A vulnerability in Libgcrypt could allow a local attacker to recover sensitive information.
|Package||dev-libs/libgcrypt on all architectures|
|Affected versions||< 1.8.5|
|Unaffected versions||>= 1.8.5|
Libgcrypt is a general purpose cryptographic library derived out of GnuPG.
A timing attack was found in the way ECCDSA was implemented in Libgcrypt.
A local man-in-the-middle attacker, during signature generation, could possibly recover the private key.
There is no known workaround at this time.
All Libgcrypt users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.8.5"
March 15, 2020
March 15, 2020: 1