
CVE-2019-12904 and the next libgcrypt release.
Hi!

LIBGCRYPT developers and users are aware of the libgcrypt vulnerability CVE-2019-12904:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12904

libgcrypt master branch has 2 commits that address this vulnerability:

https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762

Since these commits are in the master branch, and the latest libgcrypt release
is 1.8.4 (diverged branch), the 2 commits do not apply onto the
libgcrypt-1.8.4 branch HEAD without conflicts.

Would anyone know:

1) What the next release (with the CVE-2019-12904 fixes) is going to be (1.8.5 / 1.9)?
2) When the next release (with the CVE-2019-12904 fixes) will be announced?

Thanks for any feedback on this issue!
_
Asif

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
Re: CVE-2019-12904 and the next libgcrypt release.
On Fri, 21 Jun 2019 20:08, gcrypt-devel@gnupg.org said:

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12904

See https://dev.gnupg.org/T4541 where I commented:

Andreas, I wonder on which grounds you assigned a CVE for this claimed
side-channel attack. The mentioned paper is about an old RSA
side-channel and not on AES. I would like to see more facts than the
reference to a guy who "knows PPC pretty well".


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: CVE-2019-12904 and the next libgcrypt release.
On 2019-06-23 Werner Koch via Gcrypt-devel <gcrypt-devel@gnupg.org> wrote:
> On Fri, 21 Jun 2019 20:08, gcrypt-devel@gnupg.org said:
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12904

> See https://dev.gnupg.org/T4541 where I commented:

> Andreas, I wonder on which grounds you assigned a CVE for this claimed
> side-channel attack. The mentioned paper is about an old RSA
> side-channel and not on AES. I would like to see more facts than the
> reference to a guy who "knows PPC pretty well".

Hello Werner,

I did not assign (or request) the CVE, I just did a little bit of
housekeeping, adding a pointer to the CVE number in the bug report. ;-)

cu Andreas

RE: CVE-2019-12904 and the next libgcrypt release.
Hi Werner, Andreas!

I was wondering if the vulnerability has been determined to be
legitimate and if we will see a new release with this vulnerability
addressed?
If so, I am looking to understand a timeline, so that I can address
this issue with our Clear Linux libgcrypt package release schedule.

Thanks very much, and I really appreciate any feedback/help!
_
Asif

Re: CVE-2019-12904 and the next libgcrypt release.
On Wed, 26 Jun 2019 18:13, asif.haswarey@intel.com said:

> I was wondering if the vulnerability has been determined to be
> legitimate and if we will see a new release with this vulnerability

Not yet and thus don't see a reason for any immediate action. In fact,
static tables are very common in crypto software and thus many more AES
implementations would be affected.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.