Bug 15441 - gnupg, libgcrypt new security issues CVE-2014-3591 and CVE-2015-0837
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/635765/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-06 23:12 CET by David Walser
Modified: 2015-03-10 17:49 CET

See Also:
Source RPM: gnupg, libgcrypt
CVE:
Status comment:


Description David Walser 2015-03-06 23:12:19 CET
Fedora has issued an advisory on March 1:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/150931.html

CVE-2014-3591 is fixed in gnupg 1.4.19 and libgcrypt 1.6.3, as well as in an upstream patch in the libgcrypt 1.5 branch.

CVE-2015-0837 is fixed in gnupg 1.4.19 and libgcrypt 1.6.3, but does not affect libgcrypt 1.5 (which we have).

Updated and patched packages checked into Mageia 4 and Cauldron SVN.

Freeze pushes requested for Cauldron.

See also the gnupg 1.4.19 release announcement:
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html

David Walser 2015-03-06 23:12:33 CET

Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-03-07 17:22:54 CET
Updated packages uploaded for Cauldron.

Patched packages uploaded for Mageia 4.

Advisory:
========================

Updated gnupg and libgcrypt packages fix security vulnerabilities:

GnuPG before 1.4.19 is vulnerable to a side-channel attack which can
potentially lead to an information leak (CVE-2014-3591).

GnuPG before 1.4.19 is vulnerable to a side-channel attack on data-dependent
timing variations in modular exponentiation, which can potentially lead to an
information leak (CVE-2015-0837).

The gnupg package has been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library.  The
issues were fixed in libgcrypt 1.6.3.  The libgcrypt package in Mageia,
at version 1.5.4, was only vulnerable to the CVE-2014-3591 issue.  It has
also been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/150931.html
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.16-1.2.mga4
libgcrypt11-1.5.4-1.1.mga4
libgcrypt-devel-1.5.4-1.1.mga4

from SRPMS:
gnupg-1.4.16-1.2.mga4.src.rpm
libgcrypt-1.5.4-1.1.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 2 David Walser 2015-03-07 20:59:34 CET
Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3
https://bugs.mageia.org/show_bug.cgi?id=10850#c11

Use the "gpg" command to test gnupg.  Replace "gpg" with "gpg2" to test gnupg2.

There's also a PoC for CVE-2014-3591, not that I expect anyone to try it :o)
http://www.cs.tau.ac.il/~tromer/radioexp/

Whiteboard: (none) => has_procedure

Comment 3 David Walser 2015-03-07 21:45:00 CET
Tested both gpg and gpg2 using the first half of Claire's procedure here:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3

I found this neat trick for speeding up the key generation, because it was taking forever and not completing (working over SSH didn't help):
http://it.toolbox.com/blogs/lim/how-to-generate-enough-entropy-for-gpg-key-generation-process-on-fedora-linux-38022

Testing complete Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 4 olivier charles 2015-03-09 22:39:47 CET
Testing on Mageia 4x64 real hardware following Claire's procedure mentioned in Comment 2

From current packages :
---------------------
gnupg-1.4.16-1.1.mga4
lib64gcrypt11-1.5.4-1.mga4

To updated testing packages :
----------------------------
gnupg-1.4.16-1.2.mga4
lib64gcrypt11-1.5.4-1.1.mga4

With gpg and gpg2

All OK

CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 5 Rémi Verschelde 2015-03-10 10:10:38 CET
Advisory uploaded, validating. Please push to 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Mageia Robot 2015-03-10 17:49:08 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0104.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

