[pkg-gnupg-maint] Bug#822826: gpg: Insecure default cipher for --symmetric
Piotr Chmielnicki
piotr at chmielnicki.com
Thu Apr 28 07:03:59 UTC 2016
control: reassign -1 gnupg 1.4.18-7+deb8u1
On 04/28/2016 08:47 AM, Mattia Rizzolo wrote:
> control: reassign -1 gnupg
>
> On Wed, Apr 27, 2016 at 10:26:34PM +0200, Piotr Chmielnicki wrote:
>> Package: gpg
> the package name is 'gnupg', not 'gpg'.
Sorry.
>> Version: gnupg
> and what kind of version is this, anyway?
>
> I'm reassigning to the right package, without any version, since you
> coulnd't provide one (since you use stable, according to the footer, I'd
> guess 1.4.18-7+deb8u1, but I'm not going to guess).
Correct. BTW my gnupg2 version is 2.0.26-6.
> Note: no need to CC me on the replies on this bug, I'm merely
> reassigning a misfiled bug that I haven't even read.
>
>> Severity: normal
>> Tags: security
>>
>> Hello,
>>
>> The default cipher in gpg and gpg2 for symmetric encryption is CAST-5. CAST-5
>> block size is 64 bits and the cipher is used in CFB mode. CFB mode in
>> vulnerable to a practical attack when the size of the ciphertext is close to
>> sqrt(block_size). In the case of CAST-5 as well as for Blowfish and 3DES it
>> happens when the message more than ~ 1 Go long.
>>
>> The problem has been solved upstream and in sid but not in jessie.
>>
>> The following commits are available in the Git repository of GnuPG:
>>
>> * fc30a414d8d6586207444356ec270bd3fe0f6e68 for gpg;
>> * 57df1121c18b004dd763b35eabf7b51fc9e8ec38 for gpg2.
>>
>> Have a nice day.
>>
>> Piotr Chmielnicki
>>
>>
>>
>> -- System Information:
>> Debian Release: 8.4
>> APT prefers stable-updates
>> APT policy: (500, 'stable-updates'), (500, 'stable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: systemd (via /run/systemd/system)
More information about the pkg-gnupg-maint
mailing list