Bug 15483

Summary: gnupg, gnupg2 new security issues CVE-2015-1606 and CVE-2015-1607
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: minor    
Priority: Normal CC: cooker, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/636681/
Whiteboard: has_procedure advisory MGA4-32-OK
Source RPM: gnupg, gnupg2 CVE:
Status comment:

Description David Walser 2015-03-13 15:23:45 CET 
The fuzzing project found some bugs in GnuPG and GnuPG2:
http://www.openwall.com/lists/oss-security/2015/02/13/14

The two NULL dereference issues were not assigned CVEs, the other two issues were:
http://www.openwall.com/lists/oss-security/2015/02/14/6

RedHat has said they don't plan to backport fixes for these to RHEL, and Debian has classified them as minor, no-DSA issues, even though one got mentioned in a DSA on March 12 for gnupg:
https://www.debian.org/security/2015/dsa-3184

These sound to be extremely low-severity issues.  I've checked in backported patches for all four issues in Mageia 4 SVN for gnupg and gnupg2.  They will be included in the next update, whenever that is.

The fixes are already in Cauldron, as it has the latest versions of gnupg and gnupg2.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-13 16:05:10 CET

URL: (none) => http://lwn.net/Vulnerabilities/636681/

Comment 1 David Walser 2015-04-01 20:31:45 CEST 
LWN reference for CVE-2015-1607:
http://lwn.net/Vulnerabilities/638726/

Ubuntu has issued an advisory for this today (April 1):
http://www.ubuntu.com/usn/usn-2554-1/
Comment 2 Johnny A. Solbu 2015-04-12 09:27:39 CEST 
You should submit them to 4/updates testing then, as nobody is listed as maintainer.

CC: (none) => cooker

Comment 3 David Walser 2015-04-12 11:36:06 CEST 
No, these ones don't need their own build.  As I already said, these fixes are in SVN and will be included in the *next* update, whenever there's a more important issue to fix.
Comment 4 David Walser 2015-09-02 17:52:16 CEST 
Submitting this update now to get it in before Mageia 4 EOL.

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=15441#c2

Advisory:
========================

Updated gnupg and gnupg2 packages fix security vulnerabilities:

Hanno Böck discovered that GnuPG incorrectly handled certain malformed
keyrings. If a user or automated system were tricked into opening a
malformed keyring, a remote attacker could use this issue to cause GnuPG to
crash, resulting in a denial of service, or possibly execute arbitrary
code (CVE-2015-1606, CVE-2015-1607).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607
http://www.ubuntu.com/usn/usn-2554-1/
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.16-1.3.mga4
gnupg2-2.0.22-3.2.mga4

from SRPMS:
gnupg-1.4.16-1.3.mga4.src.rpm
gnupg2-2.0.22-3.2.mga4.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

Comment 5 David Walser 2015-09-08 22:00:08 CEST 
Testing complete Mageia 4 i586 using the procedure.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 6 claire robinson 2015-09-13 22:13:11 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-09-13 23:59:24 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0359.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED