Ubuntu has issued an advisory today (September 16):
https://ubuntu.com/security/notices/USN-5080-1

The issue is fixed upstream in 1.9.4.

Mageia 8 is also affected. We fixed the other CVE in their advisory in Bug 29162, but given their notes on this new CVE, we should make sure that we got the right commits last time.

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 1.9.4
Whiteboard: (none) => MGA8TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. (CVE-2021-40528)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40528
https://ubuntu.com/security/notices/USN-5080-1
========================

Updated packages in core/updates_testing:
========================
lib(64)gcrypt-devel-1.8.7-1.2.mga8
lib(64)gcrypt20-1.8.7-1.2.mga8

from SRPM:
libgcrypt-1.8.7-1.2.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: libgcrypt-1.9.3-1.mga9.src.rpm => libgcrypt-1.8.7-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-40528
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.9.4 => (none)

Created attachment 12932
A basic c program calling the library

Basic C program:
to compile: gcc arcfour.c -o arcfour -lgcrypt -lgpg-error
to execute: ./arcfour

Acquired the code from:
https://cboard.cprogramming.com/c-programming/105743-how-decrypt-encrypt-using-libgcrypt-arc4.html
CC: (none) => brtians1
MGA8-64, Plasma

$ hmac256 "akeyblahblah" <afile>
It worked.

$ dumpsexp < test.txt
It worked.

Compiled and executed the program attached.

This library works as far as I can tell.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0446.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED