Bug 15483 - gnupg, gnupg2 new security issues CVE-2015-1606 and CVE-2015-1607
Summary: gnupg, gnupg2 new security issues CVE-2015-1606 and CVE-2015-1607
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal minor
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/636681/
Whiteboard: has_procedure advisory MGA4-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-13 15:23 CET by David Walser
Modified: 2015-09-13 23:59 CEST (History)
2 users (show)

See Also:
Source RPM: gnupg, gnupg2
CVE:
Status comment:


Attachments

Description David Walser 2015-03-13 15:23:45 CET
The fuzzing project found some bugs in GnuPG and GnuPG2:
http://www.openwall.com/lists/oss-security/2015/02/13/14

The two NULL dereference issues were not assigned CVEs, the other two issues were:
http://www.openwall.com/lists/oss-security/2015/02/14/6

RedHat has said they don't plan to backport fixes for these to RHEL, and Debian has classified them as minor, no-DSA issues, even though one got mentioned in a DSA on March 12 for gnupg:
https://www.debian.org/security/2015/dsa-3184

These sound to be extremely low-severity issues.  I've checked in backported patches for all four issues in Mageia 4 SVN for gnupg and gnupg2.  They will be included in the next update, whenever that is.

The fixes are already in Cauldron, as it has the latest versions of gnupg and gnupg2.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-13 16:05:10 CET

URL: (none) => http://lwn.net/Vulnerabilities/636681/

Comment 1 David Walser 2015-04-01 20:31:45 CEST
LWN reference for CVE-2015-1607:
http://lwn.net/Vulnerabilities/638726/

Ubuntu has issued an advisory for this today (April 1):
http://www.ubuntu.com/usn/usn-2554-1/
Comment 2 Johnny A. Solbu 2015-04-12 09:27:39 CEST
You should submit them to 4/updates testing then, as nobody is listed as maintainer.

CC: (none) => cooker

Comment 3 David Walser 2015-04-12 11:36:06 CEST
No, these ones don't need their own build.  As I already said, these fixes are in SVN and will be included in the *next* update, whenever there's a more important issue to fix.
Comment 4 David Walser 2015-09-02 17:52:16 CEST
Submitting this update now to get it in before Mageia 4 EOL.

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=15441#c2

Advisory:
========================

Updated gnupg and gnupg2 packages fix security vulnerabilities:

Hanno Böck discovered that GnuPG incorrectly handled certain malformed
keyrings. If a user or automated system were tricked into opening a
malformed keyring, a remote attacker could use this issue to cause GnuPG to
crash, resulting in a denial of service, or possibly execute arbitrary
code (CVE-2015-1606, CVE-2015-1607).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607
http://www.ubuntu.com/usn/usn-2554-1/
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.16-1.3.mga4
gnupg2-2.0.22-3.2.mga4

from SRPMS:
gnupg-1.4.16-1.3.mga4.src.rpm
gnupg2-2.0.22-3.2.mga4.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

Comment 5 David Walser 2015-09-08 22:00:08 CEST
Testing complete Mageia 4 i586 using the procedure.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 6 claire robinson 2015-09-13 22:13:11 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-09-13 23:59:24 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0359.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.