Gentoo Archives: gentoo-announce

From: Chris Reffett <creffett@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201402-24 ] GnuPG, Libgcrypt: Multiple vulnerabilities
Date: Fri, 21 Feb 2014 16:14:42
Message-Id: 5307797B.7050706@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201402-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GnuPG, Libgcrypt: Multiple vulnerabilities
Date: February 21, 2014
Bugs: #449546, #478184, #484836, #487230, #494658
ID: 201402-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in GnuPG and Libgcrypt,
which may result in execution of arbitrary code, Denial of Service, or
the disclosure of private keys.

Background
==========

The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite
of cryptographic software. Libgcrypt is a cryptographic library based
on GnuPG.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-crypt/gnupg             < 2.0.22               *>= 1.4.16
                                                         >= 2.0.22
  2  dev-libs/libgcrypt           < 1.5.3                  >= 1.5.3
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in GnuPG and Libgcrypt.
Please review the CVE identifiers referenced below for details.

Impact
======

An unauthenticated remote attacker may be able to execute arbitrary
code with the privileges of the user running GnuPG, cause a Denial of
Service condition, or bypass security restrictions. Additionally, a
side-channel attack may allow a local attacker to recover a private
key; see "Flush+Reload: a High Resolution, Low Noise, L3 Cache
Side-Channel Attack" in the References section for further details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuPG 2.0 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.22"

All GnuPG 1.4 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.16"

All Libgcrypt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.5.3"
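As an added example (not part of this advisory or of Gentoo's own tooling), the following POSIX shell script applies the version ranges from the Affected packages table to a constructed package inventory, so an administrator can see which installed versions still need the upgrade above. It assumes that the starred "*>= 1.4.16" entry means the 1.4 branch is fixed from 1.4.16 onward, drops Gentoo revision (-rN) and _suffix parts before comparing, and compares only numeric dotted components.

```shell
#!/bin/sh
# Added example: classify installed versions against GLSA 201402-24.
# Assumptions: "*>= 1.4.16" means the 1.4 branch is fixed from 1.4.16;
# revision (-rN) and _suffix parts are dropped before comparing;
# only numeric dotted components are compared.

# ver_ge A B: exit 0 when version A >= version B, component by component
ver_ge() {
    a="${1%%-*}"; a="${a%%_*}"
    b="${2%%-*}"; b="${b%%_*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ "$ac" = "$a" ] && a="" || a="${a#*.}"
        [ "$bc" = "$b" ] && b="" || b="${b#*.}"
        if [ "${ac:-0}" -gt "${bc:-0}" ]; then return 0; fi
        if [ "${ac:-0}" -lt "${bc:-0}" ]; then return 1; fi
    done
    return 0
}

# glsa_201402_24_status PKG VERSION: prints vulnerable, unaffected or
# not-covered, following the Affected packages table of the advisory
glsa_201402_24_status() {
    case "$1" in
        app-crypt/gnupg)
            case "$2" in
                1.4.*) fixed=1.4.16 ;;   # starred 1.4 branch entry
                *)     fixed=2.0.22 ;;   # anything else: < 2.0.22 is vulnerable
            esac ;;
        dev-libs/libgcrypt) fixed=1.5.3 ;;
        *) echo not-covered; return 0 ;;
    esac
    if ver_ge "$2" "$fixed"; then echo unaffected; else echo vulnerable; fi
}

# Constructed inventory (one "package version" pair per line), not real host data.
printf '%s\n' \
    'app-crypt/gnupg 2.0.21' \
    'app-crypt/gnupg 1.4.16-r1' \
    'dev-libs/libgcrypt 1.5.2' \
    'dev-libs/libgcrypt 1.6.0' \
    'app-crypt/gpgme 1.4.3' |
while read -r pkg ver; do
    printf '%-22s %-12s %s\n' "$pkg" "$ver" "$(glsa_201402_24_status "$pkg" "$ver")"
done
```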

References
==========

[ 1 ] CVE-2012-6085
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6085
[ 2 ] CVE-2013-4242
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4242
[ 3 ] CVE-2013-4351
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4351
[ 4 ] CVE-2013-4402
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4402
[ 5 ] Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack
      http://eprint.iacr.org/2013/448

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201402-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments: signature.asc (application/pgp-signature)