[Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Wed Jul 5 21:39:26 CEST 2017


On 07/05/2017 04:13 PM, Bernhard Reiter wrote:
> On Tuesday 04 July 2017 18:30:28, Werner Koch wrote:
>> On Tue,  4 Jul 2017 12:05, johanw at vulcan.xs4all.nl said:
>>> Is 1.4 vulnerable to this attack as well? I know it does not use
>>> libgcrypt but I'm not sure about the vulnerability.
>>
>> Maybe.  And probably also to a lot of other local side channel attacks.
>
> In general I think it would be useful to have information available that
> shows which versions of GnuPG and libgcrypt are exposed to this or other
> weaknesses and what the consequences are.
>
> People now know that there are versions
> with this vulnerability and without it.
>
> My concept so far:
> not vulnerable:
>   libgcrypt 1.7.8
>   libgcrypt 1.8-beta since commit
>     Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
>     8725c99ffa41778f382ca97233183bcd687bb0ce
>
> vulnerable

Caveat: I have only looked at the code of the oldest and newest
versions.  Remember that old versions may not even have 64-bit support,
so they run on different CPU architectures.  But the code is essentially
the same as the vulnerable code in libgcrypt 1.7.7 for these:

>   libgcrypt v<=?

Probably all versions up to 1.7.7, starting from at least 1.2.0 (which
is the oldest I could find).

>   GnuPG v1.?

Probably all versions from 1.0.4 up to 1.4.21.  (I could not find 1.0.3,
which according to the NEWS file is the first version with RSA support).

I made a backport of the patch for GPG 1.4.21 here:

https://dev.gnupg.org/D438

I have also found a paper that indicates that the exponent blinding
defense is not as solid as one might think naively, and in which the
author indicates that OpenSSL defended against these kinds of attacks
conclusively in 0.9.8f (Oct 2007). I have only glanced over the claims,
but it's certainly intriguing:

Schindler, W.: Exclusive Exponent Blinding May Not Suffice
to Prevent Timing Attacks on RSA (2015), Bundesamt für Sicherheit in der
Informationstechnik

Preprint available at https://eprint.iacr.org/2014/869.pdf
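As an added illustration (not code from libgcrypt, GnuPG or the cited paper), the exponent blinding countermeasure referred to above, on a constructed toy RSA key: the private exponent d is replaced by d + r·φ(N) with a fresh random r per operation, which leaves the result unchanged but changes the exponent bits the exponentiation loop walks. The key parameters and message below are constructed for the demonstration and far too small for real use.

```python
# Added example (not libgcrypt/GnuPG code): RSA exponent blinding.
import secrets

# Constructed toy RSA parameters; both factors are small primes.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)          # Euler's totient of N
E = 65537
D = pow(E, -1, PHI)              # private exponent, needs Python 3.8+


def private_op_plain(c):
    """Unblinded RSA private operation: c^d mod N with the fixed secret d.

    Every call walks exactly the same exponent bit pattern, which is what a
    side-channel observer of the exponentiation loop tries to recover.
    """
    return pow(c, D, N)


def private_op_blinded(c, r=None):
    """RSA private operation with exponent blinding.

    Uses d' = d + r*phi(N) with a fresh random r per call.  Because
    c^phi(N) == 1 (mod N) for c coprime to N, the result is unchanged,
    but the exponent bits processed differ on every call.  Returns
    (result, blinded_exponent) so a caller can inspect the exponent used.
    """
    if r is None:
        r = secrets.randbits(32) | 1     # nonzero 32-bit blinding factor
    d_blind = D + r * PHI
    return pow(c, d_blind, N), d_blind


def demo():
    """Encrypt a constructed message and decrypt it both ways."""
    m = 123456789
    c = pow(m, E, N)
    plain = private_op_plain(c)
    blinded, d1 = private_op_blinded(c)
    _, d2 = private_op_blinded(c)
    # Same plaintext from both paths, two different exponents walked.
    return plain == m and blinded == m and d1 != d2


if __name__ == "__main__":
    print("exponent blinding preserves the result:", demo())
```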
