CVE-2014-5270

Publication date 18 August 2014

Last updated 24 July 2024

Ubuntu priority

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg	14.04 LTS trusty	Not affected
	12.04 LTS precise	Fixed 1.4.11-3ubuntu2.7
	10.04 LTS lucid	Fixed 1.4.10-2ubuntu1.7
libgcrypt11	14.04 LTS trusty	Fixed 1.5.3-2ubuntu4.1
	12.04 LTS precise	Fixed 1.5.0-3ubuntu0.3
	10.04 LTS lucid	Fixed 1.4.4-5ubuntu2.3
libgcrypt20	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=cad8216f9a0b33c9dc84ecc4f385b00045e7b496
libgcrypt11	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=6c3598f1f6a6f2548b60a31ce3c0dd9885558a4f Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=62e8e1283268f1d3b6d0cfb2fc4e7835bbcdaab6

References

Related Ubuntu Security Notices (USN)

USN-2339-1
GnuPG vulnerability
3 September 2014

USN-2339-2
Libgcrypt vulnerability
3 September 2014

USN-2554-1
GnuPG vulnerabilities
1 April 2015

CVE-2014-5270

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references