CVE-2019-12904
Published: 20 June 2019
** DISPUTED ** In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack.
Priority
Low
CVSS 3 base score: 5.9
Status
| Package | Release | Status |
|---|---|---|
|
libgcrypt11 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(code not present)
|
|
|
libgcrypt20 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Deferred
(2020-01-06)
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Deferred
(2020-01-06)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Deferred
(2020-01-06)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Deferred
(2020-01-06)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(code not present)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 Upstream: https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 |
||
Notes
| Author | Note |
|---|---|
| mdeslaur | as of 2020-01-06, upstream developers haven't determined if this is an actual issue or not yet, see: https://lists.gnupg.org/pipermail/gcrypt-devel/2019-July/004760.html |