A vulnerability in Libgcrypt could allow a local attacker to recover sensitive information.
Package | dev-libs/libgcrypt on all architectures |
---|---|
Affected versions | < 1.8.5 |
Unaffected versions | >= 1.8.5 |
Libgcrypt is a general purpose cryptographic library derived out of GnuPG.
A timing attack was found in the way ECCDSA was implemented in Libgcrypt.
A local man-in-the-middle attacker, during signature generation, could possibly recover the private key.
There is no known workaround at this time.
All Libgcrypt users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.8.5"
Release date
March 15, 2020
Latest revision
March 15, 2020: 1
Severity
low
Exploitable
local
Bugzilla entries