Gentoo update for GnuPG

Published: 2016-06-05 | Updated: 2016-09-25

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2014-3591 CVE-2015-0837
CWE-ID	CWE-200 CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Gentoo Linux Operating systems & Components / Operating system
Vendor	Gentoo

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU30571

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-3591

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.

Mitigation

Update the affected packages.
app-crypt/gnupg to version: 2.0.26-r3
dev-libs/libgcrypt to version: 1.6.3-r4

Vulnerable software versions

Gentoo Linux: All versions

External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/201606-04

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU33822

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-0837

CWE-ID: CWE-20 - Improper input validation