Upstream has released version 0.30 on April 13: https://github.com/kazu-yamamoto/pgpdump/blob/master/CHANGES It fixes a security issue: https://github.com/kazu-yamamoto/pgpdump/pull/16 Mageia 5 is also affected.
URL: pgpdump-0.29-3.mga5.src.rpm => http://lwn.net/Vulnerabilities/685000/
CC: (none) => mageia
Whiteboard: (none) => MGA5TOO
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated pgpdump package fixes security vulnerability:

When pgpdump is run on specially crafted input, a denial of service condition occurs. The program runs with 100% CPU usage for an indefinite amount of time. A remote attacker is able to create a specially crafted input that is leading to CPU resource consumption resulting in denial of service (CVE-2016-4021).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4021
https://github.com/kazu-yamamoto/pgpdump/blob/master/CHANGES
========================

Updated packages in core/updates_testing:
========================
pgpdump-0.30-1.mga5

from pgpdump-0.30-1.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)
Testing complete mga5 64

PoC http://seclists.org/bugtraq/2016/Apr/99

$ echo -en '\xa3\x03' | ./pgpdump
Old: Compressed Data Packet(tag 8)
	Comp alg - BZip2(comp 3)
[ ... endless loop ...]

It seems ours is immune..

$ echo -en '\xa3\x03' | pgpdump
Old: Compressed Data Packet(tag 8)
	Comp alg - BZip2(comp 3)
pgpdump: can't uncompress without zlib/bzip2.

Output is identical after update so it does no harm. Up to you if you still want to push it David.
Whiteboard: (none) => has_procedure mga5-64-ok
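The two PoC bytes above decode exactly as pgpdump reports them: an old-format packet header with tag 8 (Compressed Data) and length type 3 (indeterminate length), followed by the algorithm octet 3 (BZip2) and then nothing at all. The following Python is an added example, not pgpdump's code and not the upstream fix; it decodes OpenPGP packet headers per RFC 4880 section 4.2 (old-format and the non-partial new-format lengths), reports what the PoC packet claims, and shows a decompressor that refuses to run on an empty body and caps its output size. `POC_INPUT` is constructed from the `echo -en` command in the comment above; `decompress_bounded` and `build_old_format_packet` are hypothetical helper names.

```python
"""Decode an OpenPGP packet header and the algorithm octet of a Compressed
Data Packet (tag 8), following RFC 4880 sections 4.2 and 5.6.

Added example, not pgpdump's code.  POC_INPUT is the two-byte PoC quoted in
the bug report; the output-bounded decompressor is a hypothetical hardening,
not the upstream fix."""

import bz2
import zlib

# Constructed from the PoC in the bug report: echo -en '\xa3\x03'
POC_INPUT = b"\xa3\x03"

# RFC 4880 section 9.3 compression algorithm ids
COMP_ALGS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}


def parse_header(data: bytes):
    """Return (tag, body_length, body_offset).

    body_length is None for an old-format packet with length type 3
    (indeterminate length): the body simply runs to end of input."""
    if not data:
        raise ValueError("empty input")
    ptag = data[0]
    if not ptag & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if ptag & 0x40:
        # New-format header: tag in the low six bits, length in 1, 2 or 5 octets.
        tag = ptag & 0x3F
        if len(data) < 2:
            raise ValueError("truncated new-format length")
        first = data[1]
        if first < 192:
            return tag, first, 2
        if first < 224:
            if len(data) < 3:
                raise ValueError("truncated two-octet length")
            return tag, ((first - 192) << 8) + data[2] + 192, 3
        if first == 255:
            if len(data) < 6:
                raise ValueError("truncated five-octet length")
            return tag, int.from_bytes(data[2:6], "big"), 6
        raise ValueError("partial body lengths are not handled here")
    # Old-format header: bits 5..2 are the tag, bits 1..0 the length type.
    tag = (ptag >> 2) & 0x0F
    ltype = ptag & 0x03
    if ltype == 3:
        return tag, None, 1
    nbytes = {0: 1, 1: 2, 2: 4}[ltype]
    if len(data) < 1 + nbytes:
        raise ValueError("truncated old-format length")
    return tag, int.from_bytes(data[1:1 + nbytes], "big"), 1 + nbytes


def describe_compressed_packet(data: bytes) -> dict:
    """Parse a tag-8 packet: one algorithm octet, then the compressed body."""
    tag, length, off = parse_header(data)
    if tag != 8:
        raise ValueError(f"not a Compressed Data Packet (tag {tag})")
    if off >= len(data):
        raise ValueError("compressed packet has no algorithm octet")
    alg = data[off]
    end = len(data) if length is None else off + length
    body = data[off + 1:end]
    return {
        "tag": tag,
        "alg": alg,
        "alg_name": COMP_ALGS.get(alg, f"unknown({alg})"),
        "indeterminate_length": length is None,
        "body": body,
    }


def decompress_bounded(data: bytes, max_out: int = 1 << 20):
    """Return (info, plaintext).  plaintext is None when the packet carries no
    compressed data; ValueError when the stream does not end within max_out."""
    info = describe_compressed_packet(data)
    body, alg = info["body"], info["alg"]
    if not body:
        return info, None          # nothing to feed a decompressor
    if alg == 0:
        if len(body) > max_out:
            raise ValueError("uncompressed body exceeds limit")
        return info, body
    if alg == 1:
        d = zlib.decompressobj(-15)  # ZIP = raw DEFLATE, no zlib wrapper
    elif alg == 2:
        d = zlib.decompressobj()
    elif alg == 3:
        d = bz2.BZ2Decompressor()
    else:
        raise ValueError(f"unsupported compression algorithm {alg}")
    out = d.decompress(body, max_out)  # stop producing output at max_out
    if not d.eof:
        raise ValueError("stream truncated or output exceeds limit")
    return info, out


def build_old_format_packet(alg: int, payload: bytes) -> bytes:
    """Wrap payload in a tag-8 packet with a one-octet old-format length."""
    body = bytes([alg]) + payload
    if len(body) > 255:
        raise ValueError("use a wider length type for this body")
    return bytes([0x80 | (8 << 2) | 0, len(body)]) + body


if __name__ == "__main__":
    info, out = decompress_bounded(POC_INPUT)
    print(f"tag {info['tag']}, {info['alg_name']}, indeterminate length="
          f"{info['indeterminate_length']}, body={len(info['body'])} bytes, "
          f"plaintext={out!r}")
```

Run stand-alone it prints the PoC decoding (tag 8, BZip2, indeterminate length, zero body bytes, plaintext None); the `max_out` cap is the check a practitioner would want in any tool that decompresses attacker-supplied packets, since the compressed body length says nothing about how much output it expands to.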
Perhaps missing a recommends.
Advisory committed to svn. I'll go ahead and validate. The missing requires or suggests for zlib/bzip2 can be looked at later.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0157.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED