Posted: Fri Feb 21, 2014 8:26 pm Post subject: [ GLSA 201402-24 ] GnuPG, Libgcrypt: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: GnuPG, Libgcrypt: Multiple vulnerabilities (GLSA 201402-24)
Severity: normal
Exploitable: local, remote
Date: February 21, 2014
Updated: July 07, 2014
Bug(s): #449546, #478184, #484836, #487230, #494658
ID: 201402-24
Synopsis
Multiple vulnerabilities have been discovered in GnuPG and
Libgcrypt, which may result in execution of arbitrary code, Denial of
Service, or the disclosure of private keys.
Background
The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of
cryptographic software. Libgcrypt is a cryptographic library based on
GnuPG.
Affected Packages
Package: app-crypt/gnupg
Vulnerable: < 2.0.22
Unaffected: >= 2.0.22
Unaffected: >= 1.4.16 < 1.4.17
Unaffected: >= 1.4.17 < 1.4.18
Unaffected: >= 1.4.18 < 1.4.19
Unaffected: >= 1.4.19 < 1.4.20
Unaffected: >= 1.4.20 < 1.4.21
Architectures: All supported architectures
Package: dev-libs/libgcrypt
Vulnerable: < 1.5.3
Unaffected: >= 1.5.3
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in GnuPG and Libgcrypt.
Please review the CVE identifiers referenced below for details.
Impact
An unauthenticated remote attacker may be able to execute arbitrary code
with the privileges of the user running GnuPG, cause a Denial of Service
condition, or bypass security restrictions. Additionally, a side-channel
attack may allow a local attacker to recover a private key; please review
“Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack” in the References section for further details.
Workaround
There is no known workaround at this time.
Resolution
All GnuPG 2.0 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.22"

All GnuPG 1.4 users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.16"

All Libgcrypt users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.5.3"
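The "Affected Packages" and "Resolution" sections above are a set of version ranges plus the matching upgrade atoms. The following is an added example, not part of the advisory and not Gentoo's own tooling (it does not use portage, equery or qlist): it encodes exactly the ranges the GLSA lists, decides whether an installed version of app-crypt/gnupg or dev-libs/libgcrypt is affected, and derives the minimum fixed version and emerge command for it. It assumes plain dotted-integer version strings as they appear in the advisory (Gentoo suffixes such as -r1 or _p1 are deliberately not parsed), and the installed-package listing at the bottom is constructed sample input.

```python
# Added example for GLSA 201402-24; not part of the advisory or of Gentoo's tools.
# Assumption: versions are plain dotted integers like "1.4.16" or "2.0.22".


def parse_version(v):
    """Turn '1.4.16' into (1, 4, 16) so tuples compare numerically."""
    return tuple(int(part) for part in v.split("."))


# Ranges copied from the advisory's "Affected Packages" section.
# Each "unaffected" entry is (lower bound inclusive, upper bound exclusive or None).
ADVISORY = {
    "app-crypt/gnupg": {
        "vulnerable_below": "2.0.22",
        "unaffected": [
            ("2.0.22", None),
            ("1.4.16", "1.4.17"),
            ("1.4.17", "1.4.18"),
            ("1.4.18", "1.4.19"),
            ("1.4.19", "1.4.20"),
            ("1.4.20", "1.4.21"),
        ],
    },
    "dev-libs/libgcrypt": {
        "vulnerable_below": "1.5.3",
        "unaffected": [("1.5.3", None)],
    },
}


def in_range(version, low, high):
    """True when low <= version < high (high=None means no upper bound)."""
    v = parse_version(version)
    if v < parse_version(low):
        return False
    if high is not None and v >= parse_version(high):
        return False
    return True


def is_affected(package, installed):
    """Affected = below the 'Vulnerable' bound and inside none of the unaffected ranges.
    Note the advisory's own semantics: a 1.4.x release not listed as unaffected
    (e.g. 1.4.21) still falls under 'Vulnerable: < 2.0.22' and is reported."""
    entry = ADVISORY[package]
    if any(in_range(installed, lo, hi) for lo, hi in entry["unaffected"]):
        return False
    return parse_version(installed) < parse_version(entry["vulnerable_below"])


def minimum_fixed_version(package, installed):
    """Smallest unaffected lower bound above the installed version, or None if not affected.
    For an affected 1.4.x this yields 1.4.16 (the GnuPG 1.4 branch), for 2.0.x 2.0.22."""
    if not is_affected(package, installed):
        return None
    candidates = [lo for lo, _ in ADVISORY[package]["unaffected"]
                  if parse_version(lo) > parse_version(installed)]
    return min(candidates, key=parse_version)


def upgrade_command(package, installed):
    """The emerge invocation from the advisory's Resolution section, for the right branch."""
    fixed = minimum_fixed_version(package, installed)
    if fixed is None:
        return None
    return 'emerge --ask --oneshot --verbose ">=%s-%s"' % (package, fixed)


def audit(installed_packages):
    """Map of package -> installed version; returns (package, version, fixed) for each hit."""
    hits = []
    for package, version in sorted(installed_packages.items()):
        if package in ADVISORY and is_affected(package, version):
            hits.append((package, version, minimum_fixed_version(package, version)))
    return hits


if __name__ == "__main__":
    # Constructed sample of what a host might have installed (not real output).
    sample = {"app-crypt/gnupg": "1.4.15", "dev-libs/libgcrypt": "1.5.2",
              "app-crypt/pinentry": "0.8.3"}
    for package, version, fixed in audit(sample):
        print("%s-%s is affected; fixed in %s" % (package, version, fixed))
        print("  " + upgrade_command(package, version))
```

Running the block with the constructed sample reports both gnupg 1.4.15 and libgcrypt 1.5.2 as affected and prints the two emerge commands from the Resolution section; a host on gnupg 2.0.21 is pointed at 2.0.22 instead of 1.4.16 because the branch is chosen from the installed version.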
References
CVE-2012-6085
CVE-2013-4242
CVE-2013-4351
CVE-2013-4402
Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack
Last edited by GLSA on Tue Jul 08, 2014 4:31 am; edited 1 time in total