Page MenuHome GnuPG

Members

  • This project does not have any members.
  • View All

Watchers

  • This project does not have any watchers.
  • View All

Details

Description

This bug has an associated CVE id.

Such bugs often have restricted access before the publication. Take care that this bug tracker does not yet encrypt mails to subscribers, so for highly sensitive issues take care what you comment in the report while it is still restricted.

Recent Activity

Dec 22 2022

werner added a project to T6284: Another integer overflow in Libksba: CVE.

This bug is CVE-2022-47629

Dec 22 2022, 10:48 AM · CVE, Bug Report, libksba

Dec 6 2022

werner updated the task description for T6230: Release Libksba 1.6.2 (CVE-2022-3515).
Dec 6 2022, 2:23 PM · CVE, Release Info, libksba

Oct 28 2022

werner closed T5947: Release GnuPG 2.3.7 as Resolved.
Oct 28 2022, 4:05 PM · CVE, Release Info, gnupg (gpg23)

Oct 18 2022

werner closed T6230: Release Libksba 1.6.2 (CVE-2022-3515) as Resolved.
Oct 18 2022, 7:52 AM · CVE, Release Info, libksba

Oct 17 2022

werner added a comment to T6230: Release Libksba 1.6.2 (CVE-2022-3515).

Fixed Gpg4win version: https://lists.wald.intevation.org/pipermail/gpg4win-announce/2022/000098.html

Oct 17 2022, 3:03 PM · CVE, Release Info, libksba
werner set External Link to https://gnupg.org/blog/20221017-pepe-left-the-ksba.html on T6230: Release Libksba 1.6.2 (CVE-2022-3515).
Oct 17 2022, 9:26 AM · CVE, Release Info, libksba
werner added a comment to T6230: Release Libksba 1.6.2 (CVE-2022-3515).

As usual see https://gnupg.org/download for links to the latest packages. For Gpg4win see https://gpg4win.org

Oct 17 2022, 9:25 AM · CVE, Release Info, libksba
werner reopened T6230: Release Libksba 1.6.2 (CVE-2022-3515) as "Open".
Oct 17 2022, 7:56 AM · CVE, Release Info, libksba
werner renamed T6230: Release Libksba 1.6.2 (CVE-2022-3515) from Release Libksba 1.6.2 to Release Libksba 1.6.2 (CVE-2022-3515).
Oct 17 2022, 7:56 AM · CVE, Release Info, libksba
werner updated the task description for T6230: Release Libksba 1.6.2 (CVE-2022-3515).
Oct 17 2022, 7:46 AM · CVE, Release Info, libksba

Oct 11 2022

werner added a project to T6230: Release Libksba 1.6.2 (CVE-2022-3515): CVE.
Oct 11 2022, 10:43 AM · CVE, Release Info, libksba

Jul 29 2022

bernhard added a comment to T5947: Release GnuPG 2.3.7.

As 2.3.7 was released on the 11th of July, see https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html
I guess that this issue should be closed and some issues moved to one with 2.3.8.

Jul 29 2022, 2:55 PM · CVE, Release Info, gnupg (gpg23)

Jul 26 2022

werner closed T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high) as Resolved.
Jul 26 2022, 9:17 PM · gnupg (gpg22), CVE, gpg4win
werner updated the task description for T5947: Release GnuPG 2.3.7.
Jul 26 2022, 7:40 PM · CVE, Release Info, gnupg (gpg23)
werner closed T5949: Release GnuPG 2.2.36 as Resolved.
Jul 26 2022, 7:34 PM · CVE, gnupg (gpg22), Release Info
werner updated the task description for T5949: Release GnuPG 2.2.36.
Jul 26 2022, 7:31 PM · CVE, gnupg (gpg22), Release Info

Apr 7 2022

werner added a comment to T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high).

Updated the copy on our mirror as welll as the gpg4win and swdb packages files.

Apr 7 2022, 11:45 AM · gnupg (gpg22), CVE, gpg4win

Apr 5 2022

werner lowered the priority of T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high) from Unbreak Now! to High.

The fix is from 2018 but was not picked up widely; see
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Apr 5 2022, 12:14 PM · gnupg (gpg22), CVE, gpg4win

Mar 17 2022

werner closed T5880: Old version of Zlib in GnuPG as Resolved.

SWDB updated - thus the latest zlib will be part of the next Windows build.

Mar 17 2022, 8:04 AM · CVE, gnupg (gpg22), gpg4win

Mar 15 2022

werner raised the priority of T5880: Old version of Zlib in GnuPG from Low to Normal.

All 4 CVEs are findings related to standard conforming compiler optimizations which OTOH break long standing assumptions on C coding. “Let us show that our compiler produces the fastes code ever and ignore any assumptions coders had made over the last 50 year”.

Mar 15 2022, 3:22 PM · CVE, gnupg (gpg22), gpg4win

Sep 14 2021

mdeslaur added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

Thanks for the clarification!

Sep 14 2021, 12:41 PM · side-channel, CVE, libgcrypt
gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

The problem of (2), is local side-channel attacks to ElGamal encryption.
We evaluated the impact, mainly for the use case of GnuPG; ElGamal keys are not that popular any more. When such an attack is possible, easier attacks would be possible.

