From owner-svn-ports-head@FreeBSD.ORG Wed Dec 18 15:22:59 2013 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EE56CC5F; Wed, 18 Dec 2013 15:22:59 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C07B21733; Wed, 18 Dec 2013 15:22:59 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rBIFMxfu048745; Wed, 18 Dec 2013 15:22:59 GMT (envelope-from kuriyama@svn.freebsd.org) Received: (from kuriyama@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id rBIFMx07048742; Wed, 18 Dec 2013 15:22:59 GMT (envelope-from kuriyama@svn.freebsd.org) Message-Id: <201312181522.rBIFMx07048742@svn.freebsd.org> From: Jun Kuriyama Date: Wed, 18 Dec 2013 15:22:59 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r336840 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Dec 2013 15:23:00 -0000 Author: kuriyama Date: Wed Dec 18 15:22:59 2013 New Revision: 336840 URL: http://svnweb.freebsd.org/changeset/ports/336840 Log: Add about gnupg-1.4.16. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Dec 18 15:14:55 2013 (r336839) +++ head/security/vuxml/vuln.xml Wed Dec 18 15:22:59 2013 (r336840) @@ -51,6 +51,51 @@ Note: Please add new entries to the beg --> + + gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack + + + gnupg + 1.4.16 + + + + +

Werner Koch reports:

+
CVE-2013-4576 has been assigned to this security bug.
+ +
The paper describes two attacks. The first attack allows +to distinguish keys: An attacker is able to notice which key is +currently used for decryption. This is in general not a problem but +may be used to reveal the information that a message, encrypted to a +commonly not used key, has been received by the targeted machine. We +do not have a software solution to mitigate this attack.
+ +
The second attack is more serious. It is an adaptive +chosen ciphertext attack to reveal the private key. A possible +scenario is that the attacker places a sensor (for example a standard +smartphone) in the vicinity of the targeted machine. That machine is +assumed to do unattended RSA decryption of received mails, for example +by using a mail client which speeds up browsing by opportunistically +decrypting mails expected to be read soon. While listening to the +acoustic emanations of the targeted machine, the smartphone will send +new encrypted messages to that machine and re-construct the private +key bit by bit. A 4096 bit RSA key used on a laptop can be revealed +within an hour.
+

+ + + + CVE-2013-4576 + http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html + + + 2013-12-18 + 2013-12-18 + + + asterisk -- multiple vulnerabilities