A CVE was allocated for a possible DoS issue fixed upstream: http://openwall.com/lists/oss-security/2014/06/24/14 I've fixed this in Cauldron by upgrading to 1.4.17 and 2.0.24, so we just need to backport the patches to Mageia 3 and Mageia 4. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated gnupg and gnupg2 packages fix security vulnerability: GnuPG versions before 1.4.17 and 2.0.24 are vulnerable to a denial of service which can be caused by garbled compressed data packets which may put gpg into an infinite loop (CVE-2014-4617). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617 http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html http://openwall.com/lists/oss-security/2014/06/24/14 ======================== Updated packages in core/updates_testing: ======================== gnupg-1.4.14-1.3.mga3 gnupg2-2.0.19-3.3.mga3 gnupg-1.4.16-1.1.mga4 gnupg2-2.0.22-3.1.mga4 from SRPMS: gnupg-1.4.14-1.3.mga3.src.rpm gnupg2-2.0.19-3.3.mga3.src.rpm gnupg-1.4.16-1.1.mga4.src.rpm gnupg2-2.0.22-3.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11306#c3 Use the "gpg" command to test gnupg. Replace "gpg" with "gpg2" to test gnupg2.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
The PoC is mentioned in the openwall link, but I figured out how to make it work. If you create a 4-byte file: echo -n "food" > foo.gpg Edit that file with hexedit, and change the contents to A3 01 5B FF: hexedit foo.gpg A3 01 5B FF (Ctrl-X to save and exit) Then try to decrypt that file: gpg -d -r username foo.gpg gpg2 -d -r username foo.gpg both commands will go into an infinite loop printing garbage to the console. With the update, it should immediately exit.
Testing complete mga3 32 Thanks for the testcase David Before ------ $ gpg -d -r username foo.gpg ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������ ...etc ������������������������������������������������������������������������������������������������������������������������������������������^C gpg: Interrupt caught ... exiting killed with ctrl-c. gpg2 the same. After ----- $ gpg -d -r username foo.gpg $ gpg2 -d -r username foo.gpg No errors
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok
Testing complete mga4 64 Before ------ $ gpg -d -r username foo.gpg gpg: fatal: zlib inflate problem: invalid distance code secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 $ gpg2 -d -r username foo.gpg gpg: Fatal: zlib inflate problem: invalid distance code Doesn't appear vulnerable, at least as a DoS. After ----- $ gpg -d -r username foo.gpg gpg: fatal: zlib inflate problem: invalid distance code secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 $ gpg2 -d -r username foo.gpg gpg: Fatal: zlib inflate problem: invalid distance code Confirmed it works as expected otherwise.
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Testing complete mga3 64 This gives the same results as mga4 64 in comment 5
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32 This too gives the same results
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
URL: (none) => http://lwn.net/Vulnerabilities/603513/
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0276.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED