Bug 21178 - libgcrypt new security issue CVE-2017-7526
Summary: libgcrypt new security issue CVE-2017-7526
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-03 12:06 CEST by David Walser
Modified: 2017-07-22 11:45 CEST (History)
4 users (show)

See Also:
Source RPM: libgcrypt-1.7.7-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-07-03 12:06:18 CEST
Debian has issued an advisory on July 2:
https://www.debian.org/security/2017/dsa-3901

The issue is fixed upstream in 1.7.8:
https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
Comment 1 David Walser 2017-07-03 21:44:06 CEST
Fixed in libgcrypt-1.7.8-1.mga6.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 2 David Walser 2017-07-06 16:31:03 CEST
gnupg may be vulnerable to this (there's a proposed fix) and libgcrypt in Mageia 5 may be affected (we'll have to see if the commit to fix it can be applied):
http://openwall.com/lists/oss-security/2017/07/06/8
Comment 3 David Walser 2017-07-07 04:21:30 CEST
Debian's patches jessie apply to our Mageia 5 package.  One of their two patches for CVE-2017-9526 (Bug 21092) does as well (and the other may if the correct source file to apply it to is found), so this needs to be re-opened.

Blocks: (none) => 21092

Comment 4 David Walser 2017-07-07 04:30:48 CEST
Indeed, Ubuntu has issued an advisory for both CVEs on July 3:
https://www.ubuntu.com/usn/usn-3347-1/

They have patches for 1.5.3 for Ubuntu 14.04.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

David Walser 2017-07-07 12:04:42 CEST

Version: Cauldron => 5

Comment 5 Marja van Waes 2017-07-07 13:45:14 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2017-07-08 20:09:28 CEST

Blocks: 21092 => (none)

Comment 6 David Walser 2017-07-08 20:17:24 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and
Yuval Yarom discovered that Libgcrypt was susceptible to an attack via
side channels. A local attacker could use this attack to recover RSA
private keys (CVE-2017-7526).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526
https://www.ubuntu.com/usn/usn-3347-1/
========================

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-5.4.mga5
libgcrypt-devel-1.5.4-5.4.mga5

from libgcrypt-1.5.4-5.4.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 7 Herman Viaene 2017-07-17 16:45:34 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Found fsarchiver to be dependent on it.
Used fsarchiver to backup a partition with encryption and checked with strace: libgcrypt called a lot.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-07-21 12:48:43 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 8 Lewis Smith 2017-07-22 10:51:30 CEST
Testing M5 x64 real hardware
After update to: lib64gcrypt11-1.5.4-5.4.mga5

The library is used by a lot of applications, shown by:
 $ urpmq --whatrequires lib64gcrypt11 | sort | uniq | grep -v lib
I chose gnupg2 and used (thanks yet again Claire) the 1st part of the procedure given in:
 https://bugs.mageia.org/show_bug.cgi?id=11306#c3
which I repeat below using gpg2 (pkg gnupg2), and with some extra comments.
(Confusion: I accidentally had 2 keys with essentially identical paramaters, the first done with gpg; hence >1 date. I restricted the -list-keys output shown to just 1 key)
Every command via 'strace' showed that the library was opened:
 open("/lib64/libgcrypt.so.11", O_RDONLY|O_CLOEXEC) = 3

 $ gpg2 --gen-key
takes a *long time* and asks a lot of questions.
...
You selected this USER-ID:
    "lewis (<comment>) <e-mail>"
Ambiguity over userID: required in later commands, just the 'real name' seems to suffice. (I used lewis).
[I got, with the pop-up box to input a passphrase:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!]
NOTE the USER-ID and PASSPHRASE for later use!

 $ gpg2 --list-keys
/home/lewis/.gnupg/pubring.gpg
------------------------------
pub   1024R/34BBE7CB 2017-07-22
uid       [ultimate] lewis (<comment>) <e-mail>
sub   1024R/1FB24A0E 2017-07-22

 $ echo "test test test" > test.txt
 $ cat test.txt 
test test test

 $ gpg2 -e -r lewis test.txt                   [encrypt the file]
-e = encrypt; -r = user name.

 $ ls
test.txt test.txt.gpg
 $ rm test.txt                                [so no ambiguity later]

 $ gpg2 test.txt.gpg                            [decrypt the file]
You need a passphrase to unlock the secret key for
user: "lewis (<comment>) <e-mail>"
1024-bit RSA key, ID 180D7E31, created 2017-07-21 (main key ID D2D8E0DD)
[I again got:
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!]
gpg: encrypted with 1024-bit RSA key, ID 180D7E31, created 2017-07-21
      "lewis (<comment>) <e-mail>"

 $ ls
test.txt test.txt.gpg
 $ cat test.txt
test test test
 $ rm test*                          [tidy up]

 $ gpg2 --delete-secret-keys lewis
...
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

 $ gpg2 --delete-key lewis
...
Delete this key from the keyring? (y/N) y

 $ gpg2 --list-keys | grep lewis          [check it has gone]
 $

All this works as described, so OKing the update. Also validating it.

Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2017-07-22 11:45:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0213.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.