Bug 11416 - gnupg/gnupg2: infinite recursion in compressed packet parser (CVE-2013-4402)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/570018/
: MGA2TOO has_procedure mga2-32-ok mga2...
: validated_update
: 11306
:
Reported: 2013-10-09 15:57 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)

See Also:
Source RPM: gnupg
CVE:
Status comment:



Description David Walser 2013-10-09 15:57:32 CEST
Upstream has released gnupg 1.4.15 and gnupg2 2.0.22 to fix a new security issue:
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00003.html
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00002.html

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-10-09 17:46:48 CEST
Fixed with gnupg2-2.0.18-1.4.mga2 and gnupg2-2.0.19-3.2.mga3. Fixed in cauldron with gnupg2-2.0.22-1.mga4.
Comment 2 Oden Eriksson 2013-10-09 17:47:51 CEST
Fixed with gnupg-1.4.12-1.3.mga2, gnupg-1.4.14-1.1.mga3 and gnupg-1.4.15-1.mga4.
Comment 3 David Walser 2013-10-09 17:59:02 CEST
Thanks Oden!

We'll use this bug for the gnupg update and Bug 11306 for gnupg2 for QA.

Advisory:
========================

Updated gnupg package fixes security vulnerability:

Specially crafted input data may be used to cause a denial of service against
GPG. GPG can be forced to recursively parse certain parts of OpenPGP messages
ad infinitum (CVE-2013-4402).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00003.html
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.12-1.3.mga2
gnupg-1.4.14-1.1.mga3

from SRPMS:
gnupg-1.4.12-1.3.mga2.src.rpm
gnupg-1.4.14-1.1.mga3.src.rpm
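The kind of bound that stops a packet parser from recursing without limit, as an added example that is not GnuPG's code: a minimal walk over OpenPGP packet headers that refuses to descend into compressed-data packets past an assumed cap. The names (read_header, walk, nested_sample, max_depth, MAX_COMPRESS_DEPTH) and the nested input are all constructed for this example.

```python
# Added example (not GnuPG code): depth-limited walk over OpenPGP packet framing (RFC 4880 4.2).
# Only algorithm 0 (uncompressed) bodies are descended into; real parsers also inflate ZIP/ZLIB.
MAX_COMPRESS_DEPTH = 32  # assumed limit; the point is that one exists

def read_header(buf, pos):
    """Return (tag, body_start, body_end) for the packet header at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of a packet tag octet must be set")
    if first & 0x40:  # new-format header: tag in the low 6 bits
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            length, hlen = o1, 2
        elif o1 < 224:
            length, hlen = ((o1 - 192) << 8) + buf[pos + 2] + 192, 3
        elif o1 == 255:
            length, hlen = int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not handled here")
    else:  # old-format header: tag in bits 5..2, length type in bits 1..0
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        hlen = 1 + (1 << ltype)
        length = int.from_bytes(buf[pos + 1:pos + hlen], "big")
    if pos + hlen + length > len(buf):
        raise ValueError("packet length exceeds input")
    return tag, pos + hlen, pos + hlen + length

def walk(buf, depth=0):
    """Yield (depth, tag) per packet, descending into compressed-data bodies."""
    pos = 0
    while pos < len(buf):
        tag, start, end = read_header(buf, pos)
        yield depth, tag
        if tag == 8:  # compressed data: one algorithm octet, then the payload
            if depth + 1 > MAX_COMPRESS_DEPTH:  # the bound an unbounded parser lacks
                raise ValueError("compressed packet nesting too deep")
            if buf[start] != 0:
                raise ValueError("only uncompressed (algorithm 0) bodies handled")
            yield from walk(buf[start + 1:end], depth + 1)
        pos = end

def nested_sample(levels):
    pkt = bytes([0xCB, 8]) + b"b\x00\x00\x00\x00\x00hi"  # constructed: tag 11 binary literal "hi"
    for _ in range(levels):
        pkt = bytes([0xC8, len(pkt) + 1, 0]) + pkt  # wrap in a new-format tag-8 packet, algorithm 0
    return pkt

def max_depth(buf):
    return max(d for d, _ in walk(buf))  # raises ValueError once past the cap
```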
Comment 4 claire robinson 2013-10-09 18:58:33 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11306#c3
Comment 5 David Walser 2013-10-09 19:15:54 CEST
Just noting that this issue does affect both gnupg and gnupg2 even though the bug title got changed.
Comment 6 claire robinson 2013-10-09 20:06:28 CEST
Testing complete mga2 64
Comment 7 claire robinson 2013-10-09 20:22:09 CEST
Testing complete mga3 64
Comment 8 claire robinson 2013-10-09 20:31:21 CEST
Testing complete mga2 32
Comment 9 claire robinson 2013-10-09 20:45:22 CEST
Testing complete mga3 32
Comment 10 claire robinson 2013-10-09 20:59:06 CEST
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 11 Thomas Backlund 2013-10-10 00:57:06 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0303.html