Bug 11416

Summary: gnupg/gnupg2: infinite recursion in compressed packet parser (CVE-2013-4402)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: oe, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570018/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: gnupg CVE:
Status comment:
Bug Depends on: 11306    
Bug Blocks:    

Description David Walser 2013-10-09 15:57:32 CEST 
Upstream has released gnupg 1.4.15 and gnupg2 2.0.22 to fix a new security issue:
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00003.html
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00002.html

Reproducible: 

Steps to Reproduce:
David Walser 2013-10-09 15:57:42 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 Oden Eriksson 2013-10-09 17:46:48 CEST 
Fixed with gnupg2-2.0.18-1.4.mga2 and gnupg2-2.0.19-3.2.mga3. Fixed in cauldron with gnupg2-2.0.22-1.mga4.

CC: (none) => oe

Comment 2 Oden Eriksson 2013-10-09 17:47:51 CEST 
Fixed with gnupg-1.4.12-1.3.mga2, gnupg-1.4.14-1.1.mga3 and gnupg-1.4.15-1.mga4.
David Walser 2013-10-09 17:56:26 CEST

Depends on: (none) => 11306

Comment 3 David Walser 2013-10-09 17:59:02 CEST 
Thanks Oden!

We'll use this bug for the gnupg update and Bug 11306 for gnupg2 for QA.

Advisory:
========================

Updated gnupg package fixes security vulnerability:

Special crafted input data may be used to cause a denial of service against
GPG. GPG can be forced to recursively parse certain parts of OpenPGP messages
ad infinitum (CVE-2013-4402).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00003.html
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.12-1.3.mga2
gnupg-1.4.14-1.1.mga3

from SRPMS:
gnupg-1.4.12-1.3.mga2.src.rpm
gnupg-1.4.14-1.1.mga3.src.rpm

CC: (none) => boklm
Assignee: boklm => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

claire robinson 2013-10-09 18:57:41 CEST

Summary: gnupg/gnupg2: infinite recursion in compressed packet parser (CVE-2013-4402) => gnupg: infinite recursion in compressed packet parser (CVE-2013-4402)

Comment 4 claire robinson 2013-10-09 18:58:33 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11306#c3

Whiteboard: MGA2TOO => MGA2TOO has_procedure

claire robinson 2013-10-09 18:58:41 CEST

Source RPM: gnupg, gnupg2 => gnupg

Comment 5 David Walser 2013-10-09 19:15:54 CEST 
Just noting that this issue does affect both gnupg and gnupg2 even though the bug title got changed.
Comment 6 claire robinson 2013-10-09 20:06:28 CEST 
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-64-ok

Comment 7 claire robinson 2013-10-09 20:22:09 CEST 
testing complete mga3 64

Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-64-ok

Comment 8 claire robinson 2013-10-09 20:31:21 CEST 
testing complete mga2 32

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok

Comment 9 claire robinson 2013-10-09 20:45:22 CEST 
testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 10 claire robinson 2013-10-09 20:59:06 CEST 
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Thomas Backlund 2013-10-10 00:57:06 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0303.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-10-10 18:08:21 CEST

URL: (none) => http://lwn.net/Vulnerabilities/570018/
Summary: gnupg: infinite recursion in compressed packet parser (CVE-2013-4402) => gnupg/gnupg2: infinite recursion in compressed packet parser (CVE-2013-4402)

Nicolas Vigier 2014-05-08 18:05:23 CEST

CC: boklm => (none)