libgcrypt20: CVE-2017-0379: side-channel attack on Curve25519

Related Vulnerabilities: CVE-2017-0379  

Debian Bug report logs - #873383

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 27 Aug 2017 09:51:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions libgcrypt20/1.8.0-1, libgcrypt20/1.7.1-1

Fixed in versions libgcrypt20/1.8.1-1, libgcrypt20/1.7.9-1, libgcrypt20/1.7.6-2+deb9u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#873383; Package src:libgcrypt20. (Sun, 27 Aug 2017 09:51:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sun, 27 Aug 2017 09:51:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgcrypt20: CVE-2017-0379: side-channel attack on Curve25519
Date: Sun, 27 Aug 2017 11:48:04 +0200
Source: libgcrypt20
Version: 1.7.1-1
Severity: grave
Tags: upstream patch security fixed-upstream

Hi,

the following vulnerability was published for libgcrypt20.

CVE-2017-0379[0]:
side-channel attack on Curve25519

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-0379
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0379
[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=da780c8183cccc8f533c8ace8211ac2cb2bdee7b

Regards,
Salvatore



Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Sun, 27 Aug 2017 10:57:08 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 27 Aug 2017 10:57:08 GMT).


Message #10 received at 873383-close@bugs.debian.org:

From: Andreas Metzler <ametzler@debian.org>
To: 873383-close@bugs.debian.org
Subject: Bug#873383: fixed in libgcrypt20 1.7.9-1
Date: Sun, 27 Aug 2017 10:55:58 +0000
Source: libgcrypt20
Source-Version: 1.7.9-1

We believe that the bug you reported is fixed in the latest version of
libgcrypt20, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873383@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated libgcrypt20 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 27 Aug 2017 11:56:17 +0200
Source: libgcrypt20
Binary: libgcrypt20-doc libgcrypt20-dev libgcrypt20 libgcrypt20-udeb libgcrypt11-dev libgcrypt-mingw-w64-dev
Architecture: source
Version: 1.7.9-1
Distribution: unstable
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 873383
Description: 
 libgcrypt11-dev - transitional libgcrypt11-dev package
 libgcrypt20-dev - LGPL Crypto library - development files
 libgcrypt20-doc - LGPL Crypto library - documentation
 libgcrypt20 - LGPL Crypto library - runtime library
 libgcrypt20-udeb - LGPL Crypto library - runtime library (udeb)
 libgcrypt-mingw-w64-dev - LGPL Crypto library - Windows development
Changes:
 libgcrypt20 (1.7.9-1) unstable; urgency=high
 .
   * New upstream version, mitigates a local side-channel attack on Curve25519
     dubbed "May the Fourth be With You".  [CVE-2017-0379] Closes: #873383
     + Drop 30_mpi-Fix-mpi_set_secure.patch




Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Sun, 27 Aug 2017 11:51:13 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 27 Aug 2017 11:51:13 GMT).


Message #15 received at 873383-close@bugs.debian.org:

From: Andreas Metzler <ametzler@debian.org>
To: 873383-close@bugs.debian.org
Subject: Bug#873383: fixed in libgcrypt20 1.8.1-1
Date: Sun, 27 Aug 2017 11:49:39 +0000
Source: libgcrypt20
Source-Version: 1.8.1-1

We believe that the bug you reported is fixed in the latest version of
libgcrypt20, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873383@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated libgcrypt20 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 27 Aug 2017 13:13:01 +0200
Source: libgcrypt20
Binary: libgcrypt20-doc libgcrypt20-dev libgcrypt20 libgcrypt20-udeb libgcrypt11-dev libgcrypt-mingw-w64-dev
Architecture: source
Version: 1.8.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 873297 873383
Description: 
 libgcrypt11-dev - transitional libgcrypt11-dev package
 libgcrypt20-dev - LGPL Crypto library - development files
 libgcrypt20-doc - LGPL Crypto library - documentation
 libgcrypt20 - LGPL Crypto library - runtime library
 libgcrypt20-udeb - LGPL Crypto library - runtime library (udeb)
 libgcrypt-mingw-w64-dev - LGPL Crypto library - Windows development
Changes:
 libgcrypt20 (1.8.1-1) experimental; urgency=medium
 .
   * New upstream version.
     + Mitigates a local side-channel attack on Curve25519 dubbed "May the
       Fourth be With You".  [CVE-2017-0379] Closes: #873383
     + Add the OID SHA384WithECDSA from RFC-7427 to SHA-384. Closes: 873297
   * Use @ARCHIVE_EXT@ in watchfile instead of hardcoding bz2.




Marked as found in versions libgcrypt20/1.8.0-1. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Sun, 27 Aug 2017 12:06:03 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 07 Sep 2017 21:21:06 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 07 Sep 2017 21:21:06 GMT).


Message #22 received at 873383-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 873383-close@bugs.debian.org
Subject: Bug#873383: fixed in libgcrypt20 1.7.6-2+deb9u2
Date: Thu, 07 Sep 2017 21:17:36 +0000
Source: libgcrypt20
Source-Version: 1.7.6-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
libgcrypt20, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873383@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libgcrypt20 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 27 Aug 2017 11:58:04 +0200
Source: libgcrypt20
Binary: libgcrypt20-doc libgcrypt20-dev libgcrypt20 libgcrypt20-udeb libgcrypt11-dev libgcrypt-mingw-w64-dev
Architecture: source
Version: 1.7.6-2+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 873383
Description: 
 libgcrypt-mingw-w64-dev - LGPL Crypto library - Windows development
 libgcrypt11-dev - transitional libgcrypt11-dev package
 libgcrypt20 - LGPL Crypto library - runtime library
 libgcrypt20-dev - LGPL Crypto library - development files
 libgcrypt20-doc - LGPL Crypto library - documentation
 libgcrypt20-udeb - LGPL Crypto library - runtime library (udeb)
Changes:
 libgcrypt20 (1.7.6-2+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * ecc: Add input validation for X25519 [CVE-2017-0379]
     Mitigate a local side-channel attack on Curve25519 dubbed "May the
     Fourth be With You". (Closes: #873383)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Oct 2017 07:32:44 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:26:07 2019; Machine Name: beach