[Bug 1785176] Re: GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526

Alex Murray alex.murray at canonical.com
Fri Aug 3 06:57:44 UTC 2018 

Thanks for reporting this - FYI you can see the status of each CVE via
the CVE tracker http://people.canonical.com/~ubuntu-security/cve/

ie.

https://people.canonical.com/~ubuntu-
security/cve/2017/CVE-2017-7526.html

This CVE was triaged against libgrypt only - not against gnupg1 - and
all the upstream CVE trackers only seem to reference this CVE against
libgcrypt. I can see the mention of CVE-2017-7526 on their homepage for
GnuPG 1.4.23, however looking at the changes for 1.4.23 I can see no
commits that appear relevant to this CVE: https://git.gnupg.org/cgi-
bin/gitweb.cgi?p=gnupg.git;a=shortlog;h=refs/heads/STABLE-BRANCH-1-4

However, if we look at the changes that went into 1.4.22 then there are
a bunch of changes which look analogous to the ones for libgrypt for
CVE-2017-7526:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=b38f4489f75e6e435886aa885807738a22c7ff60
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=12029f83fd0ab3e8ad524f6c9135854662fddfd1
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=554ded4854758bf6ca268432fa087f946932a409
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fd9f72e1b2e578e45c98c978cab4f6d47683d2c

Also I can't see any release annoucements for 1.4.22 or 1.4.23 in gnupg-
announce either which is unfortunate.

I will retriage this against gnupg1 as well and this will be fixed soon.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1785176

Title:
  GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526

Status in gnupg package in Ubuntu:
  New

Bug description:
  According to the information at the GnuPG Web site
  (https://www.gnupg.org/), GnuPG 1.4.23 was released on 2018-06-11 "to
  address the critical security bug CVE-2017-7526."

  https://www.gnupg.org/
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526

  In addition, according to the information on the GnuPG news page
  (https://www.gnupg.org/news.html) GnuPG 1.4.22 was released on
  2017-07-19 "to address the recently published local side channel
  attack CVE-2017-7526."

  https://www.gnupg.org/news.html
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526

  On the same page, it is mentioned that GnuPG 1.4.21 was released
  around 2016-08-17 to address the issue in CVE-2016-6313.

  https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html (Note that the CVE id in the message is not correct)
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313

  The changelog for the gnupg package version 1.4.20-1ubuntu3.2 mentions
  fixes for CVE-2018-12020 and CVE-2016-6313. There is no mention of
  CVE-2017-7526.

  http://changelogs.ubuntu.com/changelogs/pool/main/g/gnupg/gnupg_1.4.20-1ubuntu3.2/changelog

  Your attention to this issue is appreciated.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1785176/+subscriptions

More information about the foundations-bugs mailing list