Bug 1730320 (CVE-2019-12904)

Summary: CVE-2019-12904 Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: cfergeau, erik-fedora, fidencio, marcandre.lureau, rjones, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
[Disputed] A vulnerability has been identified in Libgcrypt due to a flaw in its C implementation of AES. This vulnerability enables a remote attacker to perform a flush-and-reload side-channel attack, potentially accessing sensitive information. The vulnerability arises from the availability of physical addresses to other processes, particularly on platforms lacking an assembly-language implementation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-09-17 14:38:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1730321, 1752913    
Bug Blocks: 1730324    

Description Marian Rehak 2019-07-16 12:46:41 UTC
In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)

External Reference:

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12904.html

Comment 1 Marian Rehak 2019-07-16 12:47:11 UTC
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1730321]

Comment 2 Marco Benatto 2019-09-17 14:38:36 UTC
This seems more of a theoretical attack possibility than a practical one. This seems to be the same opinion from upstream maintainers at https://dev.gnupg.org/T4541.
Given that, the patches look much more like a hardening. I'm closing this bug as WONTFIX for now.

Comment 3 Marco Benatto 2019-09-17 14:44:27 UTC
Created mingw-libgcrypt tracking bugs for this issue:

Affects: epel-7 [bug 1752913]

Comment 4 TEJ RATHI 2024-02-01 08:01:31 UTC
During governance (for flaws missing doctext), this CVE was encountered and listed on a customer portal [1] as having no description available.

Added appropriate doctext and statement.

[1] https://access.redhat.com/security/security-updates/cve?q=No+description+is+available&p=1&sort=cve_publicDate+desc&rows=10&documentKind=Cve