CVE-2017-7526

libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Fixed 1.4.20-1ubuntu3.3
	14.04 LTS trusty	Fixed 1.4.16-1ubuntu2.6
gnupg1	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
libgcrypt11	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Fixed 1.5.3-2ubuntu4.5
libgcrypt20	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Not affected
	17.04 zesty	Fixed 1.7.6-1ubuntu0.1
	16.10 yakkety	Fixed 1.7.2-2ubuntu1.1
	16.04 LTS xenial	Fixed 1.6.5-2ubuntu0.3
	14.04 LTS trusty	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg	Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=b38f4489f75e6e435886aa885807738a22c7ff60 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=12029f83fd0ab3e8ad524f6c9135854662fddfd1 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=554ded4854758bf6ca268432fa087f946932a409 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fd9f72e1b2e578e45c98c978cab4f6d47683d2c Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=994d5b707559a800a650dc7f273372f509d74780
libgcrypt20	Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fbd10abc057453789017f11c7f1fc8e6c61b79a3 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=0e6788517eac6f508fa32ec5d5c1cada7fb980bc Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=a9f612def801c8145d551d995475e5d51a4c988c Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=aff5fd0f2650e24cf99efcd7b499627ea48782c3 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=312101e1f266314b4391fcdbe11c03de5c147e38

Package

Patch details

gnupg

libgcrypt20

Severity score breakdown

Parameter	Value
Base score	6.8 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Changed
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-3733-1
GnuPG vulnerability
7 August 2018

USN-3733-2
GnuPG vulnerability
15 August 2018

USN-3347-2
Libgcrypt vulnerability
17 July 2017

USN-3347-1
Libgcrypt vulnerabilities
3 July 2017

Cvss 3 Severity Score

Status

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references