[pkg-gnupg-maint] Bug#822826: gpg: Insecure default cipher for --symmetric

Mattia Rizzolo mattia at debian.org
Thu Apr 28 06:47:01 UTC 2016 

control: reassign -1 gnupg

On Wed, Apr 27, 2016 at 10:26:34PM +0200, Piotr Chmielnicki wrote:
> Package: gpg

the package name is 'gnupg', not 'gpg'.

> Version: gnupg

and what kind of version is this, anyway?

I'm reassigning to the right package, without any version, since you
coulnd't provide one (since you use stable, according to the footer, I'd
guess 1.4.18-7+deb8u1, but I'm not going to guess).

Note: no need to CC me on the replies on this bug, I'm merely
reassigning a misfiled bug that I haven't even read.

> Severity: normal
> Tags: security
> 
> Hello,
> 
> The default cipher in gpg and gpg2 for symmetric encryption is CAST-5. CAST-5
> block size is 64 bits and the cipher is used in CFB mode. CFB mode in
> vulnerable to a practical attack when the size of the ciphertext is close to
> sqrt(block_size). In the case of CAST-5 as well as for Blowfish and 3DES it
> happens when the message more than ~ 1 Go long.
> 
> The problem has been solved upstream and in sid but not in jessie.
> 
> The following commits are available in the Git repository of GnuPG:
> 
> * fc30a414d8d6586207444356ec270bd3fe0f6e68 for gpg;
> * 57df1121c18b004dd763b35eabf7b51fc9e8ec38 for gpg2.
> 
> Have a nice day.
> 
> Piotr Chmielnicki
> 
> 
> 
> -- System Information:
> Debian Release: 8.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160428/b4f3b791/attachment.sig>

More information about the pkg-gnupg-maint mailing list