Bug 18518

Summary: pgpdump new buffer overrun issue fixed in 0.31
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/689717/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: pgpdump-0.30-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-05-23 20:20:38 CEST 
Upstream has released version 0.31 on May 9, fixing a potential security issue:
https://github.com/kazu-yamamoto/pgpdump/blob/master/CHANGES

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated pgpdump package fixes security vulnerability:

The pgpdump package has been updated to version 0.31, fixing a buffer overrun.

References:
https://github.com/kazu-yamamoto/pgpdump/blob/master/CHANGES
========================

Updated packages in core/updates_testing:
========================
pgpdump-0.31-1.mga5

from pgpdump-0.31-1.mga5.src.rpm
Comment 1 David Walser 2016-05-23 20:21:30 CEST 
You can retry Claire's test from the last update:
https://bugs.mageia.org/show_bug.cgi?id=18262#c2

Whiteboard: (none) => has_procedure

Comment 2 Lewis Smith 2016-05-28 21:14:33 CEST 
Testing M5 x64

Before the update, the test referred to in Comment 1 (thanks David):
$ echo -en '\xa3\x03' | pgpdump
Old: Compressed Data Packet(tag 8)
	Comp alg - BZip2(comp 3)
pgpdump: can't uncompress without zlib/bzip2.

After the update to: pgpdump-0.31-1.mga5
$ echo -en '\xa3\x03' | pgpdump
Old: Compressed Data Packet(tag 8)
	Comp alg - BZip2(comp 3)
pgpdump: can't uncompress without zlib/bzip2.

Identical output, so OKing this update.

CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 claire robinson 2016-06-02 23:21:30 CEST 
Validating. Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-06-02 23:41:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0212.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-06-03 20:36:49 CEST

URL: http://lwn.net/Vulnerabilities/685000/ => http://lwn.net/Vulnerabilities/689717/