#14534: libgcrypt-1.9.1
-----------------------------+-----------------------
Reporter: pierre.labastie | Owner: renodr
Type: enhancement | Status: assigned
Priority: normal | Milestone: 10.1
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-----------------------------+-----------------------
Comment (by renodr):
Now 1.9.1
{{{
Hello!
We have to announce the availability of Libgcrypt version 1.9.1.
This version fixes a *critical security bug* in the recently released
version 1.9.0. If you are already using 1.9.0 please update immediately
to 1.9.1.
Libgcrypt is a general purpose library of cryptographic building blocks.
It is originally based on code used by GnuPG. It does not provide any
implementation of OpenPGP or other protocols. Thorough understanding of
applied cryptography is required to use Libgcrypt.
Impact and timeline
===================
Only one released version is affected:
- Libgcrypt 1.9.0 (released 2021-01-19)
All other versions are not affected.
On 2021-01-28 Tavis Ormandy contacted us to report a severe bug in 1.9.0
which he found while testing GnuPG:
There is a heap buffer overflow in libgcrypt due to an incorrect
assumption in the block buffer management code. Just decrypting some
data can overflow a heap buffer with attacker controlled data, no
verification or signature is validated before the vulnerability
occurs.
The bug was introduced during the the 1.9 development phase about two
years ago with commit e76617cbab018dd8f41fd6b4ec6740b5303f7e13 (Reduce
overhead on generic hash write function).
Exploiting this bug is simple and thus immediate action for 1.9.0 users
is required. A CVE-id has not yet been assigned. We track this bug at
https://dev.gnupg.org/T5275. The 1.9.0 tarballs on our FTP server have
been renamed so that scripts won't be able to get this version anymore.
Solution
========
If Libgcrypt versions 1.9.0 is in use please update immediately to
version 1.9.1.
If you are using the 1.8 LTS branch you are not affected. While you are
checking anyway please make sure that you have at least 1.8.5.
If you are using a development version build taken from our Git
repository you need to update as well. NB: The use of non-released
versions in a production environment is strongly discouraged.
There is yet no released GnuPG version hich requires Libgcrypt 1.9
Noteworthy changes in Libgcrypt 1.9.1
=====================================
* Bug fixes:
- *Fix exploitable bug* in hash functions introduced with 1.9.0.
[#5275]
- Return an error if a negative MPI is used with sexp scan
functions. [#4964]
- Check for operational FIPS in the random and KDF functions.
[#5243]
- Fix compile error on ARMv7 with NEON disabled. [#5251]
- Fix self-test in KDF module. [#5254]
- Improve assembler checks for better LTO support. [#5255]
- Fix assember problem on macOS running on M1. [#5157]
- Support older macOS without posix_spawn. [#5159]
- Fix 32-bit cross build on x86. [#5257]
- Fix non-NEON ARM assembly implementation for SHA512. [#5263]
- Fix build problems with the cipher_bulk_ops_t typedef. [#5264]
- Fix Ed25519 private key handling for preceding ZEROs. [#5267]
- Fix overflow in modular inverse implementation. [#5269]
- Fix register access for AVX/AVX2 implementations of Blake2.
[#5271].
* Performance:
- Add optimized cipher and hash functions for s390x/zSeries.
- Use hardware bit counting functionx when available.
* Internal changes:
- The macOS getentropy syscall is used when available. [#5268]
- Update DSA functions to match FIPS 186-3. [30ed9593f6]
- New self-tests for CMACs and KDFs. [385a89e35b,7a0da24925]
- Add bulk cipher functions for OFB and GCM modes.
[f12b6788f2,f4e63e92dc]
For a list of links to commits and bug numbers
see the release info at https://dev.gnupg.org/T5259
}}}
Even though we don't have 1.9.0 in the book right now, if anyone did
install it, please make sure that you update ASAP.
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/14534#comment:3>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
