From ${URL} :

Description
A vulnerability has been reported in GnuPG, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the application not properly checking nested depth when parsing compressed packets. This can be exploited to cause an infinite recursion by sending specially crafted packets. The vulnerability is reported in versions prior to 1.4.15 and 2.0.22.

Solution: Update to version 1.4.15 or 2.0.22.

Provided and/or discovered by: The vendor credits Taylor R. Campbell.

Original Advisory:
http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html
http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000334.html

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
app-crypt/gnupg-1.4.15, app-crypt/gnupg-2.0.22 in tree. Need to stabilize dev-libs/libgpg-error-1.12 as well.
Arches, please test and mark stable:
=app-crypt/gnupg-1.4.15
=app-crypt/gnupg-2.0.22
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=dev-libs/libgpg-error-1.12
Target keywords: "amd64 arm ppc sparc x86"
Correction to above, libgpg-error needs to have the same KEYWORDS as gnupg. Stable list should read:
=app-crypt/gnupg-1.4.15
=app-crypt/gnupg-2.0.22
=dev-libs/libgpg-error-1.12
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
ia64 stable
ppc64 stable
sparc stable
arm stable
ppc stable
This has been included on an existing GLSA draft.
crypto done
CVE-2013-4402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4402): GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.
+ 28 Nov 2013; Sergey Popov <pinkbyte@gentoo.org> -gnupg-1.4.14.ebuild, + -gnupg-2.0.20.ebuild: + Security cleanup wrt bug #487230
This issue was resolved and addressed in GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml by GLSA coordinator Chris Reffett (creffett).
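
The nesting-depth check that the advisory in the first comment and the CVE-2013-4402 description say was missing, shown as an added example that is not GnuPG's code and not part of this bug report. It parses a constructed toy packet format; the tag values, `MAX_NESTING_DEPTH`, `MAX_INFLATED_BYTES` and all function names are assumptions made for illustration.

```python
import struct
import zlib

# Constructed toy container format (NOT real OpenPGP framing):
#   1-byte tag, 4-byte big-endian body length, body.
TAG_COMPRESSED = 8             # body is zlib data holding more packets
TAG_LITERAL = 11               # body is an opaque payload
MAX_NESTING_DEPTH = 32         # assumed limit for this example
MAX_INFLATED_BYTES = 1 << 20   # assumed per-layer output cap

class NestingError(ValueError):
    """Raised when compressed layers nest deeper than the limit."""

def pack(tag, body):
    return struct.pack(">BI", tag, len(body)) + body

def parse(data, depth=0):
    """Return the literal payloads found in data, in order."""
    # The check the advisory describes as absent: bound the recursion.
    if depth > MAX_NESTING_DEPTH:
        raise NestingError(f"nesting depth {depth} exceeds {MAX_NESTING_DEPTH}")
    literals, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated packet header")
        tag, length = struct.unpack_from(">BI", data, pos)
        pos += 5
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        pos += length
        if tag == TAG_COMPRESSED:
            inflater = zlib.decompressobj()
            inner = inflater.decompress(body, MAX_INFLATED_BYTES)
            if inflater.unconsumed_tail or not inflater.eof:
                raise ValueError("layer too large or truncated")
            literals += parse(inner, depth + 1)
        elif tag == TAG_LITERAL:
            literals.append(body)
        else:
            raise ValueError(f"unknown tag {tag}")
    return literals

def nest(payload, layers):
    """Constructed sample input: payload wrapped in `layers` compressed packets."""
    data = pack(TAG_LITERAL, payload)
    for _ in range(layers):
        data = pack(TAG_COMPRESSED, zlib.compress(data))
    return data
```

Input nested deeper than the limit is rejected with `NestingError` at a fixed depth instead of recursing until the stack is exhausted.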