CVE-2017-9526

Published: 10 June 2017

In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.

Priority

Low

CVSS 3 base score: 5.9

Status

Package       Release                              Status

libgcrypt11 (Launchpad, Ubuntu, Debian)
              Upstream                             Not vulnerable
              Ubuntu 18.04 LTS (Bionic Beaver)     Does not exist
              Ubuntu 16.04 ESM (Xenial Xerus)      Does not exist
              Ubuntu 14.04 ESM (Trusty Tahr)       Not vulnerable (1.5.3-2ubuntu4.4)

libgcrypt20 (Launchpad, Ubuntu, Debian)
              Upstream                             Released (1.7.6-2)
              Ubuntu 18.04 LTS (Bionic Beaver)     Not vulnerable (1.7.6-2)
              Ubuntu 16.04 ESM (Xenial Xerus)      Released (1.6.5-2ubuntu0.3)
              Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist (trusty was needed)
Patches:
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=91456759b887e153c4d4ce19538d478df260cab2