Bug 13827 - gpgme new security issue CVE-2014-3564
Summary: gpgme new security issue CVE-2014-3564
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/607793/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-07-31 17:28 CEST by David Walser
Modified: 2014-08-21 11:37 CEST

See Also:
Source RPM: gpgme-1.4.3-2.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-07-31 17:28:46 CEST
Details of a vulnerability fixed upstream have been released today (July 31):
http://openwall.com/lists/oss-security/2014/07/31/5

The issue is fixed in version 1.5.1, just uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated gpgme packages fix security vulnerability:

A heap-based buffer overflow in gpgme before 1.5.1 could allow a specially
crafted certificate to cause crashes or potentially cause arbitrary code
execution (CVE-2014-3564).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3564
https://bugzilla.redhat.com/show_bug.cgi?id=1113267
========================

Updated packages in core/updates_testing:
========================
libgpgme11-1.3.2-2.1.mga3
libgpgme-devel-1.3.2-2.1.mga3
libgpgme11-1.4.3-2.1.mga4
libgpgme-devel-1.4.3-2.1.mga4

from SRPMS:
gpgme-1.3.2-2.1.mga3.src.rpm
gpgme-1.4.3-2.1.mga4.src.rpm

David Walser 2014-07-31 17:28:52 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Rémi Verschelde 2014-08-01 15:52:41 CEST
No PoC as far as I can tell, we should just test for obvious regressions.

CC: (none) => remi

Comment 2 Mark Kay 2014-08-05 09:35:59 CEST
I can't for the life of me reproduce this bug as outlined here through Kmail: https://bugzilla.redhat.com/show_bug.cgi?id=1113267

Installed:
- lib64gpgme11-1.4.3-2.1.mga4.x86_64
- lib64gpgme-devel-1.4.3-2.1.mga4.x86_64

But overall, no regression in x86_64 version.

CC: (none) => markkuehn
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 3 David Walser 2014-08-06 21:46:26 CEST
Ubuntu has issued an advisory for this today (August 6):
http://www.ubuntu.com/usn/usn-2307-1/

URL: (none) => http://lwn.net/Vulnerabilities/607793/

Comment 4 Dick Gevers 2014-08-14 21:35:31 CEST
IMO if gpg agent works okay in signing/encrypting mail with your mail client, then gpgme ought to be okay.

Comment 5 claire robinson 2014-08-20 17:50:33 CEST
Testing complete mga3 32 using python-gpgme
(urpmq --whatrequires libgpgme11)

Found a basic script here: 
http://stackoverflow.com/questions/9257450/how-to-sign-a-file-and-then-verify

Assuming you've previously created gpg keys.

$ cat gpgmetest.py 
import gpgme
from io import BytesIO

ctx = gpgme.Context()
plain = BytesIO("Hello")
sign = BytesIO("")

ctx.sign(plain, sign, gpgme.SIG_MODE_CLEAR)
print sign.getvalue()


$ python gpgmetest.py
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQEcBAEBAgAGBQJT9MJYAAoJEAwPe11O4nSymR8H/jFazvLQoPyY9ruCYVS6oJvE

...etc

LrPFAAqlwYPPt93/i4+KtWlQkgSUqGtcsNw9gjbJep/d8t6Gc8CfhS7eedFNghw=
=Jm9S
-----END PGP SIGNATURE-----

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK

Comment 6 claire robinson 2014-08-20 18:02:20 CEST
Checked patches applied with rpmdiff in madb.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2014-08-21 11:37:07 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0340.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

