libgcrypt: Multiple vulnerabilities — GLSA 201610-04

Multiple vulnerabilities have been fixed in libgcrypt, the worst of which results in predictable output from the random number generator.

Affected packages

dev-libs/libgcrypt on all architectures
Affected versions < 1.7.3
Unaffected versions >= 1.7.3

Background

libgcrypt is a general-purpose cryptographic library derived from GnuPG.

Description

Multiple vulnerabilities have been discovered in libgcrypt. Please review the CVE identifiers referenced below for details.

Impact

Side-channel attacks can leak private key information. A separate critical bug allows an attacker who obtains 4640 bits from the RNG to trivially predict the next 160 bits of output.

Workaround

There is no known workaround at this time.

Resolution

All libgcrypt users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.7.3"
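
The following script is an added example, not part of the advisory: it checks a version string against the 1.7.3 boundary given above and finds processes that still map the pre-upgrade library. The second check goes beyond the advisory's text: a process started before the upgrade keeps the old libgcrypt in memory until it is restarted. The function names and sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of GLSA 201610-04.
FIXED="1.7.3"   # first unaffected version, taken from the advisory

# is_affected VERSION: exit 0 if VERSION < FIXED, else 1.
# A Gentoo revision suffix such as -r1 is ignored.
# Usage on a live system: is_affected "$(libgcrypt-config --version)"
is_affected() {
    awk -v a="${1%%-r*}" -v b="$FIXED" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal to FIXED, so unaffected
    }'
}

# collect_maps: print "PID maps-line" for each readable /proc/PID/maps (Linux).
collect_maps() {
    for f in /proc/[0-9]*/maps; do
        pid=${f#/proc/}; pid=${pid%/maps}
        sed "s/^/$pid /" "$f" 2>/dev/null
    done
}

# stale_pids: read collect_maps output on stdin and print each PID that still
# maps a libgcrypt file replaced on disk (the kernel marks it "(deleted)").
stale_pids() {
    awk '/libgcrypt\.so/ && /\(deleted\)$/ { print $1 }' | sort -un
}

# Constructed sample input (PIDs, addresses and file names are made up).
SAMPLE='412 7f3a1c000000-7f3a1c0d2000 r-xp 00000000 08:01 1311 /usr/lib64/libgcrypt.so.20.1.2 (deleted)
412 7f3a1c2d2000-7f3a1c2d3000 rw-p 000d2000 08:01 1311 /usr/lib64/libgcrypt.so.20.1.2 (deleted)
977 7f9b44000000-7f9b440d4000 r-xp 00000000 08:01 2207 /usr/lib64/libgcrypt.so.20.1.3
1033 7f11a0000000-7f11a01c0000 r-xp 00000000 08:01 1188 /lib64/libc-2.23.so (deleted)'

for v in 1.6.6 1.7.2 1.7.3; do
    if is_affected "$v"; then echo "$v: affected"; else echo "$v: unaffected"; fi
done
printf '%s\n' "$SAMPLE" | stale_pids   # on a live system: collect_maps | stale_pids
```

Run `collect_maps | stale_pids` as root after the upgrade so that every process's maps file is readable, then restart the services whose PIDs it prints.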
 

References

Release date
October 10, 2016

Latest revision
October 10, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries