製品・ソフトウェアに関する情報

JVN脆弱性詳細

Libgcrypt および GnuPG の乱数発生器のミキシング機能における 160 ビットの値を取得される脆弱性

Title	Libgcrypt および GnuPG の乱数発生器のミキシング機能における 160 ビットの値を取得される脆弱性
Summary	Libgcrypt および GnuPG の乱数発生器のミキシング機能には、160 ビットの値を取得される脆弱性が存在します。
Possible impacts	攻撃者により、以前の 4640 ビットの情報を利用されることで、160 ビットの値を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 17, 2016, midnight
Registration Date	Dec. 26, 2016, 5:12 p.m.
Last Update	Dec. 26, 2016, 5:12 p.m.

Affected System

GNU Project

GnuPG 1.4.21 未満

Libgcrypt 1.5.6 未満

Libgcrypt 1.6.6 未満の 1.6.x

Libgcrypt 1.7.3 未満の 1.7.x

Debian

Debian GNU/Linux 8.0

Canonical

Ubuntu 12.04 LTS

Ubuntu 14.04 LTS

Ubuntu 16.04 LTS

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-6313	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
National Vulnerability Database (NVD)
2	CVE-2016-6313	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6313

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-3649	https://www.debian.org/security/2016/dsa-3649
2	DSA-3650	https://www.debian.org/security/2016/dsa-3650
GNU Privacy Guard
3	Noteworthy changes in version 1.7.3 (2016-08-17)	https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=NEWS
GnuPG Announce
4	[Announce] Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316]	https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
Ubuntu Security Notice
5	USN-3064-1	https://www.ubuntu.com/usn/USN-3064-1/
6	USN-3065-1	https://www.ubuntu.com/usn/USN-3065-1/

Change Log

No	Changed Details	Date of change
0	[2016年12月26日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-6313

Summary	The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.
Publication Date	Dec. 14, 2016, 5:59 a.m.
Registration Date	Jan. 26, 2021, 2:15 p.m.
Last Update	Nov. 21, 2024, 11:55 a.m.

Affected software configurations

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::

Configuration4		or higher	or less	more than	less than
cpe:2.3:a:gnupg:gnupg::::::::			1.4.14

Related information, measures and tools

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2016-2674.html
2	http://rhn.redhat.com/errata/RHSA-2016-2674.html
3	http://www.debian.org/security/2016/dsa-3649	Third Party Advisory
4	http://www.debian.org/security/2016/dsa-3649	Third Party Advisory
5	http://www.debian.org/security/2016/dsa-3650	Third Party Advisory
6	http://www.debian.org/security/2016/dsa-3650	Third Party Advisory
7	http://www.securityfocus.com/bid/92527	Third Party Advisory VDB Entry
8	http://www.securityfocus.com/bid/92527	Third Party Advisory VDB Entry
9	http://www.securitytracker.com/id/1036635
10	http://www.securitytracker.com/id/1036635
11	http://www.ubuntu.com/usn/USN-3064-1	Third Party Advisory
12	http://www.ubuntu.com/usn/USN-3064-1	Third Party Advisory
13	http://www.ubuntu.com/usn/USN-3065-1	Third Party Advisory
14	http://www.ubuntu.com/usn/USN-3065-1	Third Party Advisory
15	https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=blob_plain%3Bf=NEWS
16	https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=blob_plain%3Bf=NEWS
17	https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html	Mailing List Vendor Advisory
18	https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html	Mailing List Vendor Advisory
19	https://security.gentoo.org/glsa/201610-04
20	https://security.gentoo.org/glsa/201610-04
21	https://security.gentoo.org/glsa/201612-01
22	https://security.gentoo.org/glsa/201612-01

Common Vulnerabilities List