Opened 6 years ago

Closed 6 years ago

#10868 closed enhancement (fixed)

libgcrypt 1.8.3 (CVE-2018-0495)

Reported by: Pierre Labastie Owned by: ken@…
Priority: high Milestone: 8.3
Component: BOOK Version: SVN
Severity: normal Keywords:


New point release. Security fix:

Noteworthy changes in version 1.8.3

   - Use blinding for ECDSA signing to mitigate a novel side-channel
     attack.  [#4011,CVE-2018-0495]

   - Fix incorrect counter overflow handling for GCM when using an IV
     size other than 96 bit.  [#3764]

   - Fix incorrect output of AES-keywrap mode for in-place encryption
     on some platforms.

   - Fix the gcry_mpi_ec_curve_point point validation function.

   - Fix rare assertion failure in gcry_prime_check.

Details of the security threat at

According to the announcement, although gnupg is a user of libgcrypt, it does not use the ECDSA code, and hence is not subject to the side channel attack.

Change History (2)

comment:1 by ken@…, 6 years ago

Owner: changed from blfs-book to ken@…
Status: newassigned

comment:2 by ken@…, 6 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.