[pkg-gnupg-maint] Bug#882985: gcrypt: libgcrypt should use all memory pools for all secure allocations

Amul Shah Amul.Shah at fisglobal.com
Tue Nov 28 11:08:59 UTC 2017 

Package: libgcrypt20
Source: gnupg2
Version: 1.7.9-1
Severity: normal
File: gcrypt

Dear Maintainer,

As reported in the gnupg mailing list (thread links below), the
gpg-agent failed to decrypt secret keys for client applications when a
large number of concurrent requests were made.

libgcrypt takes care to manage secure memory. It allocates pools of
memory in SECMEM_BUFFER_SIZE size chunks. The first of these pools is
mlock()ed to prevent swapping. Certain secure memory allocation only
use memory from this first pool. If this first pool is full, libgcrypt
reported an ENOMEM error up to the caller.

In the case of the gpg-agent, it failed to decrypt private keys when it
received a large number of concurrent key decryption requests. These
decryption failures resulted in intermittment to short periods of
persistent failures in calling applications.

libgcrypt 1.8.1 contains the needed fixes and is compatile with GnuPG
2.1. Specific changes also need to be back ported to GnuPG 2.1 to take
advantage of these options. These changes are trivial to backport.

Mailing list threads:
https://lists.gnupg.org/pipermail/gnupg-devel/2017-June/032937.html
https://lists.gnupg.org/pipermail/gnupg-devel/2017-November/033280.html


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgcrypt20:amd64 depends on:
ii  libc6          2.24-17
ii  libgpg-error0  1.27-3

libgcrypt20:amd64 recommends no packages.

Versions of packages libgcrypt20:amd64 suggests:
pn  rng-tools  <none>

-- no debconf information
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.

More information about the pkg-gnupg-maint mailing list