Bug 18262

Summary: pgpdump new security issue CVE-2016-4021
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, mageia, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/685000/
Whiteboard: has_procedure mga5-64-ok advisory
Source RPM: pgpdump-0.29-3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-04-25 19:42:00 CEST
Upstream has released version 0.30 on April 13:
https://github.com/kazu-yamamoto/pgpdump/blob/master/CHANGES

It fixes a security issue:
https://github.com/kazu-yamamoto/pgpdump/pull/16

Mageia 5 is also affected.

David Walser 2016-04-25 19:42:28 CEST

URL: pgpdump-0.29-3.mga5.src.rpm => http://lwn.net/Vulnerabilities/685000/
CC: (none) => mageia
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-04-25 20:16:51 CEST
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated pgpdump package fixes security vulnerability:

When pgpdump is run on specially crafted input, a denial of service condition occurs. The program runs with 100% CPU usage for an indefinite amount of time.
A remote attacker is able to create a specially crafted input that leads
to CPU resource consumption, resulting in denial of service (CVE-2016-4021).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4021
https://github.com/kazu-yamamoto/pgpdump/blob/master/CHANGES
========================

Updated packages in core/updates_testing:
========================
pgpdump-0.30-1.mga5

from pgpdump-0.30-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 2 claire robinson 2016-04-26 16:59:00 CEST
Testing complete mga5 64

PoC http://seclists.org/bugtraq/2016/Apr/99

$ echo -en '\xa3\x03' | ./pgpdump
Old: Compressed Data Packet(tag 8)
        Comp alg - BZip2(comp 3)
[ ... endless loop ...]

It seems ours is immune..

$ echo -en '\xa3\x03' | pgpdump
Old: Compressed Data Packet(tag 8)
        Comp alg - BZip2(comp 3)
pgpdump: can't uncompress without zlib/bzip2.

Output is identical after update so it does no harm. 
Up to you if you still want to push it David.

Whiteboard: (none) => has_procedure mga5-64-ok
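
A bounded form of the check from Comment 2, as an added example that is not part of the bug thread or of pgpdump: it feeds the same two bytes to a command under a time limit and separates a hang from a build that reported it cannot uncompress, which is the case seen on Mageia above. The function name `poc_verdict` and its three verdict labels are hypothetical, and coreutils `timeout` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the bug thread): time-limited regression check.
# poc_verdict CMD [SECONDS] prints one of:
#   hang           CMD was still running when the time limit expired
#   not-exercised  CMD printed the "can't uncompress without zlib/bzip2" message
#   terminated     CMD exited on its own without that message
poc_verdict() {
    cmd=$1
    limit=${2:-5}                      # seconds; hypothetical default
    out=$(mktemp) || return 2
    status=0
    # \243\003 are the octal forms of \xa3\x03; octal escapes are portable in printf.
    # timeout (coreutils, assumed present) exits with 124 when the limit is hit.
    printf '\243\003' | timeout "$limit" sh -c "$cmd" >"$out" 2>&1 || status=$?
    if [ "$status" -eq 124 ]; then
        verdict=hang
    elif grep -q "can't uncompress without zlib/bzip2" "$out"; then
        # Message taken from the Mageia output in Comment 2: the build did not
        # attempt decompression, so the result does not distinguish 0.29 from 0.30.
        verdict=not-exercised
    else
        verdict=terminated
    fi
    rm -f "$out"
    echo "$verdict"
}

# Run against the installed binary only when one is present.
if command -v pgpdump >/dev/null 2>&1; then
    echo "pgpdump: $(poc_verdict pgpdump)"
fi
```

A `not-exercised` verdict before and after an update means the test could not confirm the fix on that build.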

Comment 3 claire robinson 2016-04-26 16:59:59 CEST
Perhaps missing a recommends.

Comment 4 Dave Hodgins 2016-04-28 20:10:47 CEST
Advisory committed to svn. I'll go ahead and validate. The missing requires or
suggests for zlib/bzip2 can be looked at later.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2016-04-29 19:22:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0157.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED