CVE-2017-9526

NameCVE-2017-9526
DescriptionIn Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3880-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libgcrypt11 (PTS)wheezy1.5.0-5+deb7u4fixed
wheezy (security)1.5.0-5+deb7u6fixed
libgcrypt20 (PTS)jessie (security), jessie1.6.3-2+deb8u4fixed
stretch (security), stretch1.7.6-2+deb9u1fixed
buster, sid1.7.8-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libgcrypt11source(unstable)(not affected)
libgcrypt20source(unstable)1.7.6-2medium
libgcrypt20sourcejessie1.6.3-2+deb8u3mediumDSA-3880-1

Notes

- libgcrypt11 <not-affected> (Curve Ed25519 signing and verification introduced in 1.6.0)
master: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5a22de904a0a366ae79f03ff1e13a1232a89e26b
1.7.x: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56
Curve Ed25519 signing and verification inplemented in 1.6.0 with
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=bc5199a02abe428ad377443280b3eda60141a1d6
and following refactorings.

Search for package or bug name: Reporting problems