Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270
Reference (s):
- DEBIAN:DSA-3024
- URL: http://www.debian.org/security/2014/dsa-3024
- DEBIAN:DSA-3073
- URL: http://www.debian.org/security/2014/dsa-3073
- http://www.cs.tau.ac.il/~tromer/handsoff/