Page MenuHome GnuPG
Create Task
Maniphest T4011

CVE-2018-0495
Closed, ResolvedPublic
Actions

Description

This is to track fixes for this side channel attack.

Timeline:

  • 2018-05-24 - security@gnupg org was notified and received a draft paper
  • 2018-05-28 - @gniibe proposed a first patch for evaluation
  • 2018-05-28 - a CVE id was assigned on the researches request
  • 2018-05-31 - we received confirmation that the patch mitigates the issue.
  • 2018-06-13 - we released new Libgcrypt versions and a new windows installer.
  • 2018-06-13 - public disclosure by NCC Group

Details

Due Date
Jun 13 2018, 12:00 AM

Related Objects
Search...

StatusAssignedTask
 ResolvedNoneT4011 CVE-2018-0495
 Resolved wernerT4016 Libgcrypt release 1.8.3

Event Timeline

werner created this task.Jun 8 2018, 9:50 AM
werner created this object with visibility "Subscribers".
werner created this object with edit policy "Subscribers".
werner updated the task description. (Show Details)Jun 8 2018, 10:12 AM
werner added a project: CVE.Jun 8 2018, 10:15 AM
werner created subtask T4016: Libgcrypt release 1.8.3.Jun 11 2018, 9:55 AM
werner added a subscriber: kryan_ncc.Jun 12 2018, 1:12 PM

Publication is planned for the 13th, 1500Z

gniibe added a comment.Jun 13 2018, 8:59 AM

In master, it's

commit 9010d1576e278a4274ad3f4aa15776c28f6ba965
Author: NIIBE Yutaka <gniibe@fsij.org>
Date:   Wed Jun 13 15:28:58 2018 +0900

    ecc: Add blinding for ECDSA.

and

[LIBGCRYPT-1.8-BRANCH 9be06c6b] ecc: Add blinding for ECDSA.
[LIBGCRYPT-1-7-BRANCH 325ab0b3] ecc: Add blinding for ECDSA.
gniibe added a comment.Jun 13 2018, 9:05 AM

Pushed fixes to the repository at 16:00+0900 (09:00+0200). It's 0700Z.

werner closed subtask T4016: Libgcrypt release 1.8.3 as Resolved.Jun 13 2018, 10:39 AM

Releases are now available. Next task is to build a new GnuPG Windows installer.

werner added a comment.Jun 13 2018, 12:38 PM

A new installer for GnuPG with Libgcrypt 1.8.3 is now available.

werner updated the task description. (Show Details)Jun 13 2018, 12:40 PM
werner changed the visibility from "Subscribers" to "Public (No Login Required)".
gniibe added a comment.Jun 13 2018, 1:02 PM

Informed Debian security team about our change of libgcrypt.

werner added a comment.Jun 13 2018, 5:40 PM

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

werner added a comment.Jun 13 2018, 6:32 PM

Here is our announcement: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html

werner closed this task as Resolved.Jun 13 2018, 6:33 PM
werner updated the task description. (Show Details)
werner mentioned this in T4294: Release Libgcrypt 1.9.0.Jan 19 2021, 10:17 AM