GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526

Bug #1785176 reported by Elegie on 2018-08-03
Affects: gnupg (Ubuntu)

Bug Description

According to the information at the GnuPG Web site, GnuPG 1.4.23 was released on 2018-06-11 "to address the critical security bug CVE-2017-7526."

In addition, according to the information on the GnuPG news page, GnuPG 1.4.22 was released on 2017-07-19 "to address the recently published local side channel attack CVE-2017-7526."

On the same page, it is mentioned that GnuPG 1.4.21 was released around 2016-08-17 to address the issue in CVE-2016-6313. (Note that the CVE id in the message is not correct.)

The changelog for the gnupg package version 1.4.20-1ubuntu3.2 mentions fixes for CVE-2018-12020 and CVE-2016-6313. There is no mention of CVE-2017-7526.

Your attention to this issue is appreciated.

Alex Murray (alexmurray) on 2018-08-03
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote:

Thank you for your attention to detail. CVE-2017-7526 was fixed in USN-3347-1 and -2 by patching the libgcrypt20 and libgcrypt11 source packages:

You can track our work per-CVE on that and similar pages, which will show the source packages that may be affected by any given CVE.


Alex Murray (alexmurray) wrote:

Thanks for reporting this. FYI, you can see the status of each CVE via the CVE tracker.


This CVE was triaged against libgcrypt only, not against gnupg1, and all the upstream CVE trackers only seem to reference this CVE against libgcrypt. I can see the mention of CVE-2017-7526 on their homepage for GnuPG 1.4.23; however, looking at the changes for 1.4.23 I can see no commits that appear relevant to this CVE:
;a=shortlog;h=refs/heads/STABLE-BRANCH-1-4

However, if we look at the changes that went into 1.4.22, then there are a bunch of changes which look analogous to the ones for libgcrypt for CVE-2017-7526:
;a=commit;h=b38f4489f75e6e435886aa885807738a22c7ff60
;a=commit;h=12029f83fd0ab3e8ad524f6c9135854662fddfd1
;a=commit;h=554ded4854758bf6ca268432fa087f946932a409
;a=commit;h=8fd9f72e1b2e578e45c98c978cab4f6d47683d2c

Also, I can't see any release announcements for 1.4.22 or 1.4.23 in gnupg-announce either, which is unfortunate.

I will retriage this against gnupg1 as well and this will be fixed soon.

Alex Murray (alexmurray) wrote:
Changed in gnupg (Ubuntu):
status: New → Fix Released
Changed in gnupg (Ubuntu):
importance: Undecided → Medium