19206 – gnupg, libgcrypt new security issue CVE-2016-6313

Bug 19206 - gnupg, libgcrypt new security issue CVE-2016-6313

Summary: gnupg, libgcrypt new security issue CVE-2016-6313

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/697568/
Whiteboard:	has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2016-08-17 19:56 CEST by David Walser
Modified:	2016-08-31 17:34 CEST (History)
CC List:	2 users (show)

See Also:
Source RPM:	libgcrypt, gnupg
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-08-17 19:56:38 CEST

GnuPG has released new libgcrypt and gnupg versions today (August 17):
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html

The CVE was incorrect in the announcement:
http://openwall.com/lists/oss-security/2016/08/17/8

For Mageia 5, we aren't using libgcrypt 1.7.x and we are still on gnupg 1.4.19, and I'm not sure we want all of the changes in 1.4.20:
https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html

So ideally we'd patch both of those.

Freeze push requested already for Cauldron (should be built soon).

Comment 1 David Walser 2016-08-18 19:00:22 CEST

Debian has issued advisories for this on August 17:
https://www.debian.org/security/2016/dsa-3650
https://www.debian.org/security/2016/dsa-3649

Patched packages uploaded for Mageia 5.

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=15441#c2

Advisory:
========================

Updated gnupg and libgcrypt packages fixes security vulnerability:

Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology
discovered a flaw in the mixing functions of GnuPG's random number generator.
An attacker who obtains 4640 bits from the RNG can trivially predict the next
160 bits of output (CVE-2016-6313).

The gnupg package has been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library.  The
libgcrypt package has also been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
https://www.debian.org/security/2016/dsa-3649
https://www.debian.org/security/2016/dsa-3650
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.19-1.2.mga5
libgcrypt11-1.5.4-5.3.mga5
libgcrypt-devel-1.5.4-5.3.mga5

from SRPMS:
gnupg-1.4.19-1.2.mga5.src.rpm
libgcrypt-1.5.4-5.3.mga5.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/697568/
Assignee: bugsquad => qa-bugs
Summary: libgcrypt, gnupg new security issue CVE-2016-6313 => gnupg, libgcrypt new security issue CVE-2016-6313

David Walser 2016-08-18 19:00:33 CEST

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-08-20 20:01:54 CEST

Tested both gpg and gpg2 using the first half of Claire's procedure here:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3

Testing complete Mageia 5 i586 and x86_64.

Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-08-26 00:58:39 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2016-08-31 17:34:01 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0292.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.