GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Fri Aug 29, 2014 11:26 am Post subject: [ GLSA 201408-10 ] Libgcrypt: Side-channel attack |
|
|
Gentoo Linux Security Advisory
Title: Libgcrypt: Side-channel attack (GLSA 201408-10)
Severity: normal
Exploitable: remote
Date: August 29, 2014
Bug(s): #519396
ID: 201408-10
Synopsis
A vulnerability in Libgcrypt could allow a remote attacker to
extract ElGamal private key information.
Background
Libgcrypt is a general purpose cryptographic library derived out of
GnuPG.
Affected Packages
Package: dev-libs/libgcrypt
Vulnerable: < 1.5.4
Unaffected: >= 1.5.4
Architectures: All supported architectures
Description
A vulnerability in the implementation of ElGamal decryption procedures
of Libgcrypt leaks information to various side-channels.
Impact
A physical side-channel attack allows a remote attacker to fully extract
decryption keys during the decryption of a chosen ciphertext.
Workaround
There is no known workaround at this time.
Resolution
All Libgcrypt users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.5.4"
|
References
CVE-2014-5270 |
|