Information disclosure in Gnupg

CVE-2013-4242

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

Vulnerability class: Information Disclosure

EPSS: 0.001 (26.2th percentile) — read the EPSS interpretation.

Affected products

Gnupg — versions 0.0.0, 0.2.15, 0.2.16
Gnupg Libgcrypt — versions 1.4.0, 1.4.3, 1.4.4
Canonical Ubuntu_linux — versions 10.04, 12.04, 12.10
Debian Debian_linux — versions 6.0, 7.0
Opensuse — versions 12.2, 12.3
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

secalert@redhat.com (x_refsource_CONFIRM)
DSA-2731 (vendor-advisory, x_refsource_DEBIAN)
54332 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
54321 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
54375 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
openSUSE-SU-2013:1294 (vendor-advisory, x_refsource_SUSE, Vendor Advisory)
61464 (vdb-entry, x_refsource_BID)
USN-1923-1 (x_refsource_UBUNTU, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_MISC)
[gnupg-announce] 20130725 [Announce] [security fix] GnuPG 1.4.14 released (mailing-list, x_refsource_MLIST)