CVE-2016-6313

MEDIUM

Libgcrypt <1.5.6, 1.6.x <1.6.6, 1.7.x <1.7.3 - Info Disclosure

Title source: llm

Description

The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.

References (11)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2016-2674.html

[Third Party Advisory] http://www.debian.org/security/2016/dsa-3649

[Third Party Advisory] http://www.debian.org/security/2016/dsa-3650

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/92527

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1036635

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3064-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-3065-1

[Various Sources] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=blob_plain%3Bf=NEWS

[Mailing List, Vendor Advisory] https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html

[Third Party Advisory] https://security.gentoo.org/glsa/201610-04

[Third Party Advisory] https://security.gentoo.org/glsa/201612-01

Scores

CVSS v3 5.3

EPSS 0.0318

EPSS Percentile 86.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status published

Affected Products (16)

gnupg/libgcrypt < 1.5.3

gnupg/libgcrypt

gnupg/libgcrypt

gnupg/libgcrypt

gnupg/libgcrypt

gnupg/libgcrypt

gnupg/libgcrypt

gnupg/libgcrypt

gnupg/libgcrypt

gnupg/libgcrypt

debian/debian_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

gnupg/gnupg < 1.4.14

... and 1 more

Timeline

Published Dec 13, 2016

Tracked Since Feb 18, 2026