Bug 29529

Summary: libcryptopp new security issue CVE-2021-40530
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libcryptopp-8.2.0-2.mga8.src.rpm CVE: CVE-2021-40530
Status comment:

Description David Walser 2021-10-04 22:12:44 CEST 
Fedora has issued an advisory on October 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HGVBZ2TTRKCTYAZTRHTF6OBD4W37F5MT/

The issue is fixed upstream in 8.6.0.

Mageia 8 is also affected.
David Walser 2021-10-04 22:13:02 CEST

Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 8.6.0

Comment 1 Nicolas Salguero 2021-10-05 09:59:54 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. (CVE-2021-40530)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40530
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HGVBZ2TTRKCTYAZTRHTF6OBD4W37F5MT/
========================

Updated packages in core/updates_testing:
========================
lib(64)cryptopp8-8.2.0-2.1.mga8
lib(64)cryptopp-devel-8.2.0-2.1.mga8
libcryptopp-progs-8.2.0-2.1.mga8

from SRPM:
libcryptopp-8.2.0-2.1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2021-40530
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 8.6.0 => (none)
Version: Cauldron => 8
Status: NEW => ASSIGNED

Nicolas Salguero 2021-10-05 10:00:09 CEST

Source RPM: libcryptopp-8.5.0-1.mga9.src.rpm => libcryptopp-8.2.0-2.mga8.src.rpm

Comment 2 Herman Viaene 2021-10-05 14:11:04 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 25759 Comment 6 for testing
at CLI:
$ cd /usr/share/cryptopp/
$ cryptest v > ~/Documenten/cryptest_v

Checked the output file and all tests returned "passed" or "Failed tests = 0"
Good enough for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2021-10-05 16:54:07 CEST 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-10-06 19:52:39 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2021-10-06 21:43:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0468.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED