CVE-2019-12904 and the next libgcrypt release.

Haswarey, Asif asif.haswarey at intel.com
Wed Jun 26 20:13:03 CEST 2019


Hi Werner, Andreas!

I was wondering if the vulnerability has been determined to be
legitimate and if we will see a new release with this vulnerability
addressed?
If so, I am look to understand a timeline, so that I can address
this issue with our Clear Linux libgcrypt package release schedule.

Thanks very much, and I really appreciate any feedback/help!
_
Asif

On 2019-06-23 Werner Koch via Gcrypt-devel <gcrypt-devel at gnupg.org> wrote:
> On Fri, 21 Jun 2019 20:08, gcrypt-devel at gnupg.org said:
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12904

> See https://dev.gnupg.org/T4541 where I commented:

>  Andreas, I wonder on which grounds you assigned a CVE for this claimed
>  side-channel attack. The mentioned paper is about an old RSA
>  side-channel and not on AES.  I would like to see more facts than the
>  reference to a guy who "knows PPC pretty well".

Hello Werner,

I did not assign (or request) the CVE, I just did a little bit of
housekeeping, adding a pointer to the CVE number in the bug report. ;-)

cu Andreas

-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org] 
Sent: Sunday, June 23, 2019 8:50 AM
To: Haswarey, Asif via Gcrypt-devel <gcrypt-devel at gnupg.org>
Cc: Haswarey, Asif <asif.haswarey at intel.com>; ametzler at debian.org
Subject: Re: CVE-2019-12904 and the next libgcrypt release.

On Fri, 21 Jun 2019 20:08, gcrypt-devel at gnupg.org said:

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12904

See https://dev.gnupg.org/T4541 where I commented:

 Andreas, I wonder on which grounds you assigned a CVE for this claimed  side-channel attack. The mentioned paper is about an old RSA  side-channel and not on AES.  I would like to see more facts than the  reference to a guy who "knows PPC pretty well".


Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



More information about the Gcrypt-devel mailing list