Your submission was sent successfully! Close

CVE-2019-12904

Published: 20 June 2019

** DISPUTED ** In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack.

Notes

AuthorNote
mdeslaur
see:
https://lists.gnupg.org/pipermail/gcrypt-devel/2019-July/004760.html
Upstream developers have disputed this issue, so marking as
not-affected
Priority

Low

CVSS 3 base score: 5.9

Status

Package Release Status
libgcrypt11
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Needs triage

xenial Does not exist

libgcrypt20
Launchpad, Ubuntu, Debian
bionic Not vulnerable

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Not vulnerable

groovy Not vulnerable

hirsute Not vulnerable

impish Not vulnerable

jammy Not vulnerable

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code not present)
Patches:
upstream: https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
upstream: https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762