CVE-2017-0379

Severity: Medium
Remote: No
Type: Private key recovery
Description
Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c. On multi-user systems or on hosts running virtual machines, this attack may be used to steal private keys.
Group    Package          Affected  Fixed    Severity  Status  Ticket
AVG-403  lib32-libgcrypt  1.8.0-1   1.8.1-1  Medium    Fixed
AVG-402  libgcrypt        1.8.0-1   1.8.1-1  Medium    Fixed
Date         Advisory       Group    Package          Severity  Description
18 Sep 2017  ASA-201709-14  AVG-403  lib32-libgcrypt  Medium    private key recovery
18 Sep 2017  ASA-201709-13  AVG-402  libgcrypt        Medium    private key recovery
References
https://lists.gnupg.org/pipermail/gnupg-announce/2017q3/000414.html
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9
https://eprint.iacr.org/2017/806