CVE-2018-0495
Closed, ResolvedPublic

Description

This is to track fixes for this side channel attack.

Timeline:

  • 2018-05-24 - security@gnupg org was notified and received a draft paper
  • 2018-05-28 - @gniibe proposed a first patch for evaluation
  • 2018-05-28 - a CVE id was assigned on the researcher's request
  • 2018-05-31 - we received confirmation that the patch mitigates the issue.
  • 2018-06-13 - we released new Libgcrypt versions and a new Windows installer.
  • 2018-06-13 - public disclosure by NCC Group

Details

Due Date
Wed, Jun 13, 12:00 AM

werner created this task. Fri, Jun 8, 9:50 AM
werner created this object with visibility "Subscribers".
werner created this object with edit policy "Subscribers".
werner updated the task description. Fri, Jun 8, 10:12 AM

Publication is planned for the 13th, 1500Z

In master, it's

commit 9010d1576e278a4274ad3f4aa15776c28f6ba965
Author: NIIBE Yutaka <gniibe@fsij.org>
Date:   Wed Jun 13 15:28:58 2018 +0900

    ecc: Add blinding for ECDSA.

and

[LIBGCRYPT-1.8-BRANCH 9be06c6b] ecc: Add blinding for ECDSA.
[LIBGCRYPT-1-7-BRANCH 325ab0b3] ecc: Add blinding for ECDSA.

Pushed fixes to the repository at 16:00+0900 (09:00+0200). It's 0700Z.

Releases are now available. Next task is to build a new GnuPG Windows installer.

A new installer for GnuPG with Libgcrypt 1.8.3 is now available.

werner updated the task description. Wed, Jun 13, 12:40 PM
werner changed the visibility from "Subscribers" to "Public (No Login Required)".

Informed Debian security team about our change of libgcrypt.

werner closed this task as Resolved. Wed, Jun 13, 6:33 PM
werner updated the task description.