1.8.7-1.2.mga8
lib(64)gcrypt20-1.8.7-1.2.mga8

from SRPM:
libgcrypt-1.8.7-1.2.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: libgcrypt-1.9.3-1.mga9.src.rpm => libgcrypt-1.8.7-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-40528
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.9.4 => (none)

Comment 3 Brian Rockwell 2021-09-24 03:52:47 CEST 
Created attachment 12932 [details]
A basic c program calling the library

Basic C program:

to compile: gcc arcfour.c -o arcfour -lgcrypt -lgpg-error

to execute:  ./arcfour

Acquired the code from:  https://cboard.cprogramming.com/c-programming/105743-how-decrypt-encrypt-using-libgcrypt-arc4.html

CC: (none) => brtians1

Comment 4 Brian Rockwell 2021-09-24 03:56:01 CEST 
MGA8-64, Plasma

$ hmac256 "akeyblahblah" <afile>

it worked


$ dumpsexp < test.txt

it worked

Compiled and executed the program attached.

this library works as far as I can tell.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-09-27 14:09:32 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-09-29 17:53:36 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-09-29 19:24:06 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0446.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED