The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. References: https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1 https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2 https://eprint.iacr.org/2021/923
Created libgcrypt tracking bugs for this issue: Affects: fedora-all [bug 2002818] Created mingw-libgcrypt tracking bugs for this issue: Affects: fedora-all [bug 2002819]
Heya, my reading of the paper in [1] suggests it is about CVE-2021-33560 which was already fixed in libgcrypt 1.8.8. The part 2 [2] discus the side channel attack, but references the same commit as a fix. Can you clarify what is here expected to be fixed in libgcrypt, when it has separate CVE number? [1] https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1 [2] https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2 [3] https://github.com/gpg/libgcrypt/commit/632d80ef3
Todd, I did not see any question in your last comment so I am removing the needinfo. Just found out this CVE was discussed in the upstream issue handling this: https://dev.gnupg.org/T5328#149606 They claim that this new CVE is about the side-channel attacks and upstream do not consider it as a vulnerability for various reasons. But I would love if you could get some clarification of the CVE page. It is very unclear, not mentioning the fix, upstream issue, anything, just the 1.9.4 version [2]. The CVE-2021-33560 was fixed also in 1.8.8 and in 1.9.3 (which is not correct either -- it is mentioned in the NEWS, but the patch is only in 1.9.4) [3]. I will close the Fedora bug as all the updates are already in stable. [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40528 [2] https://dev.gnupg.org/source/libgcrypt/browse/master/NEWS;libgcrypt-1.9.4$6 [3] https://dev.gnupg.org/source/libgcrypt/browse/master/NEWS;libgcrypt-1.8.8$14
In reply to comment #5: > Todd, I did not see any question in your last comment so I am removing the > needinfo. > > Just found out this CVE was discussed in the upstream issue handling this: > > https://dev.gnupg.org/T5328#149606 > > They claim that this new CVE is about the side-channel attacks and upstream > do not consider it as a vulnerability for various reasons. > > But I would love if you could get some clarification of the CVE page. It is > very unclear, not mentioning the fix, upstream issue, anything, just the > 1.9.4 version [2]. The CVE-2021-33560 was fixed also in 1.8.8 and in 1.9.3 > (which is not correct either -- it is mentioned in the NEWS, but the patch > is only in 1.9.4) [3]. I'd be happy to check, but I do not have a clear communication stream with upstream at the moment. If we can get ahold of gniibe, that would be helpful. I've tried to register for an account there but am in a moderator queue for approval.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5311 https://access.redhat.com/errata/RHSA-2022:5311
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-40528