Opened 3 years ago

Closed 3 years ago

#10868 closed enhancement (fixed)

libgcrypt 1.8.3 (CVE-2018-0495)

Reported by: Pierre Labastie Owned by: ken@…
Priority: high Milestone: 8.3
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point release. Security fix:

Noteworthy changes in version 1.8.3
===================================

   - Use blinding for ECDSA signing to mitigate a novel side-channel
     attack.  [#4011,CVE-2018-0495]

   - Fix incorrect counter overflow handling for GCM when using an IV
     size other than 96 bit.  [#3764]

   - Fix incorrect output of AES-keywrap mode for in-place encryption
     on some platforms.

   - Fix the gcry_mpi_ec_curve_point point validation function.

   - Fix rare assertion failure in gcry_prime_check.

Details of the security threat at https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

According to the announcement, although gnupg is a user of libgcrypt, it does not use the ECDSA code, and hence is not subject to the side channel attack.

Change History (2)

comment:1 by ken@…, 3 years ago

Owner: changed from blfs-book to ken@…
Status: newassigned

comment:2 by ken@…, 3 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.