Bug 831359 (CVE-2013-4242) - VUL-0: CVE-2013-4242: gpg libgcrypt: GnuPG 1.4.14 / libgcrypt 1.5.3 for gpg2 mitigate Yarom/Falkner flush+reload side-channel attack on RSA secret keys
Status: RESOLVED FIXED
Duplicates: 876580
Alias: CVE-2013-4242
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All
OS: openSUSE 12.3
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2014-04-24
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sles9-sp3-teradata:538...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-25 11:42 UTC by Andreas Stieger
Modified: 2016-11-29 14:01 UTC
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2013-07-25 11:42:47 UTC
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0

From http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html

Noteworthy changes in version 1.5.3:

 * Mitigate the Yarom/Falkner flush+reload side-channel attack on
   RSA secret keys.  See <http://eprint.iacr.org/2013/448>.

[ Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes
  the above problem.  The fix for GnuPG < 2.0 can be found in the just
  released GnuPG 1.4.14. ]


also for gpg (1).. SLE?
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html

Reproducible: Always

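The announcement quoted above names the mitigation but not what changed in the exponentiation loop. Added illustration, not libgcrypt's code: a square-and-multiply whose multiply step runs only for set exponent bits (the per-iteration pattern a flush+reload probe on the multiply routine reads out), beside the always-multiply shape the referenced 1.5.3 fix introduced in mpi_powm (my description of that commit, not text from the page), here on 64-bit integers rather than MPI limbs.

```c
#include <stdint.h>
#include <stdio.h>
/* 64-bit modular multiply with a 128-bit intermediate (GCC/Clang extension). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Leaky shape: the multiply-by-base step runs only for set bits of the secret
   exponent d, so whether that code was fetched in an iteration reveals the
   bit.  mul_count records how many multiply steps ran. */
uint64_t powm_leaky(uint64_t base, uint64_t d, uint64_t m, int *mul_count)
{
    uint64_t r = 1 % m;
    *mul_count = 0;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);            /* square every iteration */
        if ((d >> i) & 1) {             /* branch on a secret bit */
            r = mulmod(r, base, m);     /* multiply only for 1-bits */
            (*mul_count)++;
        }
    }
    return r;
}

/* Mitigated shape: multiply on every iteration and keep or discard the product
   with a mask, so the routines executed per iteration do not depend on d.
   (Source-level illustration; verify the compiler kept it branch-free.) */
uint64_t powm_always_multiply(uint64_t base, uint64_t d, uint64_t m, int *mul_count)
{
    uint64_t r = 1 % m;
    *mul_count = 0;
    for (int i = 63; i >= 0; i--) {
        uint64_t sq   = mulmod(r, r, m);
        uint64_t prod = mulmod(sq, base, m);            /* always computed */
        uint64_t mask = (uint64_t)0 - ((d >> i) & 1);   /* all-ones iff bit set */
        r = (prod & mask) | (sq & ~mask);               /* branch-free select */
        (*mul_count)++;
    }
    return r;
}

int main(void)
{   /* constructed sample: 4^13 mod 497 = 445 either way, but 3 vs 64 multiplies */
    int leaky = 0, fixed = 0;
    uint64_t a = powm_leaky(4, 13, 497, &leaky), b = powm_always_multiply(4, 13, 497, &fixed);
    printf("leaky=%llu/%d mul  mitigated=%llu/%d mul\n", (unsigned long long)a, leaky, (unsigned long long)b, fixed);
    return 0;
}
```

The multiply count is the only observable that differs between the two loops for the same inputs, which is exactly the signal the mitigation removes.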
Comment 1 Marcus Meissner 2013-07-25 13:23:38 UTC
yes, likely.

also via oss-sec

http://comments.gmane.org/gmane.comp.security.oss.general/10708
Comment 2 Andreas Stieger 2013-07-25 20:56:18 UTC
Relating to the strategy for libgcrypt for openSUSE 12.2 and 12.3... 
do 1.5.0 + patch or go for 1.5.3?
Comment 3 Swamp Workflow Management 2013-07-25 22:00:21 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2013-07-26 07:54:42 UTC
No CVE assignment yet. Maintenance request for libgcrypt 1.5.0 > 1.5.3 for openSUSE 12.2 and 12.3:
https://build.opensuse.org/request/show/184382
Comment 5 Bernhard Wiedemann 2013-07-26 10:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (831359) was mentioned in
https://build.opensuse.org/request/show/184399 Factory / libgcrypt
Comment 6 Andreas Stieger 2013-07-26 22:07:03 UTC
This is CVE-2013-4242
Comment 10 Swamp Workflow Management 2013-07-30 08:29:58 UTC
The SWAMPID for this issue is 53821.
This issue was rated as moderate.
Please submit fixed packages until 2013-08-13.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Bernhard Wiedemann 2013-08-02 13:00:52 UTC
This is an autogenerated message for OBS integration:
This bug (831359) was mentioned in
https://build.opensuse.org/request/show/185601 Maintenance /
Comment 12 Swamp Workflow Management 2013-08-05 09:04:25 UTC
openSUSE-SU-2013:1294-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 810759,831359
CVE References: 
Sources used:
openSUSE 12.3 (src):    libgcrypt-1.5.3-12.4.1
openSUSE 12.2 (src):    libgcrypt-1.5.3-9.5.1
Comment 13 Marcus Meissner 2013-08-05 13:37:02 UTC
libgcrypt for SLE is missing.
Comment 14 Swamp Workflow Management 2013-08-06 13:04:38 UTC
openSUSE-RU-2013:1302-1: An update that has two recommended fixes can now be installed.

Category: recommended (low)
Bug References: 810759,831359
CVE References: 
Sources used:
openSUSE 11.4 (src):    libgcrypt-1.5.3-6.1
Comment 15 Swamp Workflow Management 2013-08-07 08:05:46 UTC
Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 16 Swamp Workflow Management 2013-08-07 08:06:08 UTC
Update released for: gpg
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 17 Michal Vyskocil 2013-08-07 08:30:50 UTC
(In reply to comment #13)
> libgcrypt for SLE is missing.

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=e2202ff2b704623efc6277fb5256e4e15bac5676
Comment 21 Michal Vyskocil 2013-08-07 09:25:57 UTC
(In reply to comment #19)
done for all projects
Comment 23 Swamp Workflow Management 2013-08-16 14:04:49 UTC
Update released for: libgcrypt, libgcrypt-32bit, libgcrypt-debuginfo, libgcrypt-devel, libgcrypt-devel-32bit
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 24 Swamp Workflow Management 2013-08-16 14:05:14 UTC
Update released for: libgcrypt
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 25 Swamp Workflow Management 2013-08-16 14:05:29 UTC
Update released for: libgcrypt, libgcrypt-debuginfo, libgcrypt-debugsource, libgcrypt-devel, libgcrypt-devel-32bit, libgcrypt11, libgcrypt11-32bit
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 26 Swamp Workflow Management 2013-08-16 15:55:32 UTC
Update released for: libgcrypt, libgcrypt-debuginfo, libgcrypt-debugsource, libgcrypt-devel, libgcrypt-devel-32bit, libgcrypt11, libgcrypt11-32bit, libgcrypt11-x86
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 27 Swamp Workflow Management 2013-08-16 16:01:57 UTC
Update released for: libgcrypt, libgcrypt-debuginfo, libgcrypt-debugsource, libgcrypt-devel, libgcrypt-devel-32bit, libgcrypt11, libgcrypt11-32bit, libgcrypt11-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 28 Matthias Weckbecker 2013-08-19 09:05:10 UTC
released
Comment 29 Matthias Weckbecker 2013-08-19 09:18:01 UTC
released
Comment 30 Bernhard Wiedemann 2013-08-23 15:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (831359) was mentioned in
https://build.opensuse.org/request/show/196127 Evergreen:11.2 / libgcrypt
Comment 31 Bernhard Wiedemann 2013-08-30 06:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (831359) was mentioned in
https://build.opensuse.org/request/show/196849 Evergreen:11.2 / libgcrypt
Comment 32 Swamp Workflow Management 2013-10-25 15:47:08 UTC
Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 33 Swamp Workflow Management 2013-10-25 15:48:09 UTC
Update released for: gpg, gpg-debuginfo
Products:
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)
Comment 34 Swamp Workflow Management 2014-04-10 15:40:33 UTC
The SWAMPID for this issue is 56982.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-24.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 35 Swamp Workflow Management 2014-05-22 19:56:22 UTC
Update released for: libgcrypt, libgcrypt-debuginfo, libgcrypt-debugsource, libgcrypt-devel, libgcrypt-devel-32bit, libgcrypt11, libgcrypt11-32bit, libgcrypt11-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 36 Swamp Workflow Management 2014-05-22 23:04:54 UTC
SUSE-SU-2014:0704-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 831359
CVE References: CVE-2013-4242
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    libgcrypt-1.4.1-6.10.1
Comment 37 Leonardo Chiquitto 2014-06-11 12:46:47 UTC
*** Bug 876580 has been marked as a duplicate of this bug. ***