#695 MacGPG2 potentially vulnerable to side-channel attack on RSA secret keys CVE-2017-7526 - MacGPG2

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#695 ✓released

MacGPG2 potentially vulnerable to side-channel attack on RSA secret keys CVE-2017-7526

Reported by Victor Hora | July 4th, 2017 @ 06:07 PM | in 2.2.0 (closed)

Hi,

First and foremost: great work on the project folks!

I've noticed the current build is using libgcrypt 1.6.x from last year.

I'm just wondering if a new build / beta should come out with the latest version (1.7.8) of libgcrypt in light of the new a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster" [1] [2]

"Note that this side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used.
Allowing execute access to a box with private keys should be considered
as a game over condition, anyway. Thus in practice there are easier
ways to access the private keys than to mount this side-channel attack.
However, on boxes with virtual machines this attack may be used by one
VM to steal private keys from another VM." [3]

[1] https://eprint.iacr.org/2017/627 [2] https://thehackernews.com/2017/07/gnupg-libgcrypt-rsa-encryption.ht... [3] https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html

Thanks!

Comments and changes to this ticket

Support July 5th, 2017 @ 11:01 AM
- Tag set to “”
Assigned to Tender discussion #53719.
steve July 5th, 2017 @ 11:04 AM
- Title changed from “MacGPG2 potentially vulnerable to side-channel attack on RSA secret keys?” to “MacGPG2 potentially vulnerable to side-channel attack on RSA secret keys CVE-2017-7526”
- Tag cleared.
- Importance changed from “” to “Low”
You flagged this item as spam.
Mento July 5th, 2017 @ 11:29 AM
- State changed from “new” to “fixed”
- Assigned user set to “Mento”
Fixed in the nightly.
steve July 5th, 2017 @ 12:00 PM
- State changed from “fixed” to “verified”
macOS 10.12.5
GPG Suite 1925n

verified

gpg2 --version
gpg (GnuPG/MacGPG2) 2.1.21
libgcrypt 1.7.8
Support July 5th, 2017 @ 12:05 PM
- Tag set to “”
Assigned to Tender discussion #2696.
steve July 24th, 2017 @ 03:33 PM
- Tag cleared.
steve September 25th, 2017 @ 04:20 PM
- State changed from “verified” to “released”
[bulk edit]

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Shared Ticket Bins (Sort)

↓↑ drag 20 Open tickets
↓↑ drag 0 Resolved tickets
↓↑ drag 0 This week's tickets

Gpgtools MacGPG2 → 2.2.0

MacGPG2 potentially vulnerable to side-channel attack on RSA secret keys CVE-2017-7526

Comments and changes to this ticket

Support July 5th, 2017 @ 11:01 AM

steve July 5th, 2017 @ 11:04 AM

Mento July 5th, 2017 @ 11:29 AM

steve July 5th, 2017 @ 12:00 PM

Support July 5th, 2017 @ 12:05 PM

steve July 24th, 2017 @ 03:33 PM

steve September 25th, 2017 @ 04:20 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Pages

Gpgtools MacGPG2 → 2.2.0

Keyword searching

MacGPG2 potentially vulnerable to side-channel attack on RSA secret keys CVE-2017-7526

Comments and changes to this ticket

Support July 5th, 2017 @ 11:01 AM

steve July 5th, 2017 @ 11:04 AM

Mento July 5th, 2017 @ 11:29 AM

steve July 5th, 2017 @ 12:00 PM

Support July 5th, 2017 @ 12:05 PM

steve July 24th, 2017 @ 03:33 PM

steve September 25th, 2017 @ 04:20 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Pages