CVE-2014-3591

Publication date 31 December 2014

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg	14.10 utopic	Fixed 1.4.16-1.2ubuntu1.2
	14.04 LTS trusty	Fixed 1.4.16-1ubuntu2.3
	12.04 LTS precise	Fixed 1.4.11-3ubuntu2.9
	10.04 LTS lucid	Fixed 1.4.10-2ubuntu1.8
libgcrypt11	14.10 utopic	Fixed 1.5.4-2ubuntu1.1
	14.04 LTS trusty	Fixed 1.5.3-2ubuntu4.2
	12.04 LTS precise	Fixed 1.5.0-3ubuntu0.4
	10.04 LTS lucid	Fixed 1.4.4-5ubuntu2.4
libgcrypt20	14.10 utopic	Fixed 1.6.1-2ubuntu1.14.10.1
	14.04 LTS trusty	Fixed 1.6.1-2ubuntu1.14.04.1
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b
libgcrypt11	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=35cd81f134c0da4e7e6fcfe40d270ee1251f52c2
libgcrypt20	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d482948ac41768c36c5352a513fca8c50d2da4db

Severity score breakdown

Parameter	Value
Base score	4.2 · Medium
Attack vector	Physical
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2014-3591

Cvss 3 Severity Score

Status

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references