Re: [Announce] [security fix] Libgcrypt and GnuPG
On Fri, 08 Aug 2014 12:17:06 +0200 Werner Koch wrote: > Hi! > > While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed > to describe [2] a software combination which has not been fixed and is > thus vulnerable to the attack described by the paper. If you are using > a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to > mount the described side-channel attack on Elgamal encryption subkeys. > To check whether you are using a vulnerable Libgcrypt version, enter > > gpg2 --version > > on the command line; the second line of the output gives the Libgcrypt > version: > > gpg (GnuPG) 2.0.25 > libgcrypt 1.5.3 > > In this example Libgcrypt is vulnerable. If you see 1.6.0 or 1.6.1 you > are fine. GnuPG versions since 1.4.16 are not affected because they do > not use Libgcrypt. > > The recommendation is to update any Libgcrypt version below 1.6.0 to at > least the latest version from the 1.5 series which is 1.5.4. Updating > to 1.6.1 is also possible but that requires to rebuild GnuPG. > > Libgcrypt 1.5.4 has been released yesterday [3]; for convenience I > include the download instructions below. A CVE-id has not yet been > assigned. > > Many thanks to Daniel Genkin for pointing out this problem. > > > Shalom-Salam, > >Werner > > > [1] http://www.cs.tau.ac.il/~tromer/handsoff > [2] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000349.html > [3] http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html > > Download > > > Libgcrypt source code is hosted at the GnuPG FTP server and its mirrors > as listed at https://www.gnupg.org/download/mirrors.html . On the > primary server the source tarball and its digital signature are: > > ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2 (1478k) > ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.bz2.sig > > That file is bzip2 compressed. A gzip compressed version is here: > > ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz (1763k) > ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.4.tar.gz.sig > > Alternativley you may upgrade using this patch file: > > ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3-1.5.4.diff.bz2 (17k) > > In order to check that the version of Libgcrypt you are going to build > is an original and unmodified one, you can do it in one of the following > ways: > > * Check the supplied OpenPGP signature. For example to check the >signature of the file libgcrypt-1.5.4.tar.bz2 you would use this >command: > > gpg --verify libgcrypt-1.5.4.tar.bz2.sig > >This checks whether the signature file matches the source file. You >should see a message indicating that the signature is good and made >by the release signing key 4F25E3B6 which is certified by my well >known key 1E42B367. To retrieve the keys you may use the command >"gpg --fetch-key finger:w...@g10code.com". > > * If you are not able to use GnuPG, you have to verify the SHA-1 >checksum: > > sha1sum libgcrypt-1.5.4.tar.bz2 > >and check that the output matches the first line from the >following list: > > bdf4b04a0d2aabc04ab3564fbe38fd094135aa7a libgcrypt-1.5.4.tar.bz2 > 71e432e0ae8792076a40c6059667997250abbb9d libgcrypt-1.5.4.tar.gz > 8876ae002751e6ec26c76e510d17fc3e0eccb3ed libgcrypt-1.5.3-1.5.4.diff.bz2 > > > Watching out for possible security problems and working with researches > to fix them takes a lot of time. g10 Code GmbH, a German company owned > and headed by me, is bearing these costs. To help us carry on this > work, we need your support; please see https://gnupg.org/donate/ . > Skimming through the description, does it mean that users with OpenPGP cards should be impervious to this attack? Can the attack be used to leak symmetric keys during the GnuPG operation? Best regards -- Branko Majic Jabber: bra...@majic.rs Please use only Free formats when sending attachments to me. Бранко Мајић Џабер: bra...@majic.rs Молим вас да додатке шаљете искључиво у слободним форматима. signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] [security fix] Libgcrypt and GnuPG
On Sat, Aug 9, 2014 at 10:49 AM, Werner Koch wrote: > On Sat, 9 Aug 2014 01:24, p...@heypete.com said: > >>> The GPG4Win folks are gearing up for a new release this August. >> >> Excellent. I look forward to it. > > The problem with gpg4win is that it is hard to build in particular the > KDE stuff can't be easily cross compiled. It is quite some work to > maintain this software and donations are very low. My tentative plan is > now to separate GnuPG proper from the other stuff and provide it as a > separate installer (for gnupg 2.1) I'll bet. Fortunately, there are decent Windows front-ends for mail-related tasks like Enigmail. Not much for file-related tasks, though. I would definitely be happy if the GPG binary was packaged separately: I almost never use GPA or other GUI tools that come with the package. Thanks for the reminder regarding donations: I really should chip in a bit more this year. Cheers! -Pete -- Pete Stephenson ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: [Enigmail] [ANN] Enigmail v1.7 available
On Saturday, 2014-08-09 12:03:28 Johan Wevers wrote: > Not compatible with Thunderbird 3.1.20. And considering the way Mozilla > is currently adding bloat to all its programs (Hi Netscape 4.0), I don't > see any reason to upgrade. I had to read the Thunderbird version string twice before understanding what you are saying. If you believe you found a defect you should file a proper bug report. Given that the Enigmail page on addons.mozilla.org says "Works with Thunderbird 24.0 - 34.0", it looks like your version of Thunderbird is not supported. Samir -- Samir Nassar sa...@samirnassar.com https://samirnassar.com PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 Public Key: https://samirnassar.com/files/key.asc signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: [Enigmail] [ANN] Enigmail v1.7 available
On Sat, 09 Aug 2014 12:03:28 +0200, Johan Wevers wrote: > On 19-07-2014 15:29, John Clizbe wrote: > >> As there are many Enigmail users who read this list, but not [Enigmail], I'm >> forwarding the announcement of the newest release of Enigmail, v1.7. >> There are quite a few changes in this release. > > Not compatible with Thunderbird 3.1.20. And considering the way Mozilla > is currently adding bloat to all its programs (Hi Netscape 4.0), I don't > see any reason to upgrade. Thunderbird 3.1.20 was released in March 2012. There are more than 200 security vulnerabilities fixed after release of 3.1.20... The last version compatible with Thunderbird 3.1.20 is Enigmail 1.1.2, released in June 2010. Current Enigmail 1.7 supports only Thunderbird 31 and 24. I strongly recommend you to upgrade at least to Thunderbird 24.7.0 and Enigmail 1.7. -- Kosuke Kaizuka signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: [Enigmail] [ANN] Enigmail v1.7 available
On 19-07-2014 15:29, John Clizbe wrote: > As there are many Enigmail users who read this list, but not [Enigmail], I'm > forwarding the announcement of the newest release of Enigmail, v1.7. > There are quite a few changes in this release. Not compatible with Thunderbird 3.1.20. And considering the way Mozilla is currently adding bloat to all its programs (Hi Netscape 4.0), I don't see any reason to upgrade. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] [security fix] Libgcrypt and GnuPG
On Sat, 9 Aug 2014 01:24, p...@heypete.com said: >> The GPG4Win folks are gearing up for a new release this August. > > Excellent. I look forward to it. The problem with gpg4win is that it is hard to build in particular the KDE stuff can't be easily cross compiled. It is quite some work to maintain this software and donations are very low. My tentative plan is now to separate GnuPG proper from the other stuff and provide it as a separate installer (for gnupg 2.1) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg - pgp reading signed files
On Fri, 8 Aug 2014 22:31, joh...@vulcan.xs4all.nl said: > Is there any chance of solving this issue or is rfc1991 considered > abandoned? Right. I does not make any sense to try to be compatible to PGP 2. It is nice that you can decrypt PGP2 files but everything else is useless. Face it: PGP 2 signatures are broken and a good signature status does not mean anything. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
