GnuPG has announced a new security issue in libgcrypt on June 13: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html It is fixed upstream in 1.7.10 and 1.8.3. Jani already updated Cauldron to 1.8.3. I'm not sure if Mageia 5 is also affected (1.5.4).
CC: (none) => jani.valimaa
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing Mike
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo
Download links for 1.7.10 in upstream's announce aren't working. :\ Seems that the tarballs aren't available in mirrors at all. Fetched the tarball from an unofficial GitHub mirror and pushed 1.7.10 to core/updates_testing for mga6. I also had to add some extra BRs, as the sources from GitHub don't include the configure script and generated docs.
Assignee: pkg-bugs => qa-bugs
Thanks Jani!

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

When libgcrypt uses the private key to create a signature, such as for a TLS or SSH connection, it inadvertently leaks information through memory caches. An unprivileged attacker running on the same machine can collect the information from a few thousand signatures and recover the value of the private ECDSA or DSA key (CVE-2018-0495).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
========================

Updated packages in core/updates_testing:
========================

libgcrypt20-1.7.10-1.mga6
libgcrypt-devel-1.7.10-1.mga6

from libgcrypt-1.7.10-1.mga6.src.rpm
Blocks: (none) => 23210
Installed fine in mga6-64. I cannot ID any apps that actually dynamically use this library. What's the command?
CC: (none) => brtians1
Use any or several of these, Brian. You can use strace to verify the lib is loaded without error, e.g.

$ strace -o strace.txt abiword

Then inspect strace.txt when abiword closes. I think David might be able to add some trace options to make that part easier.

$ urpmq --whatrequires lib64gcrypt20 | uniq
abiword amarok bitlbee chntpw clamz crda cryptmount firefox-garminplugin frogr fsarchiver gnome-keyring gnupg2 gq gvfs irssi-otr keepassx2 kwallet-pam lib64aacs0 lib64afpclient0 lib64ccrtp3 lib64cryptsetup4 lib64dar5000 lib64freeipmi16 lib64freetds0 lib64freetds0-unixodbc lib64gcr-base3_1 lib64gcr-ui3_1 lib64gcrypt-devel lib64gcrypt20 lib64gnome-keyring0 lib64gvnc1.0_0 lib64gwenhywfar60 lib64isds5 lib64kf5torrent6 lib64kf5walletbackend55 lib64ktorrent6 lib64kwalletbackend4 lib64microhttpd12 lib64mtp9 lib64opencdk10 lib64openvas8 lib64otr5 lib64prelude23 lib64quvi0.9_0.9.4 lib64rasqal3 lib64secret1_0 lib64ssh4 lib64systemd0 lib64totem-plparser18 lib64vncserver1 lib64webkit2gtk4.0_37 lib64wireshark8 lib64wiretap6 lib64wscodecs1 lib64wsutil7 lib64xmlsec1-gcrypt1 lib64xmlsec1-gnutls1 lib64xplayer-plparser18 lib64xslt1 libgda5.0 libiscsi libotr-utils lightdm netatalk ntfs-3g openscap openvas-libraries openvas-scanner pam-pgsql pidgin-otr pokerth pokerth-server prelude-lml prelude-manager prelude-tools purple-telegram qca-qt5 qca2-plugin-gcrypt qt5-fsarchiver remmina rsyslog-crypto systemd systemd-units telepathy-kde-common-internals-core vino vlc-plugin-common vpnc webkit2 weechat wireshark-tools xfce4-mailwatch-plugin
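An added check that is not part of this bug report: urpmq shows which packages depend on the library, but long-running processes from that list (systemd, rsyslog, lightdm, ...) keep the pre-update libgcrypt mapped until they are restarted, and the kernel marks such replaced files "(deleted)" in /proc/PID/maps. The helpers below parse that; the maps content in sample_maps and the library file name in it are constructed for the demo, and scan_processes assumes a Linux /proc layout.

```shell
#!/bin/sh
# Added example, not from this bug report. After replacing libgcrypt on
# disk, processes that were already running keep the old copy mapped until
# they are restarted; the kernel marks such mappings "(deleted)" in
# /proc/PID/maps. These helpers find them so the restart list is explicit.

# Print distinct libgcrypt mappings from one maps file as "<path> <state>",
# where state is "stale" if the on-disk file was replaced, else "ok".
gcrypt_mappings() {
    grep 'libgcrypt' "$1" | awk '
        { path = $6; state = ($NF == "(deleted)") ? "stale" : "ok"
          key = path " " state
          if (!(key in seen)) { seen[key] = 1; print key } }'
}

# Walk every process (assumes a Linux /proc layout; run as root to read
# other users' maps) and print "PID COMM PATH STATE" for each libgcrypt user.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        gcrypt_mappings "$maps" | while read -r path state; do
            printf '%s %s %s %s\n' "$pid" "$comm" "$path" "$state"
        done
    done
}

# Constructed sample maps content (not captured from a real system) showing a
# process still holding a replaced libgcrypt plus an unaffected libgpg-error.
sample_maps() {
    cat <<'EOF'
7f0a3c000000-7f0a3c0f2000 r-xp 00000000 08:01 1234 /usr/lib64/libgcrypt.so.20.2.3 (deleted)
7f0a3c0f2000-7f0a3c2f1000 ---p 000f2000 08:01 1234 /usr/lib64/libgcrypt.so.20.2.3 (deleted)
7f0a3c400000-7f0a3c41a000 r-xp 00000000 08:01 5678 /usr/lib64/libgpg-error.so.0.22.0
EOF
}

# Demo on the constructed sample; on a live system call scan_processes instead.
demo() {
    tmp=$(mktemp)
    sample_maps > "$tmp"
    gcrypt_mappings "$tmp"
    rm -f "$tmp"
}
```

Any line reported as "stale" names a process that must be restarted (or the machine rebooted) before the updated library is actually in use.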
$ uname -a
Linux localhost 4.14.50-desktop-2.mga6 #1 SMP Mon Jun 18 13:19:12 UTC 2018 i686 i686 i686 GNU/Linux

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 4 packages are going to be installed:
- libgcrypt-devel-1.7.10-1.mga6.i586
- libgcrypt20-1.7.10-1.mga6.i586
- libgpg-error-devel-1.24-1.mga6.i586
- perl-URPM-5.12.2-1.mga6.i586

402KB of additional disk space will be used.
685KB of packages will be retrieved.
Is it ok to continue?

---

I ran two functions in gpg2:

$ gpg2 --quick-generate-key <username>

It generated the key.

$ gpg2 -s (which means sign a message)

I ran through that, it asked for the passphrase to my new key and it signed the message. Seems to be working as designed.
Whiteboard: (none) => MGA6-32-OK
# uname -a
Linux localhost 4.14.50-desktop-2.mga6 #1 SMP Mon Jun 18 11:23:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I installed the crypt libraries for 64bit, both dev and crypt20.
Installed fsarchiver - uses the library.
I then did some heavy lifting by archiving a /dev/sda1 file system in a VBOX machine using encryption.

# fsarchiver savefs -A -c brianmageia6 mga64arch.fsa /dev/sda1

This chugged for a long time and finally completed, generating a hefty file. Reported back successful. This side (heavy encryption work) completed successfully.

-rwxrwx--- 1 root vboxsf 2648840710 Jun 28 13:03 mga64arch.fsa
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0301.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED