libgcrypt: security bump to version to version 1.7.3

Message ID	5d03002e20fce24f208b804c7f2d68c0955e325c.1471498983.git.baruch@tkos.co.il
State	Accepted
Commit	55c74d6b974cc7508e9855e8579ddd2115c80b2b
Headers	show Return-Path: <buildroot-bounces@busybox.net> From: Baruch Siach <baruch@tkos.co.il> To: buildroot@busybox.net Date: Thu, 18 Aug 2016 08:43:03 +0300 Message-Id: <5d03002e20fce24f208b804c7f2d68c0955e325c.1471498983.git.baruch@tkos.co.il> Subject: [Buildroot] [PATCH] libgcrypt: security bump to version to version 1.7.3 Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" <buildroot-bounces@busybox.net>

Message ID

5d03002e20fce24f208b804c7f2d68c0955e325c.1471498983.git.baruch@tkos.co.il

State

Accepted

Commit

55c74d6b974cc7508e9855e8579ddd2115c80b2b

Headers

From: Baruch Siach <baruch@tkos.co.il>
To: buildroot@busybox.net
Date: Thu, 18 Aug 2016 08:43:03 +0300
Message-Id: <5d03002e20fce24f208b804c7f2d68c0955e325c.1471498983.git.baruch@tkos.co.il>
Subject: [Buildroot] [PATCH] libgcrypt: security bump to version to version
	1.7.3
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Commit Message

Baruch Siach Aug. 18, 2016, 5:43 a.m. UTC

Fixes CVE-2016-6316: Bug in the mixing functions of Libgcrypt's random number
generator. An attacker who obtains 4640 bits from the RNG can trivially
predict the next 160 bits of output.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 package/libgcrypt/libgcrypt.hash | 6 +++---
 package/libgcrypt/libgcrypt.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

Comments

Peter Korsgaard Aug. 18, 2016, 7:20 a.m. UTC | #1

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > Fixes CVE-2016-6316: Bug in the mixing functions of Libgcrypt's random number
 > generator. An attacker who obtains 4640 bits from the RNG can trivially
 > predict the next 160 bits of output.

Committed, thanks.

The announcement also talks about a new gnupg release. Will you also
send a bump to 1.4.21?

Baruch Siach Aug. 18, 2016, 7:40 a.m. UTC | #2

Hi Peter,

On Thu, Aug 18, 2016 at 09:20:27AM +0200, Peter Korsgaard wrote:
> >>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> 
>  > Fixes CVE-2016-6316: Bug in the mixing functions of Libgcrypt's random number
>  > generator. An attacker who obtains 4640 bits from the RNG can trivially
>  > predict the next 160 bits of output.
> 
> Committed, thanks.
> 
> The announcement also talks about a new gnupg release. Will you also
> send a bump to 1.4.21?

I missed that. Just sent a patch.

baruch

diff --git a/package/libgcrypt/libgcrypt.hash b/package/libgcrypt/libgcrypt.hash
index 63148d4a15b0..885f83172b67 100644
--- a/package/libgcrypt/libgcrypt.hash
+++ b/package/libgcrypt/libgcrypt.hash
@@ -1,4 +1,4 @@ 
-# From https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000392.html
-sha1 85a6a936bcab4c3c05f5efbf6ce847f23d35c0c4  libgcrypt-1.7.2.tar.bz2
+# From https://lists.gnu.org/archive/html/info-gnu/2016-08/msg00008.html
+sha1 5a034291e7248592605db448481478e6c963aa9c  libgcrypt-1.7.3.tar.bz2
 # Calculated based on the hash above
-sha256 3d35df906d6eab354504c05d749a9b021944cb29ff5f65c8ef9c3dd5f7b6689f  libgcrypt-1.7.2.tar.bz2
+sha256 ddac6111077d0a1612247587be238c5294dd0ee4d76dc7ba783cc55fb0337071  libgcrypt-1.7.3.tar.bz2
diff --git a/package/libgcrypt/libgcrypt.mk b/package/libgcrypt/libgcrypt.mk
index 5ee488dd8e34..31f4d6cdf375 100644
--- a/package/libgcrypt/libgcrypt.mk
+++ b/package/libgcrypt/libgcrypt.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBGCRYPT_VERSION = 1.7.2
+LIBGCRYPT_VERSION = 1.7.3
 LIBGCRYPT_SOURCE = libgcrypt-$(LIBGCRYPT_VERSION).tar.bz2
 LIBGCRYPT_LICENSE = LGPLv2.1+
 LIBGCRYPT_LICENSE_FILES = COPYING.LIB

libgcrypt: security bump to version to version 1.7.3

Commit Message

Comments

Patch