libgcrypt 1.5.4 was announced on August 7:
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html

The upstream security advisory came on August 8:
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html

CVE request on August 11:
http://openwall.com/lists/oss-security/2014/08/11/1

No response yet.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Waiting on the CVE assignment for the advisory. Please refer to the upstream advisory for now.

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-1.mga3
libgcrypt-devel-1.5.4-1.mga3
libgcrypt11-1.5.4-1.mga4
libgcrypt-devel-1.5.4-1.mga4

from SRPMS:
libgcrypt-1.5.4-1.mga3.src.rpm
libgcrypt-1.5.4-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
CVE-2014-5270 assigned:
http://openwall.com/lists/oss-security/2014/08/16/2

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

The libgcrypt library before version 1.5.4 is vulnerable to an ELGAMAL side-channel attack (CVE-2014-5270).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
http://openwall.com/lists/oss-security/2014/08/16/2
Summary: libgcrypt new elgamal side-channel attack security issue fixed in 1.5.4 => libgcrypt new elgamal side-channel attack security issue fixed in 1.5.4 (CVE-2014-5270)
Maybe https://bugs.mageia.org/show_bug.cgi?id=10850#c11 can be used as a testing procedure
CC: (none) => stormi
OpenSuSE has issued an advisory for this on August 23: http://lists.opensuse.org/opensuse-updates/2014-08/msg00037.html
URL: (none) => http://lwn.net/Vulnerabilities/609509/
(In reply to Samuel VERSCHELDE from comment #2)
> Maybe https://bugs.mageia.org/show_bug.cgi?id=10850#c11 can be used as a
> testing procedure

It kinda looks like KGpg uses it so being able to set a keyword and password would tell you if it's installed correctly. Also it looks like LibreOffice-Writer uses it to encrypt exported PDF files. libgcrypt11 is already installed so I suspect that LibreOffice put it in there.
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: libgcrypt11 KGpg Libreoffice-Writer-PDF export

default install of libgcrypt11 & KGpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.i586 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

install libgcrypt11 from updates_testing

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.i586 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: libgcrypt11 KGpg Libreoffice-Writer-PDF export

default install of libgcrypt11 & KGpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.x86_64 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

install libgcrypt11 from updates_testing

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.x86_64 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: libgcrypt11 KGpg Libreoffice-Writer-PDF export

default install of libgcrypt11 & KGpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.11.4-1.mga4.i586 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

install libgcrypt11 from updates_testing

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.12.5-1.mga4.i586 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: libgcrypt11 KGpg Libreoffice-Writer-PDF export

default install of libgcrypt11 & KGpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.11.4-1.mga4.x86_64 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

install libgcrypt11 & kgpg from updates_testing

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.12.5-1.mga4.x86_64 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Seems ok to me. If nobody has any objections I'll validate this one. Does not seem to be an x86_64 version of this.
(In reply to William Kenney from comment #9)
> Does not seem to be an x86_64 version of this.

What do you mean by that? Unless a package is noarch, there always is. Remember, library package names on x86_64 always start with lib64 instead of lib (aka lib64gcrypt11 in this case). You need to remember this.
(In reply to David Walser from comment #10)
> (In reply to William Kenney from comment #9)
> > Does not seem to be an x86_64 version of this.
>
> What do you mean by that? Unless a package is noarch, there always is.
> Remember, library package names on x86_64 always start with lib64 instead of
> lib (aka lib64gcrypt11 in this case). You need to remember this.

Then why is it not mentioned in the description?

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-1.mga3
libgcrypt-devel-1.5.4-1.mga3
libgcrypt11-1.5.4-1.mga4
libgcrypt-devel-1.5.4-1.mga4
William, that's the way they are always listed.
Should not then the Description read as follows:

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-1.mga3
libgcrypt-devel-1.5.4-1.mga3
libgcrypt11-1.5.4-1.mga4
libgcrypt-devel-1.5.4-1.mga4
lib64gcrypt11-1.5.4-1.mga3
lib64gcrypt-devel-1.5.4-1.mga3
lib64gcrypt11-1.5.4-1.mga4
lib64gcrypt-devel-1.5.4-1.mga4
No. This is not up for debate.
To elaborate, the way library packages are named in Mageia is something you are expected to know. The package lists posted in the bugs are for your convenience. If that doesn't work for you, please see the RPMs links on the madb page.
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: lib64gcrypt11 kgpg Libreoffice-Writer-PDF export

default install of lib64gcrypt11 & KGpg

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.3-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.x86_64 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

install lib64gcrypt11 from updates_testing

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.4-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.10.5-1.1.mga3.x86_64 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: lib64gcrypt11 kgpg Libreoffice-Writer-PDF export

default install of lib64gcrypt11 & KGpg

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.3-2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.11.4-1.mga4.x86_64 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

install lib64gcrypt11 from updates_testing

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.4-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi kgpg
Package kgpg-4.12.5-1.mga4.x86_64 is already installed

kgpg opens and I can manage keys.
LibreOffice-Writer exports encrypted pdf files.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Got it now. We gotta be good to go now David.
I appreciate your persistence on this one :o) As long as kgpg was set to use gpg2 (and not gpg as in the comment referenced earlier), then yes these tests should be sufficient.
(In reply to David Walser from comment #19)
> I appreciate your persistence on this one :o) As long as kgpg was set to
> use gpg2 (and not gpg as in the comment referenced earlier), then yes these
> tests should be sufficient.

Thanks. Test computer's turned off. I'll take a look at it in the morning so that we can push this before the qa-meeting.
(In reply to David Walser from comment #19)
> As long as kgpg was set to
> use gpg2 (and not gpg as in the comment referenced earlier), then yes these
> tests should be sufficient.

I'm trying to find somewhere a reference to using either gpg or gpg2.

Opening M3 KGpg ( 2.9.1 ) M4 KGpg ( 2.11.2 ) -> Settings -> Configure KGpg -> GnuPG Settings

I'm not finding anything in there referencing a selection between gpg or gpg2. Everything seems to reference "gpg". I guess what you're referring to is KGpg ver 2.x and above correct?
No, in Comment 2 Samuel had linked to this: https://bugs.mageia.org/show_bug.cgi?id=10850#c11 which is where we got the idea to use kgpg in the testing procedure. That linked comment says to make sure that kgpg is using /usr/bin/gpg instead of /usr/bin/gpg2, which is the exact opposite of what we want for testing on this bug (only gpg2 aka gnupg2 uses libgcrypt).
You can verify the library is being used using strace

$ strace -o strace.txt kgpg
$ grep gcrypt strace.txt

It'll show it loading (ends in 3) or not being found. You can cross reference the path it is loading with the package. It should be something like /usr/lib64/libgcrypt.so.11
Hit submit too early.. To cross reference use urpmf..

$ urpmf /usr/lib64/libgcrypt.so.11
lib64gcrypt11:/usr/lib64/libgcrypt.so.11
lib64gcrypt11:/usr/lib64/libgcrypt.so.11.8.2
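The strace-and-grep check in the two comments above can be scripted so that the QA tester gets a yes/no answer instead of reading raw syscall lines. The following shell script is an added example and is not part of this bug report or of any Mageia tooling: it filters an strace log for the libgcrypt shared object that was actually opened (the dynamic loader probes several directories first, and those failed probes show up as "-1 ENOENT"), and checks that the loaded file carries the expected soname number (11 for the libgcrypt11 / lib64gcrypt11 packages). The strace lines at the bottom are a constructed sample, not a real capture; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: decide from an strace log which
# libgcrypt shared object a process really loaded.  A successful
# open()/openat() returns a file descriptor ("= 3" in the comment above),
# while a probe of a directory that lacks the library returns "-1 ENOENT".

# Print the path(s) of libgcrypt.so.* that open()/openat() actually opened
# in the strace log named by $1, skipping the failed probes.
gcrypt_loaded_from() {
    grep -E 'open(at)?\(.*libgcrypt\.so' "$1" \
        | grep -v -E '= -1 E[A-Z]+' \
        | sed -E 's/.*"([^"]*libgcrypt\.so[^"]*)".*/\1/'
}

# Succeed (exit 0) only if the first loaded libgcrypt carries the expected
# soname number ($2, e.g. 11 for the libgcrypt11 / lib64gcrypt11 package).
gcrypt_soname_ok() {
    _path=$(gcrypt_loaded_from "$1" | head -n 1)
    [ -n "$_path" ] || return 1
    case "$_path" in
        */libgcrypt.so."$2"|*/libgcrypt.so."$2".*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample strace output (hypothetical, not a real capture):
# one failed probe, the real load from /usr/lib64, then an unrelated read.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
openat(AT_FDCWD, "/lib64/tls/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0"..., 832) = 832
EOF

# On a real system the log comes from:  strace -o strace.txt kgpg
# and the printed path is then fed to urpmf to find the owning package.
echo "libgcrypt loaded from: $(gcrypt_loaded_from "$SAMPLE")"
if gcrypt_soname_ok "$SAMPLE" 11; then
    echo "soname check: OK"
else
    echo "soname check: FAILED (libgcrypt not loaded or wrong soname)"
fi
```

The soname check only tells you that the right library generation was loaded; it is the urpmf step from the comment above, run on the printed path, that ties the file back to the 1.5.4 package and so confirms the update under test is the one exercised.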
(In reply to David Walser from comment #22)
> .........what we want for testing on
> this bug (only gpg2 aka gnupg2 uses libgcrypt).

In VirtualBox, M3, KDE, 32-bit

Package(s) under test: libgcrypt11 KGpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.3-1.mga3.i586 is already installed

Changed KGpg -> Settings -> Configure KGpg -> GnuPG Settings -> Program path -> gpg2
From /bin/gpg to /bin/gpg2

KGpg opens and I can manage keys

In VirtualBox, M3, KDE, 64-bit

Package(s) under test: lib64gcrypt11 kgpg

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.4-1.mga3.x86_64 is already installed

Changed KGpg -> Settings -> Configure KGpg -> GnuPG Settings -> Program path -> gpg2
From /bin/gpg to /bin/gpg2

KGpg opens and I can manage keys

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: libgcrypt11 KGpg

[root@localhost wilcal]# urpmi libgcrypt11
Package libgcrypt11-1.5.4-1.mga4.i586 is already installed

Changed KGpg -> Settings -> Configure KGpg -> GnuPG Settings -> Program path -> gpg2
From /bin/gpg to /bin/gpg2

KGpg opens and I can manage keys

In VirtualBox, M4, KDE, 64-bit

Package(s) under test: lib64gcrypt11 KGpg

[root@localhost wilcal]# urpmi lib64gcrypt11
Package lib64gcrypt11-1.5.4-1.mga4.x86_64 is already installed

Changed KGpg -> Settings -> Configure KGpg -> GnuPG Settings -> Program path -> gpg2
From /bin/gpg to /bin/gpg2

KGpg opens and I can manage keys
Are we good to go?
Ahh, good that we verified that setting, since the previous tests hadn't been valid. Yes, this one is good to go. Thanks.
(In reply to David Walser from comment #27)
> Ahh, good that we verified that setting, since the previous tests hadn't
> been valid. Yes, this one is good to go. Thanks.

Yipeeeee!!!!!!

For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory from comment 0 and comment 1 uploaded.
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0365.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED