Bug 23210 - libgcrypt new security issue CVE-2018-0495
Summary: libgcrypt new security issue CVE-2018-0495
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All / OS: Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK
Keywords: advisory, has_procedure, validated_update
Depends on: 23185
Blocks:
 
Reported: 2018-06-20 23:40 CEST by David Walser
Modified: 2018-07-02 00:18 CEST
CC: 5 users

See Also:
Source RPM: libgcrypt-1.5.4-5.4.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2018-06-20 23:40:51 CEST
+++ This bug was initially created as a clone of Bug #23185 +++

GnuPG has announced a new security issue in libgcrypt on June 13:
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html

It is fixed upstream in 1.7.10 and 1.8.3.

Jani already updated Cauldron to 1.8.3.

Ubuntu has issued an advisory for this on June 19:
https://usn.ubuntu.com/3689-1/

They have a fix for the 1.5.x branch in Ubuntu 14.04.
Comment 1 Marja Van Waes 2018-06-21 07:55:43 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-06-21 13:42:09 CEST
Thanks Jani!

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

When libgcrypt uses the private key to create a signature, such as for a TLS or
SSH connection, it inadvertently leaks information through memory caches. An
unprivileged attacker running on the same machine can collect the information
from a few thousand signatures and recover the value of the private ECDSA or
DSA key (CVE-2018-0495).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
========================

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-5.5.mga5
libgcrypt-devel-1.5.4-5.5.mga5

from libgcrypt-1.5.4-5.5.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs
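The advisory above describes a side channel rather than a logic bug: the exponentiation (for DSA) or scalar multiplication (for ECDSA) loop in an affected libgcrypt runs once per bit of the nonce, starting at its highest set bit, so a nonce with leading zero bits produces a measurably shorter run through the cache, and the signatures identified that way form a hidden-number-problem instance from which a lattice step recovers the private key. The example below is added for this page and is not libgcrypt's code: it models the leak with a toy DSA over a constructed 32-bit q, uses the loop iteration count of a traced square-and-multiply as the stand-in for the cache observable, and shows the standard countermeasure of padding the nonce with the group order so that every scalar has the same bit length. It does not reproduce the cache measurement or the lattice recovery. All parameters, keys and messages are constructed for the example.

```python
import hashlib
import random

# Added example (not libgcrypt code): toy DSA with a traced square-and-multiply loop,
# showing why a nonce with leading zero bits is observable and how fixed-length
# nonce padding removes that signal. Parameters are small (32-bit q) and seeded.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, ample for this toy."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits, rng):
    """Toy DSA domain parameters (p, q, g): q prime with its top two bits set (so a good
    share of random nonces have full length), p = m*q + 1 prime, g of order q mod p."""
    while True:
        q = rng.getrandbits(qbits) | (3 << (qbits - 2)) | 1
        if is_probable_prime(q):
            break
    m = 2
    while not is_probable_prime(m * q + 1):
        m += 2
    p = m * q + 1
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
        h += 1


def hash_to_int(msg, q):
    """Toy digest reduced mod q (real DSA truncates the hash to the bit length of q)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def modexp_traced(base, exp, mod):
    """Left-to-right square-and-multiply returning (result, loop iterations). The loop
    starts at the highest set bit, so the count equals exp.bit_length(): this is the
    nonce-length signal a cache-timing observer extracts from a real implementation."""
    result, iterations = 1, 0
    for i in range(exp.bit_length() - 1, -1, -1):
        result = result * result % mod
        if (exp >> i) & 1:
            result = result * base % mod
        iterations += 1
    return result, iterations


def pad_nonce(k, q):
    """Return k + q or k + 2q, whichever has bit length exactly len(q) + 1. Because g has
    order q, g^(k+q) == g^k, so r is unchanged, but every scalar now drives the same
    number of loop iterations. Production code must make this choice in constant time."""
    kp = k + q
    if kp.bit_length() == q.bit_length():
        kp = k + 2 * q
    return kp


def sign(params, x, msg, rng, padded):
    """Toy DSA signature; returns ((r, s), iterations of the g^k exponentiation loop)."""
    p, q, g = params
    while True:
        k = rng.randrange(1, q)
        scalar = pad_nonce(k, q) if padded else k
        gk, iterations = modexp_traced(g, scalar, p)
        r = gk % q
        if r == 0:
            continue
        s = pow(k, q - 2, q) * (hash_to_int(msg, q) + x * r) % q
        if s == 0:
            continue
        return (r, s), iterations


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, q - 2, q)
    u1 = hash_to_int(msg, q) * w % q
    u2 = r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r


def experiment(n_sigs=200, qbits=32, seed=2018):
    """Sign constructed messages both ways and record the observable loop lengths."""
    rng = random.Random(seed)
    params = gen_params(qbits, rng)
    p, q, g = params
    x = rng.randrange(1, q)   # private key
    y = pow(g, x, p)          # public key
    leaky, padded, all_ok = set(), set(), True
    for i in range(n_sigs):
        msg = b"constructed message %d" % i
        for use_padding, seen in ((False, leaky), (True, padded)):
            sig, iterations = sign(params, x, msg, rng, use_padding)
            seen.add(iterations)
            all_ok = all_ok and verify(params, y, msg, sig)
    return {
        "qbits": q.bit_length(),
        "leaky_lengths": sorted(leaky),    # several values: short nonces stand out
        "padded_lengths": sorted(padded),  # one value: qbits + 1 for every signature
        "all_verified": all_ok,
    }


if __name__ == "__main__":
    print(experiment())
```

With the seeded parameters the unpadded loop shows several distinct iteration counts across the 200 signatures (the attacker keeps the short ones as lattice inputs), while the padded loop always runs qbits + 1 times; every signature still verifies because the padding only adds multiples of the group order. The branch in pad_nonce is itself a data-dependent choice and is written that way only for readability; a real implementation selects between k + q and k + 2q with a constant-time conditional.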

Comment 3 Herman Viaene 2018-06-22 15:47:57 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Followed testing as bug 17742 Comment 4
$ gpg2 --list-keys
nothing found
$ gpg --gen-key 
Real name hviaene, etc.
$ gpg2 --list-keys ( works )
$ gpg2 -e -r hviaene foo.diff
generates file foo.diff.gpg
rename foo.diff to foo.diff.orig
$ gpg2 foo.diff.gpg
generates file foo.diff, contents OK
$ gpg2 --delete-secret-keys hviaene
answering y on questions works OK
$ gpg2 --delete-key hviaene
idem
$ gpg2 --list-keys
nothing found
Seems good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
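The procedure in Comment 3 encrypts and decrypts with a freshly generated key, which loads the updated libgcrypt but never calls the (EC)DSA signing code that this update changes, and it runs against the tester's live keyring. The script below is an added example, not part of the update or of the QA procedure as recorded: it runs the same steps in a throwaway GNUPGHOME, adds a detached signature and verification with a DSA primary key, and deletes the key pair by fingerprint as batch mode requires. It assumes a GnuPG 2.1 or later gpg2 or gpg binary in PATH (for the %no-protection control statement and for fingerprint-based deletion); the user ID, key sizes and sample file contents are constructed for the example.

```python
import filecmp
import os
import shutil
import subprocess
import tempfile

# Added example, not the Mageia update's code or the recorded QA procedure: the Comment 3
# steps in a throwaway GNUPGHOME with batch key generation, plus a detached DSA signature
# (the signing path changed for CVE-2018-0495). Assumes GnuPG 2.1+ in PATH.

BATCH_PARAMS = """\
%no-protection
Key-Type: DSA
Key-Length: 2048
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Real: QA Tester
Name-Email: qa@example.invalid
Expire-Date: 0
%commit
"""
USER_ID = "qa@example.invalid"   # constructed user ID for the throwaway key


def gpg(binary, home, *args):
    """Run one gpg command non-interactively against the throwaway keyring."""
    env = dict(os.environ, GNUPGHOME=home)
    return subprocess.run([binary, "--batch", "--yes", *args], env=env,
                          check=True, capture_output=True, text=True)


def primary_fingerprint(binary, home):
    """Fingerprint of the generated primary key from --with-colons output
    (field 10 of the 'fpr' record, index 9 after splitting on ':')."""
    out = gpg(binary, home, "--with-colons", "--list-secret-keys", USER_ID).stdout
    for line in out.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return fields[9]
    raise RuntimeError("no fpr record for " + USER_ID)


def gpg_dsa_roundtrip():
    """Returns 'ok' on success or 'skipped' when no gpg is installed; any gpg failure
    raises subprocess.CalledProcessError (or RuntimeError for a content mismatch)."""
    binary = shutil.which("gpg2") or shutil.which("gpg")
    if binary is None:
        return "skipped"
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)
    try:
        params = os.path.join(home, "params")
        with open(params, "w") as f:
            f.write(BATCH_PARAMS)
        gpg(binary, home, "--gen-key", params)
        gpg(binary, home, "--list-keys", USER_ID)

        plain = os.path.join(home, "foo.diff")
        with open(plain, "wb") as f:
            f.write(b"constructed sample file\n")
        # Encrypt to ourselves and decrypt back, as in the manual procedure.
        gpg(binary, home, "--trust-model", "always", "-e", "-r", USER_ID, plain)
        gpg(binary, home, "--output", plain + ".dec", "--decrypt", plain + ".gpg")
        if not filecmp.cmp(plain, plain + ".dec", shallow=False):
            raise RuntimeError("decrypted file differs from original")
        # Detached signature with the DSA primary key, then verification.
        gpg(binary, home, "--detach-sign", plain)
        gpg(binary, home, "--verify", plain + ".sig", plain)
        # Delete the key pair (batch mode needs the fingerprint) and confirm the keyring is empty.
        gpg(binary, home, "--delete-secret-and-public-key", primary_fingerprint(binary, home))
        listing = gpg(binary, home, "--with-colons", "--list-keys").stdout
        if any(line.startswith("pub:") for line in listing.splitlines()):
            raise RuntimeError("key still present after deletion")
        return "ok"
    finally:
        gpgconf = shutil.which("gpgconf")
        if gpgconf:
            subprocess.run([gpgconf, "--kill", "gpg-agent"], env=dict(os.environ, GNUPGHOME=home),
                           check=False, capture_output=True)
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(gpg_dsa_roundtrip())
```

Run it on the test machine after installing the packages from updates_testing; "ok" means key generation, encryption, decryption, DSA signing, verification and deletion all succeeded against the updated library, without leaving anything in the tester's own ~/.gnupg.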

Comment 4 claire robinson 2018-06-24 21:47:45 CEST
Validating. Advisoried.

Keywords: (none) => advisory, has_procedure, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-07-02 00:18:37 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0306.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
