The fuzzing project found some bugs in GnuPG and GnuPG2:
http://www.openwall.com/lists/oss-security/2015/02/13/14

The two NULL dereference issues were not assigned CVEs, the other two issues were:
http://www.openwall.com/lists/oss-security/2015/02/14/6

RedHat has said they don't plan to backport fixes for these to RHEL, and Debian has classified them as minor, no-DSA issues, even though one got mentioned in a DSA on March 12 for gnupg:
https://www.debian.org/security/2015/dsa-3184

These sound to be extremely low-severity issues.

I've checked in backported patches for all four issues in Mageia 4 SVN for gnupg and gnupg2. They will be included in the next update, whenever that is.

The fixes are already in Cauldron, as it has the latest versions of gnupg and gnupg2.
URL: (none) => http://lwn.net/Vulnerabilities/636681/
LWN reference for CVE-2015-1607: http://lwn.net/Vulnerabilities/638726/ Ubuntu has issued an advisory for this today (April 1): http://www.ubuntu.com/usn/usn-2554-1/
You should submit them to 4/updates testing then, as nobody is listed as maintainer.
CC: (none) => cooker
No, these ones don't need their own build. As I already said, these fixes are in SVN and will be included in the *next* update, whenever there's a more important issue to fix.
Submitting this update now to get it in before Mageia 4 EOL.

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=15441#c2

Advisory:
========================

Updated gnupg and gnupg2 packages fix security vulnerabilities:

Hanno Böck discovered that GnuPG incorrectly handled certain malformed keyrings. If a user or automated system were tricked into opening a malformed keyring, a remote attacker could use this issue to cause GnuPG to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1606, CVE-2015-1607).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607
http://www.ubuntu.com/usn/usn-2554-1/
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.16-1.3.mga4
gnupg2-2.0.22-3.2.mga4

from SRPMS:
gnupg-1.4.16-1.3.mga4.src.rpm
gnupg2-2.0.22-3.2.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
Testing complete Mageia 4 i586 using the procedure.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0359.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED