CVE-2018-0495
Closed, Resolved · Public

Description

This is to track fixes for this side channel attack.

Timeline:

  • 2018-05-24 - security@gnupg org was notified and received a draft paper
  • 2018-05-28 - @gniibe proposed a first patch for evaluation
  • 2018-05-28 - a CVE id was assigned at the researchers' request
  • 2018-05-31 - we received confirmation that the patch mitigates the issue.
  • 2018-06-13 - we released new Libgcrypt versions and a new Windows installer.
  • 2018-06-13 - public disclosure by NCC Group

Details

Due Date
Jun 13 2018, 12:00 AM

Related Objects

Status    Assigned  Task
Resolved  None
Resolved  werner

Event Timeline

werner created this object with visibility "Subscribers".
werner created this object with edit policy "Subscribers".

Publication is planned for the 13th, 1500Z

In master, it's

commit 9010d1576e278a4274ad3f4aa15776c28f6ba965
Author: NIIBE Yutaka <gniibe@fsij.org>
Date:   Wed Jun 13 15:28:58 2018 +0900

    ecc: Add blinding for ECDSA.

and

[LIBGCRYPT-1.8-BRANCH 9be06c6b] ecc: Add blinding for ECDSA.
[LIBGCRYPT-1-7-BRANCH 325ab0b3] ecc: Add blinding for ECDSA.

Pushed fixes to the repository at 16:00+0900 (09:00+0200). It's 0700Z.

Releases are now available. Next task is to build a new GnuPG Windows installer.

A new installer for GnuPG with Libgcrypt 1.8.3 is now available.

werner changed the visibility from "Subscribers" to "Public (No Login Required)".

Informed Debian security team about our change of libgcrypt.

werner updated the task description.