Debian has issued an advisory on July 2:
https://www.debian.org/security/2017/dsa-3901

The issue is fixed upstream in 1.7.8:
https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
Fixed in libgcrypt-1.7.8-1.mga6.
Resolution: (none) => FIXED
Status: NEW => RESOLVED
gnupg may be vulnerable to this (there's a proposed fix) and libgcrypt in Mageia 5 may be affected (we'll have to see if the commit to fix it can be applied):
http://openwall.com/lists/oss-security/2017/07/06/8
Debian's jessie patches apply to our Mageia 5 package. One of their two patches for CVE-2017-9526 (Bug 21092) does as well (and the other may if the correct source file to apply it to is found), so this needs to be re-opened.
Blocks: (none) => 21092
Indeed, Ubuntu has issued an advisory for both CVEs on July 3:
https://www.ubuntu.com/usn/usn-3347-1/

They have patches for 1.5.3 for Ubuntu 14.04.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
Version: Cauldron => 5
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Blocks: 21092 => (none)
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover RSA private keys (CVE-2017-7526).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
https://www.ubuntu.com/usn/usn-3347-1/
========================

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-5.4.mga5
libgcrypt-devel-1.5.4-5.4.mga5

from libgcrypt-1.5.4-5.4.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
MGA5-32 on Asus A6000VM Xfce

No installation issues.
Found fsarchiver to be dependent on it. Used fsarchiver to backup a partition with encryption and checked with strace: libgcrypt called a lot.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
Testing M5 x64 real hardware

After update to: lib64gcrypt11-1.5.4-5.4.mga5

The library is used by a lot of applications, shown by:
$ urpmq --whatrequires lib64gcrypt11 | sort | uniq | grep -v lib

I chose gnupg2 and used (thanks yet again Claire) the 1st part of the procedure given in:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3
which I repeat below using gpg2 (pkg gnupg2), and with some extra comments.
(Confusion: I accidentally had 2 keys with essentially identical parameters, the first done with gpg; hence >1 date. I restricted the --list-keys output shown to just 1 key)

Every command via 'strace' showed that the library was opened:
open("/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 3

$ gpg2 --gen-key
takes a *long time* and asks a lot of questions.
...
You selected this USER-ID:
    "lewis (<comment>) <e-mail>"
Ambiguity over userID: required in later commands, just the 'real name' seems to suffice. (I used lewis).
[I got, with the pop-up box to input a passphrase:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!]
NOTE the USER-ID and PASSPHRASE for later use!

$ gpg2 --list-keys
/home/lewis/.gnupg/pubring.gpg
------------------------------
pub   1024R/34BBE7CB 2017-07-22
uid       [ultimate] lewis (<comment>) <e-mail>
sub   1024R/1FB24A0E 2017-07-22

$ echo "test test test" > test.txt
$ cat test.txt
test test test
$ gpg2 -e -r lewis test.txt        [encrypt the file]
-e = encrypt; -r = user name.
$ ls
test.txt  test.txt.gpg
$ rm test.txt                      [so no ambiguity later]
$ gpg2 test.txt.gpg                [decrypt the file]
You need a passphrase to unlock the secret key for
user: "lewis (<comment>) <e-mail>"
1024-bit RSA key, ID 180D7E31, created 2017-07-21 (main key ID D2D8E0DD)
[I again got:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!]

gpg: encrypted with 1024-bit RSA key, ID 180D7E31, created 2017-07-21
      "lewis (<comment>) <e-mail>"
$ ls
test.txt  test.txt.gpg
$ cat test.txt
test test test
$ rm test*                         [tidy up]
$ gpg2 --delete-secret-keys lewis
...
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
$ gpg2 --delete-key lewis
...
Delete this key from the keyring? (y/N) y
$ gpg2 --list-keys | grep lewis    [check it has gone]
$

All this works as described, so OKing the update. Also validating it.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
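The testing comments above both rely on the same check: run the application under strace and confirm that it really opened the libgcrypt shared object shipped by the updated package. As an added example (not code from this bug report, from Mageia QA or from the libgcrypt project), the POSIX shell helper below automates that check: it extracts the libgcrypt objects a trace shows as successfully opened, ignoring failed lookups, and `trace_and_check` then asks rpm which package owns each of them. The strace excerpt embedded in the script is constructed for the offline self-check, and the wrapper assumes strace and rpm are on the path.

```shell
#!/bin/sh
# Added example: automate the "was libgcrypt really opened?" check from the
# test procedure above. Not code from the bug report or from Mageia.

# Print the path of every libgcrypt shared object that a strace log shows as
# successfully opened (open()/openat() returning a file descriptor >= 0).
# Failed lookups (= -1 ENOENT) and unrelated libraries are ignored.
# Reads the strace output on stdin.
libgcrypt_opens() {
    grep -E '^(\[pid +[0-9]+\] )?open(at)?\(.*libgcrypt\.so.*\) = [0-9]+' \
    | grep -oE '"[^"]*libgcrypt\.so[^"]*"' \
    | tr -d '"'
}

# Distinct libgcrypt paths from a trace held in a string; returns 1 if the
# traced program never opened libgcrypt at all (i.e. the test proved nothing).
libgcrypt_paths_in() {
    paths=$(printf '%s\n' "$1" | libgcrypt_opens | sort -u)
    [ -n "$paths" ] || return 1
    printf '%s\n' "$paths"
}

# Run a command under strace (following forked children such as gpg-agent)
# and report which package owns each libgcrypt object it opened. Assumes
# strace and rpm are installed; on a patched Mageia 5 x86_64 box the owner
# printed should be lib64gcrypt11-1.5.4-5.4.mga5.
trace_and_check() {
    log=$(mktemp) || return 1
    strace -f -e trace=open,openat -o "$log" "$@" >/dev/null 2>&1
    paths=$(libgcrypt_paths_in "$(cat "$log")") || {
        echo "no libgcrypt opened by: $*" >&2
        rm -f "$log"
        return 1
    }
    for p in $paths; do
        owner=$(rpm -qf "$p" 2>/dev/null || echo 'not owned by any package')
        printf '%s -> %s\n' "$p" "$owner"
    done
    rm -f "$log"
}

# Constructed strace excerpt (not a real capture) in the format quoted in the
# test above: one failed lookup and two successful opens of the same object,
# one of them from a forked child.
SAMPLE_TRACE='execve("/usr/bin/gpg2", ["gpg2", "--version"], [/* 40 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgcrypt.so.20", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgpg-error.so.0", O_RDONLY|O_CLOEXEC) = 3
[pid  1234] openat(AT_FDCWD, "/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 4'

# Offline self-check on the constructed sample: prints /lib64/libgcrypt.so.11
# exactly once, because the failed lookup of libgcrypt.so.20 is ignored.
libgcrypt_paths_in "$SAMPLE_TRACE"

# Real use on a patched box (needs strace and rpm):
#   trace_and_check gpg2 --version
```

The distinction between a failed lookup and a successful open matters: the dynamic loader probes several directories, and a line ending in `= -1 ENOENT` only shows where it looked, not what it loaded, so counting every line that mentions libgcrypt would over-report.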
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0213.html
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED