Main Vulnerability Database SB2014082102

SB2014082102 - Information disclosure in libgcrypt (Alpine package)

Published: August 21, 2014

Security Bulletin ID SB2014082102

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2014-5270)

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=dca967dba133304c05d02e621aefb8790ce37135
https://git.alpinelinux.org/aports/commit/?id=8ed8bf5e79c29b662ee26b6ba0895c891101f1d4
https://git.alpinelinux.org/aports/commit/?id=8009421a6bb2d34a9b42b9b96110a7ad454db783