CVE-2013-4242

Publication date 29 July 2013

Last updated 24 July 2024

Ubuntu priority

Description

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
gnupg	13.04 raring	Fixed 1.4.12-7ubuntu1.1
	12.10 quantal	Fixed 1.4.11-3ubuntu4.2
	12.04 LTS precise	Fixed 1.4.11-3ubuntu2.3
	10.04 LTS lucid	Fixed 1.4.10-2ubuntu1.3
libgcrypt11	13.04 raring	Fixed 1.5.0-3ubuntu2.2
	12.10 quantal	Fixed 1.5.0-3ubuntu1.1
	12.04 LTS precise	Fixed 1.5.0-3ubuntu0.2
	10.04 LTS lucid	Fixed 1.4.4-5ubuntu2.2

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg	Vendor: http://www.debian.org/security/2013/dsa-2730 Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=35646689f4b80955ff7dbe1687bf2c479c53421e
libgcrypt11	Vendor: http://www.debian.org/security/2013/dsa-2731 Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=287bf0e543f244d784cf8b58340bf0ab3c6aba97

References

Related Ubuntu Security Notices (USN)

USN-1923-1
GnuPG, Libgcrypt vulnerability
1 August 2013