Bug 19206 - gnupg, libgcrypt new security issue CVE-2016-6313
Summary: gnupg, libgcrypt new security issue CVE-2016-6313
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/697568/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-08-17 19:56 CEST by David Walser
Modified: 2016-08-31 17:34 CEST (History)
2 users (show)

See Also:
Source RPM: libgcrypt, gnupg
CVE:
Status comment:


Attachments

Description David Walser 2016-08-17 19:56:38 CEST
GnuPG has released new libgcrypt and gnupg versions today (August 17):
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html

The CVE was incorrect in the announcement:
http://openwall.com/lists/oss-security/2016/08/17/8

For Mageia 5, we aren't using libgcrypt 1.7.x and we are still on gnupg 1.4.19, and I'm not sure we want all of the changes in 1.4.20:
https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html

So ideally we'd patch both of those.

Freeze push requested already for Cauldron (should be built soon).
Comment 1 David Walser 2016-08-18 19:00:22 CEST
Debian has issued advisories for this on August 17:
https://www.debian.org/security/2016/dsa-3650
https://www.debian.org/security/2016/dsa-3649

Patched packages uploaded for Mageia 5.

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=15441#c2

Advisory:
========================

Updated gnupg and libgcrypt packages fixes security vulnerability:

Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology
discovered a flaw in the mixing functions of GnuPG's random number generator.
An attacker who obtains 4640 bits from the RNG can trivially predict the next
160 bits of output (CVE-2016-6313).

The gnupg package has been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library.  The
libgcrypt package has also been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
https://www.debian.org/security/2016/dsa-3649
https://www.debian.org/security/2016/dsa-3650
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.19-1.2.mga5
libgcrypt11-1.5.4-5.3.mga5
libgcrypt-devel-1.5.4-5.3.mga5

from SRPMS:
gnupg-1.4.19-1.2.mga5.src.rpm
libgcrypt-1.5.4-5.3.mga5.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/697568/
Assignee: bugsquad => qa-bugs
Summary: libgcrypt, gnupg new security issue CVE-2016-6313 => gnupg, libgcrypt new security issue CVE-2016-6313

David Walser 2016-08-18 19:00:33 CEST

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-08-20 20:01:54 CEST
Tested both gpg and gpg2 using the first half of Claire's procedure here:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3

Testing complete Mageia 5 i586 and x86_64.

Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-08-26 00:58:39 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2016-08-31 17:34:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0292.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.