Bug 21178 - libgcrypt new security issue CVE-2017-7526
Summary: libgcrypt new security issue CVE-2017-7526
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Reported: 2017-07-03 12:06 CEST by David Walser
Modified: 2017-07-22 11:45 CEST
Source RPM: libgcrypt-1.7.7-1.mga6.src.rpm


Description David Walser 2017-07-03 12:06:18 CEST
Debian has issued an advisory on July 2:

The issue is fixed upstream in 1.7.8:
Comment 1 David Walser 2017-07-03 21:44:06 CEST
Fixed in libgcrypt-1.7.8-1.mga6.
Comment 2 David Walser 2017-07-06 16:31:03 CEST
gnupg may be vulnerable to this (there's a proposed fix) and libgcrypt in Mageia 5 may be affected (we'll have to see if the commit to fix it can be applied):
Comment 3 David Walser 2017-07-07 04:21:30 CEST
Debian's patches for jessie apply to our Mageia 5 package.  One of their two patches for CVE-2017-9526 (Bug 21092) does as well (and the other may if the correct source file to apply it to is found), so this needs to be re-opened.
Comment 4 David Walser 2017-07-07 04:30:48 CEST
Indeed, Ubuntu has issued an advisory for both CVEs on July 3:

They have patches for 1.5.3 for Ubuntu 14.04.
Comment 5 Marja van Waes 2017-07-07 13:45:14 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Comment 6 David Walser 2017-07-08 20:17:24 CEST
Patched package uploaded for Mageia 5.


Updated libgcrypt packages fix security vulnerability:

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and
Yuval Yarom discovered that Libgcrypt was susceptible to an attack via
side channels. A local attacker could use this attack to recover RSA
private keys (CVE-2017-7526).


Updated packages in core/updates_testing:

from libgcrypt-1.5.4-5.4.mga5.src.rpm
Comment 7 Herman Viaene 2017-07-17 16:45:34 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Found fsarchiver to be dependent on it.
Used fsarchiver to backup a partition with encryption and checked with strace: libgcrypt called a lot.
Comment 8 Lewis Smith 2017-07-22 10:51:30 CEST
Testing M5 x64 real hardware
After update to: lib64gcrypt11-1.5.4-5.4.mga5

The library is used by a lot of applications, shown by:
 $ urpmq --whatrequires lib64gcrypt11 | sort | uniq | grep -v lib
I chose gnupg2 and used (thanks yet again Claire) the 1st part of the procedure given in:
which I repeat below using gpg2 (pkg gnupg2), and with some extra comments.
(Confusion: I accidentally had 2 keys with essentially identical parameters, the first done with gpg; hence >1 date. I restricted the --list-keys output shown to just 1 key)
Every command via 'strace' showed that the library was opened:
 open("/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 3

 $ gpg2 --gen-key
takes a *long time* and asks a lot of questions.
You selected this USER-ID:
    "lewis (<comment>) <e-mail>"
Ambiguity over userID: required in later commands, just the 'real name' seems to suffice. (I used lewis).
[I got, with the pop-up box to input a passphrase:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!]
NOTE the USER-ID and PASSPHRASE for later use!

 $ gpg2 --list-keys
pub   1024R/34BBE7CB 2017-07-22
uid       [ultimate] lewis (<comment>) <e-mail>
sub   1024R/1FB24A0E 2017-07-22

 $ echo "test test test" > test.txt
 $ cat test.txt 
test test test

 $ gpg2 -e -r lewis test.txt                   [encrypt the file]
-e = encrypt; -r = user name.

 $ ls
test.txt test.txt.gpg
 $ rm test.txt                                [so no ambiguity later]

 $ gpg2 test.txt.gpg                            [decrypt the file]
You need a passphrase to unlock the secret key for
user: "lewis (<comment>) <e-mail>"
1024-bit RSA key, ID 180D7E31, created 2017-07-21 (main key ID D2D8E0DD)
[I again got:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!]
gpg: encrypted with 1024-bit RSA key, ID 180D7E31, created 2017-07-21
      "lewis (<comment>) <e-mail>"

 $ ls
test.txt test.txt.gpg
 $ cat test.txt
test test test
 $ rm test*                          [tidy up]

 $ gpg2 --delete-secret-keys lewis
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

 $ gpg2 --delete-key lewis
Delete this key from the keyring? (y/N) y

 $ gpg2 --list-keys | grep lewis          [check it has gone]

All this works as described, so OKing the update. Also validating it.
Comment 9 Mageia Robot 2017-07-22 11:45:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.
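
An added example, not part of the bug report or of Mageia's own tooling: a POSIX shell check that classifies an installed libgcrypt package string against the fixed builds named in this thread (1.7.8-1 for mga6, 1.5.4-5.4 for mga5). The function names are hypothetical, the sample package strings are constructed, and the comparison assumes purely numeric version fields rather than RPM's full algorithm.

```shell
#!/bin/sh
# Fixed libgcrypt builds named in this report, keyed by Mageia release tag.
fixed_build() {
    case "$1" in
        mga5) echo "1.5.4-5.4" ;;   # Comment 6
        mga6) echo "1.7.8-1" ;;     # Comment 1
        *)    return 1 ;;
    esac
}

# ver_ge A B: succeed when version-release A is at or above B.
# Assumption: every field is numeric and separated by "." or "-", which
# holds for the builds above; this is not RPM's full comparison algorithm.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) exit ((xi > yi) ? 0 : 1)
        }
        exit 0
    }'
}

# check_pkg NAME-VERSION-RELEASE.mgaN[.arch]
# Prints fixed / needs-update / unknown (exit status 0 / 1 / 2).
check_pkg() {
    tag=$(printf '%s\n' "$1" | sed -n 's/.*\.\(mga[0-9][0-9]*\).*/\1/p')
    build=$(printf '%s\n' "$1" |
        sed -n 's/^.*-\([0-9][^-]*-[0-9][^-]*\)\.mga[0-9].*$/\1/p')
    want=$(fixed_build "$tag") || { echo unknown; return 2; }
    [ -n "$build" ] || { echo unknown; return 2; }
    if ver_ge "$build" "$want"; then echo fixed; else echo needs-update; return 1; fi
}

# Constructed sample input; on a real host pass "$(rpm -q lib64gcrypt11)".
for pkg in libgcrypt-1.7.7-1.mga6 libgcrypt-1.7.8-1.mga6 \
           lib64gcrypt11-1.5.4-5.3.mga5 lib64gcrypt11-1.5.4-5.4.mga5; do
    printf '%-32s %s\n' "$pkg" "$(check_pkg "$pkg")"
done
```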