system/libgcrypt: multiple vulnerabilities
| Bugzilla ID | 119 |
| Alias(es) | CVE-2019-12904, CVE-2019-13627 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-26 12:26:46 -0500 |
| Modified | 2020-06-22 06:22:39 -0500 |
| Status | CONFIRMED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | system/libgcrypt |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-12904 |
Description
In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a
flush-and-reload side-channel attack because physical addresses are
available to other processes. (The C implementation is used on
platforms where an assembly-language implementation is unavailable.)
From gcrypt-devel@gnupg.org: https://lists.gnupg.org/pipermail/gcrypt-devel/2019-July/004760.html
I was wondering if the vulnerability has been determined to be
legitimate and if we will see a new release with this vulnerability
Not yet and thus don't see a reason for any immediate action. In
fact, static tables are very common in crypto software and thus many
more AES implementations would be affected.
Waiting on new release.