Bug 29467 - libgcrypt new security issue CVE-2021-40528
Summary: libgcrypt new security issue CVE-2021-40528
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal, Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-09-16 22:01 CEST by David Walser
Modified: 2021-09-29 19:24 CEST (History)
CC List: 5 users

See Also:
Source RPM: libgcrypt-1.8.7-1.1.mga8.src.rpm
CVE: CVE-2021-40528
Status comment:


Attachments
A basic c program calling the library (2.72 KB, text/x-csrc)
2021-09-24 03:52 CEST, Brian Rockwell

Description David Walser 2021-09-16 22:01:55 CEST
Ubuntu has issued an advisory today (September 16):
https://ubuntu.com/security/notices/USN-5080-1

The issue is fixed upstream in 1.9.4.

Mageia 8 is also affected.

We fixed the other CVE in their advisory in Bug 29162, but given their notes on this new CVE, we should make sure that we got the right commits last time.
David Walser 2021-09-16 22:02:12 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 1.9.4
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2021-09-16 22:05:07 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-09-20 13:38:12 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. (CVE-2021-40528)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40528
https://ubuntu.com/security/notices/USN-5080-1
========================

Updated packages in core/updates_testing:
========================
lib(64)gcrypt-devel-1.8.7-1.2.mga8
lib(64)gcrypt20-1.8.7-1.2.mga8

from SRPM:
libgcrypt-1.8.7-1.2.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: libgcrypt-1.9.3-1.mga9.src.rpm => libgcrypt-1.8.7-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-40528
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.9.4 => (none)
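
The advisory text only summarises the CVE. The mechanism, as described in the research that reported the ElGamal cross-configuration attack on OpenPGP, is this: libgcrypt's encryption side drew a short ephemeral exponent k, which is only safe when the receiver's group has no usable subgroup structure; if p-1 has a smooth part B larger than k, an eavesdropper gets k mod B by Pohlig-Hellman on the small-order subgroups, hence k itself, hence the plaintext. The upstream fix in 1.9.4 has the encryption side draw a full-size k instead. The toy model below is an added example written for this page; it is not code from the bug report, from libgcrypt or from the advisory. It assumes that reading of the CVE, and it uses deliberately tiny constructed parameters (a p of about 123 bits whose p-1 is a 43-bit primorial times an 80-bit prime, a 40-bit short k) so the brute-force subgroup DLPs finish instantly. Real keys are 2048 bits or more.

```python
"""Toy model of the ElGamal weakness behind CVE-2021-40528 (added example, not
code from the bug report or from libgcrypt).

A sender that draws a short ephemeral exponent k is safe only if the receiver's
group has no exploitable subgroup structure.  Here p-1 = B*q with B a product
of small primes and B > k, so an eavesdropper computes k mod B (= k) with
Pohlig-Hellman on the small-order subgroups and decrypts.  With a full-size k
the same attack only yields k mod B, which is useless.  Parameters are tiny on
purpose; every number below is constructed for the demo.
"""
import random
from math import prod

SMALL = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # smooth part of p-1
B = prod(SMALL)                                         # about 2**42.8
K_BITS = 40                                             # short k: 2**40 < B


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probable-prime test with rng-chosen bases."""
    if n < 2:
        return False
    for r in SMALL:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(rng):
    """Return (p, g, q): p = B*q + 1 prime with q prime, g a generator of Z_p^*.
    p-1 is fully factored by construction, so the generator check is exact."""
    while True:
        q = rng.getrandbits(80) | (1 << 79) | 1
        if is_probable_prime(q, rng) and is_probable_prime(B * q + 1, rng):
            break
    p = B * q + 1
    while True:
        g = rng.randrange(2, p - 1)
        if all(pow(g, (p - 1) // r, p) != 1 for r in SMALL + [q]):
            return p, g, q


def keygen(p, g, rng):
    """Receiver's long-term key: secret x, public y = g^x."""
    x = rng.randrange(1, p - 1)
    return x, pow(g, x, p)


def encrypt(p, g, y, m, rng, short_k=True):
    """ElGamal encryption; short_k mimics the pre-1.9.4 sender behaviour."""
    k = (rng.getrandbits(K_BITS) or 1) if short_k else rng.randrange(1, p - 1)
    return k, (pow(g, k, p), m * pow(y, k, p) % p)


def recover_k_mod_B(p, g, c1):
    """Pohlig-Hellman: k mod r for each small prime r | p-1, combined by CRT.
    Only the smooth subgroups are attacked; the order-q subgroup is untouched."""
    k, mod = 0, 1
    for r in SMALL:
        gr = pow(g, (p - 1) // r, p)   # element of order exactly r
        hr = pow(c1, (p - 1) // r, p)  # equals gr**k, so it leaks k mod r
        j = next(j for j in range(r) if pow(gr, j, p) == hr)
        k += mod * (((j - k) * pow(mod, -1, r)) % r)   # CRT step
        mod *= r
    return k


def attack(p, g, y, c):
    """Eavesdropper: recover k, then m = c2 * (y^k)^-1.  Exact iff k < B."""
    k = recover_k_mod_B(p, g, c[0])
    return k, c[1] * pow(y, -k, p) % p


def demo(seed=2021, msg=0xC0FFEE):
    """Run the attack against a short-k and a full-size-k encryption."""
    rng = random.Random(seed)
    p, g, _ = make_group(rng)
    _, y = keygen(p, g, rng)
    k_short, c = encrypt(p, g, y, msg, rng, short_k=True)
    k_rec, m_rec = attack(p, g, y, c)
    k_full, c_full = encrypt(p, g, y, msg, rng, short_k=False)
    k_rec_full, m_rec_full = attack(p, g, y, c_full)
    return {"k_short": k_short, "k_rec": k_rec, "m_rec": m_rec,
            "k_full": k_full, "k_rec_full": k_rec_full, "m_rec_full": m_rec_full}


if __name__ == "__main__":
    r = demo()
    print("short k: recovered k ==", r["k_rec"] == r["k_short"],
          "; plaintext recovered ==", r["m_rec"] == 0xC0FFEE)
    print("full-size k: recovered k ==", r["k_rec_full"] == r["k_full"])
```

The point for QA is that the bug is not visible from the receiver's side or from any single library's self-tests: the receiver's key is well-formed and the ciphertext decrypts normally, so a functional check such as hmac256 or an ARC4 round trip cannot exercise the fix. What changes with the update is only the size of k the sender draws, which is why the demo contrasts a short k with a full-size one.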

Comment 3 Brian Rockwell 2021-09-24 03:52:47 CEST
Created attachment 12932 [details]
A basic c program calling the library

Basic C program:

To compile: gcc arcfour.c -o arcfour -lgcrypt -lgpg-error

To execute: ./arcfour

Acquired the code from:  https://cboard.cprogramming.com/c-programming/105743-how-decrypt-encrypt-using-libgcrypt-arc4.html

CC: (none) => brtians1

Comment 4 Brian Rockwell 2021-09-24 03:56:01 CEST
MGA8-64, Plasma

$ hmac256 "akeyblahblah" <afile>

It worked.

$ dumpsexp < test.txt

It worked.

Compiled and executed the program attached.

This library works as far as I can tell.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-09-27 14:09:32 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-09-29 17:53:36 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-09-29 19:24:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0446.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
