Bug 14050 - gnupg new security issue CVE-2014-5270
Summary: gnupg new security issue CVE-2014-5270
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/609509/
Whiteboard: has_procedure advisory MGA3-32-OK MGA...
Keywords: validated_update
Reported: 2014-09-04 17:56 CEST by David Walser
Modified: 2014-09-22 10:31 CEST
Source RPM: gnupg-1.4.14-1.3.mga3.src.rpm

Description David Walser 2014-09-04 17:56:45 CEST
The Elgamal side-channel issue that we just fixed in libgcrypt (Bug 13904) also affects gnupg before version 1.4.16 (i.e., only Mageia 3 is affected).

Ubuntu has issued an advisory for this on September 3:
http://www.ubuntu.com/usn/usn-2339-1/

Patched package uploaded for Mageia 3.

The same testing procedure can be used again for this one:
https://bugs.mageia.org/show_bug.cgi?id=10850#c11

This time you'll want kgpg configured to use gpg and not gpg2.

Advisory:
========================

Updated gnupg packages fix security vulnerability:

The gnupg program before version 1.4.16 is vulnerable to an ELGAMAL
side-channel attack (CVE-2014-5270).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270
http://www.ubuntu.com/usn/usn-2339-1/
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.14-1.4.mga3

from gnupg-1.4.14-1.4.mga3.src.rpm

David Walser 2014-09-04 17:57:09 CEST

Whiteboard: (none) => has_procedure
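
Added example (not part of the original report or of Mageia's tooling): because the Mageia 3 fix is a backport that keeps version 1.4.14, comparing an installed package against upstream 1.4.16 alone would flag the patched build as affected. The sketch below classifies package strings as urpmi prints them, using only the versions named in this bug; the function names are hypothetical and GNU `sort -V` is assumed.

```shell
#!/bin/sh
# Added example: classify a gnupg package string against CVE-2014-5270
# using only the versions stated in this bug report.

FIXED_UPSTREAM="1.4.16"     # upstream version the advisory names as fixed
BACKPORT_VERSION="1.4.14"   # Mageia 3 stays on this version ...
BACKPORT_RELEASE="1.4"      # ... and carries the fix from release 1.4.mga3

# ver_ge A B: succeeds when version A >= version B (GNU sort -V ordering).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# gnupg_status NAME-VERSION-RELEASE.ARCH: prints fixed, vulnerable or unknown.
gnupg_status() {
    case "$1" in
        gnupg-[0-9]*-*) ;;                  # gnupg 1.x package string
        *) echo unknown; return 0 ;;        # gnupg2 and anything else: out of scope
    esac
    gs_rest="${1#gnupg-}"
    gs_version="${gs_rest%%-*}"             # e.g. 1.4.14
    gs_release="${gs_rest#*-}"              # e.g. 1.4.mga3.x86_64
    if ver_ge "$gs_version" "$FIXED_UPSTREAM"; then
        echo fixed
        return 0
    fi
    case "$gs_version/$gs_release" in
        "$BACKPORT_VERSION"/*.mga3*)
            # Mageia 3 backport: decide on the release field, not the version.
            if ver_ge "${gs_release%%.mga3*}" "$BACKPORT_RELEASE"; then
                echo fixed
            else
                echo vulnerable
            fi ;;
        *)  # Below 1.4.16 and no backport known from this page.
            echo vulnerable ;;
    esac
}

# The two i586 package strings quoted in the test comments of this bug.
for pkg in gnupg-1.4.14-1.3.mga3.i586 gnupg-1.4.14-1.4.mga3.i586; do
    printf '%s: %s\n' "$pkg" "$(gnupg_status "$pkg")"
done
```
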

Comment 1 William Kenney 2014-09-12 22:46:30 CEST
Gimme a couple days on this. I'm working on a
refinement of Claire's testing at:

https://bugs.mageia.org/show_bug.cgi?id=11306#c3

CC: (none) => wilcal.int

Comment 2 William Kenney 2014-09-13 21:50:19 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
gnupg

default install of gnupg

Just for drill I removed gnupg2

[root@localhost test]# urpmi gnupg
Package gnupg-1.4.14-1.3.mga3.i586 is already installed

Create /home/wilcal/test
As a user in /home/wilcal/test
[wilcal@localhost test]$ gpg --gen-key
Generate key using Real name: wilcal / e-mail: wilcal@test.com
Passphrase: U&4w_\,Ol$#qP3_bKH:Hd~7p9'F(!!1N*cS43z>/SD195`4r8]&VYZ*/x?~7Pjn
Goes through the long process to create a key.
Create a simple text file /home/wilcal/test/test.txt
encrypt test.txt a simple local file using passphrase
gpg --output test.encrypted.gpg --symmetric test.txt
creates: test.encrypted.gpg
decrypt test.encrypted.gpg using passphrase
gpg --output test.decrypted.txt --decrypt test.encrypted.gpg
test.decrypted.txt is the same as test.txt
test.encrypted.gpg & test.decrypted.txt can be erased

install gnupg from updates_testing

[root@localhost wilcal]# urpmi gnupg
Package gnupg-1.4.14-1.4.mga3.i586 is already installed

As a user in /home/wilcal/test
[wilcal@localhost test]$ gpg --gen-key
Generate key using Real name: wilcal / e-mail: wilcal@test.com
Passphrase: aqf4*KuJ5)/7x'UGMkzTeuHLAOc.GBF]kjt\ZjeES-KQlUdwOib$s~FbkX,S^+y
Goes through the long process to create a key.
Create /home/wilcal/test/test.txt
encrypt test.txt a simple local file using passphrase
gpg --output test.encrypted.gpg --symmetric test.txt
creates: test.encrypted.gpg
decrypt test.encrypted.gpg using passphrase
gpg --output test.decrypted.txt --decrypt test.encrypted.gpg
test.decrypted.txt is the same as test.txt
test.encrypted.gpg & test.decrypted.txt can be erased

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: has_procedure => has_procedure MGA3-32-OK

Comment 3 William Kenney 2014-09-13 21:51:06 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
gnupg

default install of gnupg

Just for drill I removed gnupg2

[root@localhost wilcal]# urpmi gnupg
Package gnupg-1.4.14-1.3.mga3.x86_64 is already installed

Create /home/wilcal/test
As a user in /home/wilcal/test
[wilcal@localhost test]$ gpg --gen-key
Generate key using Real name: wilcal / e-mail: wilcal@test.com
Passphrase: U&4w_\,Ol$#qP3_bKH:Hd~7p9'F(!!1N*cS43z>/SD195`4r8]&VYZ*/x?~7Pjn
Goes through the long process to create a key.
Create a simple text file /home/wilcal/test/test.txt
encrypt test.txt a simple local file using passphrase
gpg --output test.encrypted.gpg --symmetric test.txt
creates: test.encrypted.gpg
decrypt test.encrypted.gpg using passphrase
gpg --output test.decrypted.txt --decrypt test.encrypted.gpg
test.decrypted.txt is the same as test.txt
test.encrypted.gpg & test.decrypted.txt can be erased

install gnupg from updates_testing

[root@localhost wilcal]# urpmi gnupg
Package gnupg-1.4.14-1.4.mga3.x86_64 is already installed

As a user in /home/wilcal/test
[wilcal@localhost test]$ gpg --gen-key
Generate key using Real name: wilcal / e-mail: wilcal@test.com
Passphrase: aqf4*KuJ5)/7x'UGMkzTeuHLAOc.GBF]kjt\ZjeES-KQlUdwOib$s~FbkX,S^+y
Goes through the long process to create a key.
Create /home/wilcal/test/test.txt
encrypt test.txt a simple local file using passphrase
gpg --output test.encrypted.gpg --symmetric test.txt
creates: test.encrypted.gpg
decrypt test.encrypted.gpg using passphrase
gpg --output test.decrypted.txt --decrypt test.encrypted.gpg
test.decrypted.txt is the same as test.txt
test.encrypted.gpg & test.decrypted.txt can be erased

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: has_procedure MGA3-32-OK => has_procedure MGA3-32-OK MGA3-64-OK

Comment 4 William Kenney 2014-09-13 21:51:39 CEST
For me this update works fine. We could do lots more
but I'm convinced this update installed correctly.
Testing complete for mga3 32-bit & 64-bit
I will validate this update in 24-hours unless
someone else wants to do more testing.

Comment 5 Samuel Verschelde 2014-09-16 09:05:22 CEST
validating, still needs advisory to be uploaded though

Keywords: (none) => validated_update
CC: (none) => stormi, sysadmin-bugs

Comment 6 claire robinson 2014-09-16 14:30:42 CEST
advisory uploaded.

Whiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure advisory MGA3-32-OK MGA3-64-OK

Comment 7 Mageia Robot 2014-09-22 10:31:53 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0381.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

