Bugzilla – Bug 892464
VUL-0: CVE-2014-5270: libgcrypt: side-channel attack on Elgamal encryption subkeys
Last modified: 2016-11-29 14:01:36 UTC
Via gnupg-announce mailinglist: Werner Koch wk at gnupg.org Fri Aug 8 12:17:06 CEST 2014 Hi! While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed to describe [2] a software combination which has not been fixed and is thus vulnerable to the attack described by the paper. If you are using a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to mount the described side-channel attack on Elgamal encryption subkeys. To check whether you are using a vulnerable Libgcrypt version, enter gpg2 --version on the command line; the second line of the output gives the Libgcrypt version: gpg (GnuPG) 2.0.25 libgcrypt 1.5.3 In this example Libgcrypt is vulnerable. If you see 1.6.0 or 1.6.1 you are fine. GnuPG versions since 1.4.16 are not affected because they do not use Libgcrypt. The recommendation is to update any Libgcrypt version below 1.6.0 to at least the latest version from the 1.5 series which is 1.5.4. Updating to 1.6.1 is also possible but that requires to rebuild GnuPG. Libgcrypt 1.5.4 has been released yesterday [3]; for convenience I include the download instructions below. A CVE-id has not yet been assigned. Many thanks to Daniel Genkin for pointing out this problem. Shalom-Salam, Werner [1] http://www.cs.tau.ac.il/~tromer/handsoff [2] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000349.html [3] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html CVE-2014-5270 was assigned to this isse. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270 http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5270.html
Everything except of SLE-12 is affected. Please submit fixes. SLE-12 libgcrypt-1.6.1 SLE-11-SP3 libgcrypt-1.5.0 SLE-11-SP1-TD libgcrypt-1.4.1 SLE-10-SP3-TD libgcrypt-1.2.2 openSUSE:13.1 libgcrypt-1.5.3 openSUSE:12.3 libgcrypt-1.5.0
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-09-02. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58619
Affected packages: SLE-10-SP3-TERADATA: libgcrypt SLE-11-SP1: libgcrypt SLE-11-SP3: libgcrypt
This is an autogenerated message for OBS integration: This bug (892464) was mentioned in https://build.opensuse.org/request/show/245158 13.1+12.3 / libgcrypt
Packages submitted, back to security-team.
bugbot adjusting priority
rewleased
SUSE-SU-2014:1077-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 892464 CVE References: CVE-2014-5270 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libgcrypt-1.5.0-0.17.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): libgcrypt-1.5.0-0.17.1 SUSE Linux Enterprise Server 11 SP3 (src): libgcrypt-1.5.0-0.17.1 SUSE Linux Enterprise Desktop 11 SP3 (src): libgcrypt-1.5.0-0.17.1