Bug 1764018 (CVE-2019-13627) - CVE-2019-13627 libgcrypt: ECDSA timing attack allowing private key leak
Summary: CVE-2019-13627 libgcrypt: ECDSA timing attack allowing private key leak
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-13627
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1764019 1764020 1764021 1764918
Blocks: 1760783
Reported: 2019-10-22 07:32 UTC by msiddiqu
Modified: 2023-09-07 20:50 UTC (History)

Fixed In Version: libgcrypt 1.8.5
Doc Type: If docs needed, set a value
Doc Text:
A timing attack was found in the way ECDSA was implemented in libgcrypt. A man-in-the-middle attacker could use this attack during signature generation to recover the private key. This attack is only feasible when the attacker is local to the machine where the signature is being generated. Attacks over the network or via the internet are not feasible.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:22:43 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:4482 | 0 | None | None | None | 2020-11-04 01:22:15 UTC

Comment 1 msiddiqu 2019-10-22 07:33:20 UTC
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1764019]


Created mingw-libgcrypt tracking bugs for this issue:

Affects: epel-7 [bug 1764021]
Affects: fedora-all [bug 1764020]

Comment 2 Huzaifa S. Sidhpurwala 2019-10-24 03:49:44 UTC
Statement:

The versions of libgcrypt shipped with Red Hat Enterprise Linux 5, 6 and 7 do not support ECC, therefore they are not affected by this flaw.

Comment 3 Huzaifa S. Sidhpurwala 2019-10-24 03:49:49 UTC
External References:

https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5
https://dev.gnupg.org/T4683

Comment 8 errata-xmlrpc 2020-11-04 01:22:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4482 https://access.redhat.com/errata/RHSA-2020:4482

Comment 9 Product Security DevOps Team 2020-11-04 02:22:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13627

