Libgcrypt: Side-channel attack — GLSA 202003-32

A vulnerability in Libgcrypt could allow a local attacker to recover sensitive information.

Affected packages

dev-libs/libgcrypt on all architectures
Affected versions < 1.8.5
Unaffected versions >= 1.8.5

Background

Libgcrypt is a general purpose cryptographic library derived out of GnuPG.

Description

A timing attack was found in the way ECCDSA was implemented in Libgcrypt.

Impact

A local man-in-the-middle attacker, during signature generation, could possibly recover the private key.

Workaround

There is no known workaround at this time.

Resolution

All Libgcrypt users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.8.5"
 

References

Release date
March 15, 2020

Latest revision
March 15, 2020: 1

Severity
low

Exploitable
local

Bugzilla entries