CVE-2017-7526

Published: 29 June 2017

libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.

Priority

CVSS 3 base score: 6.8

Status

Package	Release	Status
gnupg Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	precise	Released (1.4.11-3ubuntu2.12)
	trusty	Released (1.4.16-1ubuntu2.6)
	upstream	Needs triage
	xenial	Released (1.4.20-1ubuntu3.3)
	Patches: upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=b38f4489f75e6e435886aa885807738a22c7ff60 upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=12029f83fd0ab3e8ad524f6c9135854662fddfd1 upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=554ded4854758bf6ca268432fa087f946932a409 upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fd9f72e1b2e578e45c98c978cab4f6d47683d2c upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=994d5b707559a800a650dc7f273372f509d74780
gnupg1 Launchpad, Ubuntu, Debian	bionic	Not vulnerable
	cosmic	Not vulnerable
	disco	Not vulnerable
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
libgcrypt11 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	precise	Released (1.5.0-3ubuntu0.7)
	trusty	Released (1.5.3-2ubuntu4.5)
	upstream	Needs triage
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
libgcrypt20 Launchpad, Ubuntu, Debian	artful	Not vulnerable (1.7.8-1)
	bionic	Not vulnerable (1.7.8-1)
	cosmic	Not vulnerable (1.7.8-1)
	disco	Not vulnerable (1.7.8-1)
	precise	Does not exist
	trusty	Does not exist (trusty was needed)
	upstream	Released (1.7.8-1)
	xenial	Released (1.6.5-2ubuntu0.3)
	yakkety	Released (1.7.2-2ubuntu1.1)
	zesty	Released (1.7.6-1ubuntu0.1)
	Patches: upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fbd10abc057453789017f11c7f1fc8e6c61b79a3 upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=0e6788517eac6f508fa32ec5d5c1cada7fb980bc upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=a9f612def801c8145d551d995475e5d51a4c988c upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=aff5fd0f2650e24cf99efcd7b499627ea48782c3 upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=312101e1f266314b4391fcdbe11c03de5c147e38

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1785176

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Security