-   Slackware (
-   -   [Slackware-security] GnuPG flush+reload attack (lather+rinse+repeat) (

mancha 07-26-2013 04:51 PM

[Slackware-security] GnuPG flush+reload attack (lather+rinse+repeat)
This side-channel vulnerability has been assigned CVE-2013-4242 and affects gnupg 1.4.x (fixed
in 1.4.14) and gnupg 2.0.x via libgcrypt (fixed in libgcrypt 1.5.3).

The purpose of this message is two-fold. On the one hand, I wanted to give Pat a heads up
about the security releases though the urgency is somewhat limited given the complexity of
the attack. That said, GnuPG's reason for being is security so any vulnerability is worth
taking seriously.

I also want to share a very interesting paper describing the attack for those who enjoy
reading this kind of material.

One thing which stood out as I read it was the incredible efficacy of the attack. With only a
single signing/encryption round, over 98% of the bits of an RSA private key could be recovered.


mancha 08-23-2013 08:54 AM


[slackware-security] gnupg / libgcrypt (SSA:2013-215-01)

New gnupg and libgcrypt packages are available for Slackware 12.1, 12.2, 13.0,
13.1, 13.37, 14.0, and -current to fix a security issue. New libgpg-error
packages are also available for Slackware 13.1 and older as the supplied
version wasn't new enough to compile the fixed version of libgcrypt.
Tagging this solved.

All times are GMT -5. The time now is 08:42 PM.