Bug 13590 - gnupg/gnupg2 new security issue CVE-2014-4617
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/603513/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-24 16:45 CEST by David Walser
Modified: 2014-06-27 17:26 CEST

See Also:
Source RPM: gnupg, gnupg2
CVE:
Status comment:



Description David Walser 2014-06-24 16:45:34 CEST
A CVE was allocated for a possible DoS issue fixed upstream:
http://openwall.com/lists/oss-security/2014/06/24/14

I've fixed this in Cauldron by upgrading to 1.4.17 and 2.0.24, so we just need to backport the patches to Mageia 3 and Mageia 4.

David Walser 2014-06-24 16:45:39 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-06-24 18:21:11 CEST
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated gnupg and gnupg2 packages fix security vulnerability:

GnuPG versions before 1.4.17 and 2.0.24 are vulnerable to a denial of service
which can be caused by garbled compressed data packets which may put gpg into
an infinite loop (CVE-2014-4617).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000345.html
http://openwall.com/lists/oss-security/2014/06/24/14
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.14-1.3.mga3
gnupg2-2.0.19-3.3.mga3
gnupg-1.4.16-1.1.mga4
gnupg2-2.0.22-3.1.mga4

from SRPMS:
gnupg-1.4.14-1.3.mga3.src.rpm
gnupg2-2.0.19-3.3.mga3.src.rpm
gnupg-1.4.16-1.1.mga4.src.rpm
gnupg2-2.0.22-3.1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2014-06-24 18:22:45 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3

Use the "gpg" command to test gnupg.  Replace "gpg" with "gpg2" to test gnupg2.

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 David Walser 2014-06-24 18:39:41 CEST
The PoC is mentioned in the openwall link, but I figured out how to make it work.

If you create a 4-byte file:
echo -n "food" > foo.gpg

Edit that file with hexedit, and change the contents to A3 01 5B FF:
hexedit foo.gpg
A3 01 5B FF
(Ctrl-X to save and exit)

Then try to decrypt that file:
gpg -d -r username foo.gpg
gpg2 -d -r username foo.gpg

Both commands will go into an infinite loop printing garbage to the console.

With the update, it should immediately exit.
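
The test procedure from comment 3 as a scripted regression check, added here as an example and not part of the original bug thread. The function names and the 5-second deadline are assumptions of this example, and `timeout` is assumed to be the GNU coreutils one.

```sh
#!/bin/sh
# Added example: scripted form of the comment 3 test case (CVE-2014-4617).
# Function names and the 5-second deadline are assumptions of this example.

# Write the 4-byte file A3 01 5B FF directly, without hexedit.
make_testcase() {
    printf '\243\001\133\377' > "$1"
}

# Decode the first byte as an old-format OpenPGP packet header (RFC 4880, 4.2):
# bits 5-2 are the packet tag, bits 1-0 the length type.
# 0xA3 gives tag 8 (compressed data) with length type 3 (indeterminate);
# the next byte, 01, selects ZIP, and 5B FF is the garbled deflate stream.
describe_header() (
    b=$(od -An -tu1 -N1 "$1" | tr -d ' \n')
    [ -n "$b" ] || exit 1
    echo "tag=$(( ($b >> 2) & 15 )) lentype=$(( $b & 3 ))"
)

# Run a command under a deadline and discard its output (the unpatched gpg
# prints garbage without end). timeout exits 124 when it had to send TERM
# and 137 when the follow-up KILL was needed.
run_with_deadline() (
    secs=$1; shift; rc=0
    timeout -k 1 "$secs" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        124|137) echo "hang" ;;
        *)       echo "terminated rc=$rc" ;;
    esac
)

# Check every installed gpg binary against the test file.
check_gpg() (
    f=$(mktemp) || exit 1
    make_testcase "$f"
    echo "header: $(describe_header "$f")"
    for bin in gpg gpg2; do
        command -v "$bin" >/dev/null 2>&1 || { echo "$bin: not installed"; continue; }
        echo "$bin: $(run_with_deadline 5 "$bin" -d -r username "$f")"
    done
    rm -f "$f"
)

check_gpg
```

Only `hang` marks the looping behaviour; a build that exits, with or without an error message, is reported as `terminated` along with its return code.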

Comment 4 claire robinson 2014-06-25 17:34:22 CEST
Testing complete mga3 32

Thanks for the testcase David

Before
------
$ gpg -d -r username foo.gpg 
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
...etc
������������������������������������������������������������������������������������������������������������������������������������������^C
gpg: Interrupt caught ... exiting

killed with ctrl-c. gpg2 the same.

After
-----
$ gpg -d -r username foo.gpg 
$ gpg2 -d -r username foo.gpg 

No errors

claire robinson 2014-06-25 17:34:30 CEST

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok

Comment 5 claire robinson 2014-06-25 17:56:16 CEST
Testing complete mga4 64

Before
------
$ gpg -d -r username foo.gpg 
gpg: fatal: zlib inflate problem: invalid distance code
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

$ gpg2 -d -r username foo.gpg 
gpg: Fatal: zlib inflate problem: invalid distance code

Doesn't appear vulnerable, at least as a DoS.

After
-----
$ gpg -d -r username foo.gpg 
gpg: fatal: zlib inflate problem: invalid distance code
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

$ gpg2 -d -r username foo.gpg 
gpg: Fatal: zlib inflate problem: invalid distance code


Confirmed it works as expected otherwise.

Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 6 claire robinson 2014-06-25 18:08:11 CEST
Testing complete mga3 64

This gives the same results as mga4 64 in comment 5

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 7 claire robinson 2014-06-25 18:12:01 CEST
Testing complete mga4 32

This too gives the same results

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

David Walser 2014-06-25 18:32:39 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603513/

Comment 8 claire robinson 2014-06-25 19:19:39 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2014-06-27 17:26:29 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0276.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

