| Name | CVE-2016-6313 |
| Description | The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-600-1, DLA-602-1, DSA-3649-1, DSA-3650-1 |
| Debian Bugs | 834893, 834894 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| gnupg (PTS) | jessie, jessie (lts) | 1.4.18-7+deb8u5 | fixed |
| gnupg1 (PTS) | stretch (security), stretch (lts), stretch | 1.4.21-4+deb9u1 | fixed |
| buster | 1.4.23-1 | fixed | |
| bullseye, bookworm | 1.4.23-1.1 | fixed | |
| sid, trixie | 1.4.23-2 | fixed | |
| gnupg2 (PTS) | jessie, jessie (lts) | 2.0.26-6+deb8u3 | fixed |
| stretch (security) | 2.1.18-8~deb9u2 | fixed | |
| stretch (lts), stretch | 2.1.18-8~deb9u5 | fixed | |
| buster (security), buster, buster (lts) | 2.2.12-1+deb10u2 | fixed | |
| bullseye (security), bullseye | 2.2.27-2+deb11u2 | fixed | |
| bookworm | 2.2.40-1.1 | fixed | |
| sid, trixie | 2.2.45-2 | fixed | |
| libgcrypt20 (PTS) | jessie, jessie (lts) | 1.6.3-2+deb8u9 | fixed |
| stretch (security), stretch (lts), stretch | 1.7.6-2+deb9u4 | fixed | |
| buster | 1.8.4-5+deb10u1 | fixed | |
| bullseye | 1.8.7-6 | fixed | |
| bookworm | 1.10.1-3 | fixed | |
| sid, trixie | 1.11.0-6 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gnupg | source | wheezy | 1.4.12-7+deb7u8 | DLA-602-1 | ||
| gnupg | source | jessie | 1.4.18-7+deb8u2 | DSA-3649-1 | ||
| gnupg | source | (unstable) | (unfixed) | 834893 | ||
| gnupg1 | source | (unstable) | 1.4.21-1 | 834894 | ||
| gnupg2 | source | (unstable) | (not affected) | |||
| libgcrypt11 | source | wheezy | 1.5.0-5+deb7u5 | DLA-600-1 | ||
| libgcrypt11 | source | (unstable) | (unfixed) | |||
| libgcrypt20 | source | jessie | 1.6.3-2+deb8u2 | DSA-3650-1 | ||
| libgcrypt20 | source | (unstable) | 1.7.3-1 |
- gnupg2 <not-affected> (Uses system libgcrypt)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e23eec8c9a602eee0a09851a54db0f5d611f125c
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c6dbfe89903d0c8191cf50ecf1abb3c8458b427a
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2f62103b4bb6d6f9ce806e01afb7fdc58aa33513 (1.7)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=8dd45ad957b54b939c288a68720137386c7f6501 (1.7)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=190b0429b70eb4a3573377e95755d9cc13c38461 (1.6)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=c748f87436d693f092a4484571a3cc7f650b5c81 (1.6)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=98980e2fd29ad62903c78fa6521489fce651cdda
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=6199cd963d1fba86e0b7b9e2de4b6c00b945193a
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html