CVE-2016-6313

NameCVE-2016-6313
DescriptionThe mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-600-1, DLA-602-1, DSA-3649-1, DSA-3650-1
NVD severitymedium (attack range: remote)
Debian Bugs834893, 834894

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg (PTS)wheezy1.4.12-7+deb7u7vulnerable
wheezy (security)1.4.12-7+deb7u8fixed
jessie1.4.18-7+deb8u3fixed
jessie (security)1.4.18-7+deb8u2fixed
gnupg1 (PTS)buster, sid, stretch1.4.21-4fixed
gnupg2 (PTS)wheezy, wheezy (security)2.0.19-2+deb7u2fixed
jessie2.0.26-6+deb8u1fixed
stretch2.1.18-6fixed
buster, sid2.1.18-8fixed
libgcrypt11 (PTS)wheezy1.5.0-5+deb7u4vulnerable
wheezy (security)1.5.0-5+deb7u6fixed
libgcrypt20 (PTS)jessie1.6.3-2+deb8u2fixed
jessie (security)1.6.3-2+deb8u4fixed
stretch1.7.6-2fixed
stretch (security)1.7.6-2+deb9u1fixed
buster, sid1.7.8-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupgsource(unstable)(unfixed)medium834893
gnupgsourcejessie1.4.18-7+deb8u2mediumDSA-3649-1
gnupgsourcewheezy1.4.12-7+deb7u8mediumDLA-602-1
gnupg1source(unstable)1.4.21-1medium834894
gnupg2source(unstable)(not affected)
libgcrypt11source(unstable)(unfixed)medium
libgcrypt11sourcewheezy1.5.0-5+deb7u5mediumDLA-600-1
libgcrypt20source(unstable)1.7.3-1medium
libgcrypt20sourcejessie1.6.3-2+deb8u2mediumDSA-3650-1

Notes

- gnupg2 <not-affected> (Uses system libgcrypt)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e23eec8c9a602eee0a09851a54db0f5d611f125c
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c6dbfe89903d0c8191cf50ecf1abb3c8458b427a
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2f62103b4bb6d6f9ce806e01afb7fdc58aa33513 (1.7)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=8dd45ad957b54b939c288a68720137386c7f6501 (1.7)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=190b0429b70eb4a3573377e95755d9cc13c38461 (1.6)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=c748f87436d693f092a4484571a3cc7f650b5c81 (1.6)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=98980e2fd29ad62903c78fa6521489fce651cdda
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=6199cd963d1fba86e0b7b9e2de4b6c00b945193a
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html

Search for package or bug name: Reporting problems