Security Advisory Moderate: gnupg security update

Advisory: RHSA-2014:0016-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-01-08
Last updated on: 2014-01-08
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2013-4576

Details

An updated gnupg package that fixes one security issue is now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and
creating digital signatures, compliant with the proposed OpenPGP Internet
standard and the S/MIME standard.

It was found that GnuPG was vulnerable to side-channel attacks via acoustic
cryptanalysis. An attacker in close range to a target system that is
decrypting ciphertexts could possibly use this flaw to recover the RSA
secret key from that system. (CVE-2013-4576)

Red Hat would like to thank Werner Koch of GnuPG upstream for reporting
this issue. Upstream acknowledges Genkin, Shamir, and Tromer as the
original reporters.

All gnupg users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
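
One way to check hosts against the fixed build named in this advisory, as an added example that is not part of the original advisory or Red Hat's tooling: it compares VERSION-RELEASE strings, as printed by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' gnupg`, against gnupg-1.4.5-18.el5_10.1 using a simplified RPM version comparison. The host names, the inventory format and every build string other than the fixed one are constructed for illustration.

```python
import re

# Fixed build taken from this advisory's package list: gnupg-1.4.5-18.el5_10.1
FIXED_VR = "1.4.5-18.el5_10.1"
_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified RPM version comparison: returns -1, 0 or 1.
    Assumption: no epoch and no '~' or '^' markers, as in the builds listed here."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # compare numbers numerically, not as text
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(installed_vr):
    """True when VERSION-RELEASE is at or above the fixed build."""
    ver, _, rel = installed_vr.partition("-")
    fver, _, frel = FIXED_VR.partition("-")
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0

def unpatched_hosts(inventory):
    """inventory: lines of '<host> <version-release>'; returns hosts needing the update."""
    out = []
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) == 2 and not is_patched(parts[1]):
            out.append(parts[0])
    return out

# Constructed sample inventory (hypothetical hosts; only web02's build is from the advisory).
SAMPLE = """\
web01 1.4.5-18.el5
web02 1.4.5-18.el5_10.1
db01 1.4.5-18.el5_10.2
build01 1.4.5-9.el5
"""

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE))
```

A plain string comparison would rank release 9.el5 above 18.el5_10.1; comparing numeric segments as integers is what flags build01 as still needing the update.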

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
gnupg-1.4.5-18.el5_10.1.src.rpm     MD5: cd5bbfafa7a6c61e88e64ddcf01e7af3
SHA-256: d678f473e911d90df4c6a52904e567ae8ba885292ba9ba4a884d24ae4aa23570
 
IA-32:
gnupg-1.4.5-18.el5_10.1.i386.rpm     MD5: 14be07843aa3a75866272b05a228837d
SHA-256: 068063c3594d6907014b54f711e92404e04bc00e071f82c1ee7b70c87c6e009b
gnupg-debuginfo-1.4.5-18.el5_10.1.i386.rpm     MD5: d695c8e19b983e77cf1f9bc09b0b1fb8
SHA-256: 3283e22f3888a86ba56616d5adc1f70fc9341ef18ca921a0a1a8b6033d683bfb
 
IA-64:
gnupg-1.4.5-18.el5_10.1.ia64.rpm     MD5: 2675af8d578a293e7baf80543d5e7ef5
SHA-256: cd2f7bb00c388d5e9a609cc1569f77c590cc79d7f4602294ac0aab4fdf53deb7
gnupg-debuginfo-1.4.5-18.el5_10.1.ia64.rpm     MD5: 30584ca01384d9b48b0d83b691857f75
SHA-256: 85f330f801fdb5b9658147fea41426b90881fc75b553e097d4b5ad33f2e07bbb
 
PPC:
gnupg-1.4.5-18.el5_10.1.ppc.rpm     MD5: b055fd5d47d5af45113053141794f678
SHA-256: 572e3d9d75786d2101d8d25d7a3e8787a1304e703e191ce51967c894a2c3f883
gnupg-debuginfo-1.4.5-18.el5_10.1.ppc.rpm     MD5: c8c3def91cdba9d03109d64350a16200
SHA-256: 11cf539166609383da0144705a8a398211d642105a09df591c3283383f00210c
 
s390x:
gnupg-1.4.5-18.el5_10.1.s390x.rpm     MD5: 51ba9257ec8bec4adc1bf585fbcc6ce7
SHA-256: 811f4917764fe437067ebf5a5b8594dd6b6eb259f63c5f588fdf7b0fe403092f
gnupg-debuginfo-1.4.5-18.el5_10.1.s390x.rpm     MD5: abec7ae1580e35268e7b945b7d1990d4
SHA-256: 4b7649be96f6de2b9ccda13988415d125c4fafbc943e6cbc4324f65c811917b5
 
x86_64:
gnupg-1.4.5-18.el5_10.1.x86_64.rpm     MD5: 0a3ed1990b361dae4f392369a58c7dfd
SHA-256: bf844dbda89609fc8f567ab98b83fbb5a679eec2d3a9a6040a1c5cc43d1f6944
gnupg-debuginfo-1.4.5-18.el5_10.1.x86_64.rpm     MD5: ee53eacced37b533ccd6b182bbeea5e7
SHA-256: d86b75c8c507d3475f176b302b2ec9c0909678c94fa4047582ade6f0466c85ce
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
gnupg-1.4.5-18.el5_10.1.src.rpm     MD5: cd5bbfafa7a6c61e88e64ddcf01e7af3
SHA-256: d678f473e911d90df4c6a52904e567ae8ba885292ba9ba4a884d24ae4aa23570
 
IA-32:
gnupg-1.4.5-18.el5_10.1.i386.rpm     MD5: 14be07843aa3a75866272b05a228837d
SHA-256: 068063c3594d6907014b54f711e92404e04bc00e071f82c1ee7b70c87c6e009b
gnupg-debuginfo-1.4.5-18.el5_10.1.i386.rpm     MD5: d695c8e19b983e77cf1f9bc09b0b1fb8
SHA-256: 3283e22f3888a86ba56616d5adc1f70fc9341ef18ca921a0a1a8b6033d683bfb
 
x86_64:
gnupg-1.4.5-18.el5_10.1.x86_64.rpm     MD5: 0a3ed1990b361dae4f392369a58c7dfd
SHA-256: bf844dbda89609fc8f567ab98b83fbb5a679eec2d3a9a6040a1c5cc43d1f6944
gnupg-debuginfo-1.4.5-18.el5_10.1.x86_64.rpm     MD5: ee53eacced37b533ccd6b182bbeea5e7
SHA-256: d86b75c8c507d3475f176b302b2ec9c0909678c94fa4047582ade6f0466c85ce
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1043327 - CVE-2013-4576 gnupg: RSA secret key recovery via acoustic cryptanalysis


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/