Sep 14 2021, 7:52 AM · side-channel, CVE, libgcrypt
gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

The paper addresses two issues.
(1) https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
(2) https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2

Sep 14 2021, 7:46 AM · side-channel, CVE, libgcrypt

Sep 13 2021

mdeslaur added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

I looks like the "cipher: Hardening ElGamal by introducing exponent blinding too." commit [1] was never applied to 1.8.x. Is that intentional? If so, is there a specific reasoning that it's not needed in 1.8.x? Thanks!

Sep 13 2021, 2:55 PM · side-channel, CVE, libgcrypt

Aug 22 2021

werner closed T5328: On the (in)security of Elgamal in OpenPGP as Resolved.
Aug 22 2021, 6:13 PM · side-channel, CVE, libgcrypt

Jul 12 2021

werner set External Link to https://eprint.iacr.org/2021/923.pdf on T5328: On the (in)security of Elgamal in OpenPGP.
Jul 12 2021, 6:11 PM · side-channel, CVE, libgcrypt

Jun 4 2021

werner lowered the priority of T5328: On the (in)security of Elgamal in OpenPGP from High to Normal.
Jun 4 2021, 7:52 AM · side-channel, CVE, libgcrypt
werner changed the visibility for T5328: On the (in)security of Elgamal in OpenPGP.
Jun 4 2021, 7:52 AM · side-channel, CVE, libgcrypt

May 25 2021

gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

CVE-2021-33560

May 25 2021, 2:46 AM · side-channel, CVE, libgcrypt

May 21 2021

gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

Let me rephrase from a viewpoint of mine (an implementer).

May 21 2021, 3:59 AM · side-channel, CVE, libgcrypt

May 20 2021

gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

The paper describes another problem: interoperability (or interpretation) of "ElGamal encryption", and its impact.

May 20 2021, 8:51 AM · side-channel, CVE, libgcrypt

Apr 12 2021

gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

Do we have CVE number assigned?

Apr 12 2021, 7:52 AM · side-channel, CVE, libgcrypt

Apr 9 2021

werner added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

This would be difficult to set up for DSA. Remotely controlled
environment, asking signing same message, using deterministic
DSA... would be not that practical.

Apr 9 2021, 7:15 PM · side-channel, CVE, libgcrypt

Apr 8 2021

gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

So, in my opinion, applying the patch for ElGamal exponent blinding is enough (for now).

Apr 8 2021, 6:22 AM · side-channel, CVE, libgcrypt
gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

For DSA, I had assumed similar attack could be effective.

Apr 8 2021, 6:22 AM · side-channel, CVE, libgcrypt

Mar 31 2021

werner added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

Our tentative plan is:

Mar 31 2021, 1:34 PM · side-channel, CVE, libgcrypt

Mar 24 2021

werner shifted T5328: On the (in)security of Elgamal in OpenPGP from the Restricted Space space to the S1 Public space.
Mar 24 2021, 2:50 PM · side-channel, CVE, libgcrypt
werner changed the visibility for T5328: On the (in)security of Elgamal in OpenPGP.
Mar 24 2021, 2:50 PM · side-channel, CVE, libgcrypt

Mar 11 2021

werner added a project to T5328: On the (in)security of Elgamal in OpenPGP: side-channel.
Mar 11 2021, 4:22 PM · side-channel, CVE, libgcrypt

Feb 25 2021

werner created T5328: On the (in)security of Elgamal in OpenPGP in the Restricted Space space.
Feb 25 2021, 10:01 AM · side-channel, CVE, libgcrypt

Feb 12 2021

werner closed T5259: Release Libgcrypt 1.9.1, a subtask of T5275: Exploitable overflow in Libgcrypt 1.9.0, as Resolved.
Feb 12 2021, 12:34 PM · CVE, libgcrypt

Feb 3 2021

werner closed T5275: Exploitable overflow in Libgcrypt 1.9.0 as Resolved.
Feb 3 2021, 8:07 AM · CVE, libgcrypt

Jan 29 2021

werner changed External Link from https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html to https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html on T5275: Exploitable overflow in Libgcrypt 1.9.0.
Jan 29 2021, 12:34 PM · CVE, libgcrypt
werner changed the status of T5275: Exploitable overflow in Libgcrypt 1.9.0 from Open to Testing.

Fix has been released. Keeping this in testing state for easier visibility of this task.

Jan 29 2021, 11:27 AM · CVE, libgcrypt
werner changed the status of T5259: Release Libgcrypt 1.9.1, a subtask of T5275: Exploitable overflow in Libgcrypt 1.9.0, from Open to Testing.
Jan 29 2021, 11:25 AM · CVE, libgcrypt
werner added a subtask for T5275: Exploitable overflow in Libgcrypt 1.9.0: T5259: Release Libgcrypt 1.9.1.
Jan 29 2021, 10:14 AM · CVE, libgcrypt
werner created T5275: Exploitable overflow in Libgcrypt 1.9.0.
Jan 29 2021, 10:13 AM · CVE, libgcrypt

Sep 4 2020

werner closed T5050: AEAD preference list overflow in 2.2 as Resolved.

Gpg4win 3.113 has also been released. Thus closing this issue.

Sep 4 2020, 5:23 PM · gnupg (gpg22), CVE
werner added a comment to T5050: AEAD preference list overflow in 2.2.

Small correction: The fixed byte I talked about may have the values 1, 2, 3, or 4.

Sep 4 2020, 9:06 AM · gnupg (gpg22), CVE

Sep 3 2020

werner added a comment to T5050: AEAD preference list overflow in 2.2.

This has CVE-2020-25125

Sep 3 2020, 9:56 PM · gnupg (gpg22), CVE