CVE-2017-7526

Published: 29 June 2017

libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.

Priority

CVSS 3 base score: 6.8

Status

Package	Release	Status
gnupg Launchpad, Ubuntu, Debian	Upstream	Needs triage



	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (1.4.20-1ubuntu3.3)
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (1.4.16-1ubuntu2.6)
	Patches: upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=b38f4489f75e6e435886aa885807738a22c7ff60 upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=12029f83fd0ab3e8ad524f6c9135854662fddfd1 upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=554ded4854758bf6ca268432fa087f946932a409 upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fd9f72e1b2e578e45c98c978cab4f6d47683d2c upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=994d5b707559a800a650dc7f273372f509d74780
gnupg1 Launchpad, Ubuntu, Debian	Upstream	Needs triage



	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
libgcrypt11 Launchpad, Ubuntu, Debian	Upstream	Needs triage



	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (1.5.3-2ubuntu4.5)
libgcrypt20 Launchpad, Ubuntu, Debian	Upstream	Released (1.7.8-1)



	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (1.7.8-1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (1.6.5-2ubuntu0.3)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was needed)
	Patches: Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fbd10abc057453789017f11c7f1fc8e6c61b79a3 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=0e6788517eac6f508fa32ec5d5c1cada7fb980bc Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=a9f612def801c8145d551d995475e5d51a4c988c Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=aff5fd0f2650e24cf99efcd7b499627ea48782c3 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=312101e1f266314b4391fcdbe11c03de5c147e38

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1785176

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM