Bug 487230 (CVE-2013-4402) - <app-crypt/gnupg-{1.4.15,2.0.22}: Compressed Packet Parser Denial of Service Vulnerability (CVE-2013-4402)
Summary: <app-crypt/gnupg-{1.4.15,2.0.22}: Compressed Packet Parser Denial of Service ...
Status: RESOLVED FIXED
Alias: CVE-2013-4402
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55071/
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2013-4351
Reported: 2013-10-07 19:07 UTC by Agostino Sarubbo
Modified: 2014-02-21 16:08 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-10-07 19:07:48 UTC
From ${URL} :

Description

A vulnerability has been reported in GnuPG, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to the application not properly checking nested depth when parsing compressed packets. This can be exploited to cause an infinite recursion by sending specially crafted packets.

The vulnerability is reported in versions prior to 1.4.15 and 2.0.22.


Solution:
Update to version 1.4.15 or 2.0.22.

Provided and/or discovered by:
The vendor credits Taylor R. Campbell.

Original Advisory:
http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html
http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000334.html



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
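The nesting-depth check the advisory describes as missing, shown as an added C example that is not GnuPG's code and not part of this bug report. It parses a constructed toy packet framing (one-byte tag, one-byte body length; tag 8 wraps a nested packet stream and is treated as already decompressed, tag 11 is a leaf) and refuses to recurse past an assumed cap of 32 levels; `nested_result()` builds constructed input with a chosen number of wrappers and parses it.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy framing, not real OpenPGP: tag byte, one-byte body
 * length, then body.  Tag 8 (compressed data) wraps another packet stream
 * and is treated as already decompressed; tag 11 (literal data) is a leaf. */
#define TAG_COMPRESSED 8
#define TAG_LITERAL    11
#define MAX_NESTING    32   /* assumed cap for this demonstration */
#define ERR_NESTING   -1
#define ERR_MALFORMED -2
/* Returns the number of literal packets found, or a negative error. */
int parse_stream(const uint8_t *buf, size_t len, int depth)
{
    int literals = 0;
    /* The nesting-depth check the advisory describes as missing. */
    if (depth > MAX_NESTING)
        return ERR_NESTING;
    for (size_t pos = 0; pos < len; ) {
        if (len - pos < 2 || (size_t)buf[pos + 1] > len - pos - 2)
            return ERR_MALFORMED;          /* header or body truncated */
        size_t blen = buf[pos + 1];
        if (buf[pos] == TAG_COMPRESSED) {
            int r = parse_stream(buf + pos + 2, blen, depth + 1);
            if (r < 0) return r;           /* propagate the error */
            literals += r;
        } else if (buf[pos] == TAG_LITERAL) {
            literals++;
        } else {
            return ERR_MALFORMED;          /* unknown tag */
        }
        pos += 2 + blen;
    }
    return literals;
}

/* Constructed input: `levels` compressed wrappers around one empty literal
 * packet, then parsed from depth 0.  Returns parse_stream()'s result. */
int nested_result(size_t levels)
{
    uint8_t buf[256];                      /* 2 bytes per level + 2 */
    if (levels > 126) return ERR_MALFORMED; /* would not fit the buffer */
    for (size_t i = 0; i < levels; i++) {
        buf[2 * i] = TAG_COMPRESSED;
        buf[2 * i + 1] = (uint8_t)(2 * (levels - i));  /* inner size */
    }
    buf[2 * levels] = TAG_LITERAL;
    buf[2 * levels + 1] = 0;
    return parse_stream(buf, 2 * levels + 2, 0);
}
```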
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2013-10-07 19:21:16 UTC
app-crypt/gnupg-1.4.15, app-crypt/gnupg-2.0.22 in tree.

Need to stabilize dev-libs/libgpg-error-1.12 as well.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-10-08 03:32:37 UTC
Arches, please test and mark stable:

=app-crypt/gnupg-1.4.15
=app-crypt/gnupg-2.0.22
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"

=dev-libs/libgpg-error-1.12
Target keywords : "amd64 arm ppc sparc x86"
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-08 03:46:11 UTC
Correction to above, libgpg-error needs to have the same KEYWORDS as gnupg. Stable list should read:

=app-crypt/gnupg-1.4.15
=app-crypt/gnupg-2.0.22
=dev-libs/libgpg-error-1.12
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-08 13:48:21 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-08 19:26:09 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-10-09 05:42:48 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-11 14:06:44 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-11 14:07:10 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-11 14:07:38 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-11 14:08:03 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-12 18:16:28 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-12 18:16:45 UTC
ppc stable
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-15 10:34:35 UTC
This has been included in an existing GLSA draft.
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2013-10-22 17:10:56 UTC
crypto done
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:03:48 UTC
CVE-2013-4402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4402):
  GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to
  cause a denial of service (infinite recursion) via a crafted OpenPGP
  message.
Comment 16 Sergey Popov gentoo-dev 2013-11-28 08:11:16 UTC
+  28 Nov 2013; Sergey Popov <pinkbyte@gentoo.org> -gnupg-1.4.14.ebuild,
+  -gnupg-2.0.20.ebuild:
+  Security cleanup wrt bug #487230
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:34 UTC
This issue was resolved and addressed in
 GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml
by GLSA coordinator Chris Reffett (creffett).