LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Ubuntu alert USN-1923-1 (gnupg, libgcrypt11)



From:
    	      Seth Arnold <seth.arnold@canonical.com> 


To:
    	      ubuntu-security-announce@lists.ubuntu.com 


Subject:
    	      [USN-1923-1] GnuPG, Libgcrypt vulnerability 


Date:
    	      Wed, 31 Jul 2013 18:48:37 -0700


Message-ID:
    	      <20130801014837.GA21160@hunt>


Archive-link:
    	      Article, Thread
              


==========================================================================
Ubuntu Security Notice USN-1923-1
August 01, 2013

gnupg, libgcrypt11 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

GnuPG and Libgcrypt could be made to expose sensitive information.

Software Description:
- gnupg: GNU privacy guard - a free PGP replacement
- libgcrypt11: LGPL Crypto library - runtime library

Details:

Yuval Yarom and Katrina Falkner discovered a timing-based information leak,
known as Flush+Reload, that could be used to trace execution in programs.
GnuPG and Libgcrypt followed different execution paths based on key-related
data, which could be used to expose the contents of private keys.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  gnupg                           1.4.12-7ubuntu1.1
  libgcrypt11                     1.5.0-3ubuntu2.2

Ubuntu 12.10:
  gnupg                           1.4.11-3ubuntu4.2
  libgcrypt11                     1.5.0-3ubuntu1.1

Ubuntu 12.04 LTS:
  gnupg                           1.4.11-3ubuntu2.3
  libgcrypt11                     1.5.0-3ubuntu0.2

Ubuntu 10.04 LTS:
  gnupg                           1.4.10-2ubuntu1.3
  libgcrypt11                     1.4.4-5ubuntu2.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1923-1
  CVE-2013-4242

Package Information:
  https://launchpad.net/ubuntu/+source/gnupg/1.4.12-7ubuntu1.1
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.5.0-3u...
  https://launchpad.net/ubuntu/+source/gnupg/1.4.11-3ubuntu4.2
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.5.0-3u...
  https://launchpad.net/ubuntu/+source/gnupg/1.4.11-3ubuntu2.3
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.5.0-3u...
  https://launchpad.net/ubuntu/+source/gnupg/1.4.10-2ubuntu1.3
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.4.4-5u...

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds