Upstream has released gnupg 1.4.15 and gnupg2 2.0.22 to fix a new security issue:
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00003.html
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00002.html
Whiteboard: (none) => MGA3TOO, MGA2TOO
Fixed with gnupg2-2.0.18-1.4.mga2 and gnupg2-2.0.19-3.2.mga3. Fixed in cauldron with gnupg2-2.0.22-1.mga4.
CC: (none) => oe
Fixed with gnupg-1.4.12-1.3.mga2, gnupg-1.4.14-1.1.mga3 and gnupg-1.4.15-1.mga4.
Depends on: (none) => 11306
Thanks Oden! We'll use this bug for the gnupg update and Bug 11306 for gnupg2 for QA.

Advisory:
========================

Updated gnupg package fixes security vulnerability:

Special crafted input data may be used to cause a denial of service against GPG. GPG can be forced to recursively parse certain parts of OpenPGP messages ad infinitum (CVE-2013-4402).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402
http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00003.html
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.12-1.3.mga2
gnupg-1.4.14-1.1.mga3

from SRPMS:
gnupg-1.4.12-1.3.mga2.src.rpm
gnupg-1.4.14-1.1.mga3.src.rpm

CC: (none) => boklm
Assignee: boklm => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Summary: gnupg/gnupg2: infinite recursion in compressed packet parser (CVE-2013-4402) => gnupg: infinite recursion in compressed packet parser (CVE-2013-4402)
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11306#c3
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Source RPM: gnupg, gnupg2 => gnupg
Just noting that this issue does affect both gnupg and gnupg2 even though the bug title got changed.
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-64-ok
testing complete mga3 64
Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-64-ok
testing complete mga2 32
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok
testing complete mga3 32
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Validating. Advisory uploaded. Could sysadmin please push from 2&3 core/updates_testing to updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0303.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/570018/
Summary: gnupg: infinite recursion in compressed packet parser (CVE-2013-4402) => gnupg/gnupg2: infinite recursion in compressed packet parser (CVE-2013-4402)
CC: boklm => (none)