GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526

Bug #1785176 reported by Elegie
Affects: gnupg (Ubuntu); Status: Fix Released; Importance: Medium; Assigned to: Unassigned; Milestone: (not set)

Bug Description

According to the information at the GnuPG Web site (https://www.gnupg.org/), GnuPG 1.4.23 was released on 2018-06-11 "to address the critical security bug CVE-2017-7526."

https://www.gnupg.org/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526

In addition, according to the information on the GnuPG news page (https://www.gnupg.org/news.html) GnuPG 1.4.22 was released on 2017-07-19 "to address the recently published local side channel attack CVE-2017-7526."

https://www.gnupg.org/news.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526

On the same page, it is mentioned that GnuPG 1.4.21 was released around 2016-08-17 to address the issue in CVE-2016-6313.

https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html (Note that the CVE id in the message is not correct)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313

The changelog for the gnupg package version 1.4.20-1ubuntu3.2 mentions fixes for CVE-2018-12020 and CVE-2016-6313. There is no mention of CVE-2017-7526.

http://changelogs.ubuntu.com/changelogs/pool/main/g/gnupg/gnupg_1.4.20-1ubuntu3.2/changelog

Your attention to this issue is appreciated.

Alex Murray (alexmurray)
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote:

Thank you for your attention to detail. CVE-2017-7526 was fixed in USN-3347-1 and -2 by patching the libgcrypt20 and libgcrypt11 source packages:

https://usn.ubuntu.com/3347-1/
https://usn.ubuntu.com/3347-2/

You can track our work per-cve on https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7526.html and similar pages, which will show the source packages that may be affected by any given CVE.

Thanks

Alex Murray (alexmurray) wrote:

Thanks for reporting this - FYI you can see the status of each CVE via the CVE tracker http://people.canonical.com/~ubuntu-security/cve/

i.e.

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7526.html

This CVE was triaged against libgcrypt only - not against gnupg1 - and all the upstream CVE trackers only seem to reference this CVE against libgcrypt. I can see the mention of CVE-2017-7526 on their homepage for GnuPG 1.4.23, however looking at the changes for 1.4.23 I can see no commits that appear relevant to this CVE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=shortlog;h=refs/heads/STABLE-BRANCH-1-4

However, if we look at the changes that went into 1.4.22 then there are a bunch of changes which look analogous to the ones for libgcrypt for CVE-2017-7526:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=b38f4489f75e6e435886aa885807738a22c7ff60
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=12029f83fd0ab3e8ad524f6c9135854662fddfd1
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=554ded4854758bf6ca268432fa087f946932a409
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fd9f72e1b2e578e45c98c978cab4f6d47683d2c

Also I can't see any release announcements for 1.4.22 or 1.4.23 in gnupg-announce either, which is unfortunate.

I will retriage this against gnupg1 as well and this will be fixed soon.

Alex Murray (alexmurray) wrote:
Changed in gnupg (Ubuntu):
status: New → Fix Released
Mathew Hodson (mhodson)
Changed in gnupg (Ubuntu):
importance: Undecided → Medium