Debian 10225 Published by

The following updates has been released for Debian GNU/Linux 7 LTS:

[DLA 1015-1] libgcrypt11 security update
[DLA 1016-1] radare2 security update



[DLA 1015-1] libgcrypt11 security update

Package : libgcrypt11
Version : 1.5.0-5+deb7u6
CVE ID : CVE-2017-7526

It was discovered that there was a key disclosure vulnerability in libgcrypt11
a library of cryptographic routines:

It is well known that constant-time implementations of modular exponentiation
cannot use sliding windows. However, software libraries such as Libgcrypt,
used by GnuPG, continue to use sliding windows. It is widely believed that,
even if the complete pattern of squarings and multiplications is observed
through a side-channel attack, the number of exponent bits leaked is not
sufficient to carry out a full key-recovery attack against RSA.
Specifically, 4-bit sliding windows leak only 40% of the bits, and 5-bit
sliding windows leak only 33% of the bits.

-- Sliding right into disaster: Left-to-right sliding windows leak
https://eprint.iacr.org/2017/627

For Debian 7 "Wheezy", this issue has been fixed in libgcrypt11 version
1.5.0-5+deb7u6.

We recommend that you upgrade your libgcrypt11 packages.

[DLA 1016-1] radare2 security update

Package : radare2
Version : 0.9-3+deb7u3
CVE ID : CVE-2017-10929
Debian Bug : #867369

It was discovered that there was a heap-based buffer overflow in radare2, a
reverse-engineering framework. The grub_memmove function allowed attackers to
cause a remote denial of service.

For Debian 7 "Wheezy", this issue has been fixed in radare2 version
0.9-3+deb7u3.

We recommend that you upgrade your radare2 packages.