Text from Security Focus: http://www.securityfocus.com/bid/19110/

GnuPG is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. This issue may allow remote attackers to execute arbitrary machine code in the context of the affected application, but this has not been confirmed. GnuPG version 1.4.4 is vulnerable to this issue; previous versions may also be affected.

The following Perl command demonstrates this issue by crashing the affected application:

perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| /var/gnupg/bin/gpg --no-armor

http://lists.immunitysec.com/pipermail/dailydave/2006-July/003354.html
Actually, 1.9.20-r3 is stable on almost all arches; I also remember we dropped the last "--no-armor" vulnerability (#137622), but impact is high this time and might thus call for masking.
Added 1.4.5rc1. This seems to fix the vulnerability HOWEVER please wait until full release before stabilising. It shouldn't be that long and big ugly "THIS IS A DEVELOPMENT VERSION!" warnings will put people off.

$ gpg --version
gpg (GnuPG) 1.4.5rc1-ecc0.1.6
$ perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| gpg --no-armor
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: using character set `iso-8859-1'
gpg: packet(61) too large
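A sketch of the kind of header length check that rejects the six-byte test input with a "too large" result, decoded per RFC 4880. This is an added example, not GnuPG's code and not part of the original thread; MAX_BODY_LEN and all type and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BODY_LEN 0x100000u  /* assumed cap for this sketch, not GnuPG's limit */
enum hdr_status { HDR_OK, HDR_TRUNCATED, HDR_NOT_NEW_FORMAT, HDR_PARTIAL, HDR_TOO_LARGE };
struct pkt_hdr { unsigned tag; uint32_t body_len; size_t hdr_len; };

/* The six bytes the Perl one-liner on this page prints. */
static const uint8_t PAGE_INPUT[6] = { 0xfd, 0xff, 0xff, 0xff, 0xff, 0xfe };

/* Parse a new-format OpenPGP packet header (RFC 4880, section 4.2) and
 * validate the declared body length before anything is allocated or copied. */
enum hdr_status parse_new_header(const uint8_t *buf, size_t n, struct pkt_hdr *out)
{
    if (n < 2) return HDR_TRUNCATED;
    if ((buf[0] & 0xC0) != 0xC0) return HDR_NOT_NEW_FORMAT;
    out->tag = buf[0] & 0x3F;                 /* 0xfd -> tag 61 */
    uint8_t c = buf[1];
    if (c < 192) {                            /* one-octet length */
        out->body_len = c; out->hdr_len = 2;
    } else if (c < 224) {                     /* two-octet length */
        if (n < 3) return HDR_TRUNCATED;
        out->body_len = ((uint32_t)(c - 192) << 8) + buf[2] + 192;
        out->hdr_len = 3;
    } else if (c < 255) {
        return HDR_PARTIAL;                   /* partial body lengths: not handled here */
    } else {                                  /* 0xff: four-octet big-endian length */
        if (n < 6) return HDR_TRUNCATED;
        out->body_len = ((uint32_t)buf[2] << 24) | ((uint32_t)buf[3] << 16)
                      | ((uint32_t)buf[4] << 8) | buf[5];
        out->hdr_len = 6;
    }
    if (out->body_len > MAX_BODY_LEN) return HDR_TOO_LARGE;     /* cap first */
    if (out->body_len > n - out->hdr_len) return HDR_TRUNCATED; /* body must be present */
    return HDR_OK;
}

/* Illustrative only, not from GnuPG's source: a 32-bit "length + overhead" wraps. */
uint32_t unchecked_alloc_size(uint32_t len, uint32_t overhead) { return len + overhead; }

int main(void)
{
    struct pkt_hdr h;
    enum hdr_status s = parse_new_header(PAGE_INPUT, sizeof PAGE_INPUT, &h);
    printf("status=%d tag=%u len=0x%08x wrapped=%u\n", s, h.tag,
           (unsigned)h.body_len, (unsigned)unchecked_alloc_size(h.body_len, 16));
    return 0;
}
```

The declared length 0xfffffffe is rejected at the cap; without it, adding even a small fixed overhead in 32-bit arithmetic yields a tiny buffer size.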
(In reply to comment #2)
> Added 1.4.5rc1. This seems to fix the vulnerability HOWEVER please wait until
> full release before stabilising. It shouldn't be that long and big ugly "THIS
> IS A DEVELOPMENT VERSION!" warnings will put people off.

Indeed, 1.4.5 has been released. Please do your magic again, thanks
1.4.5 magic done.
x86 stable, the mentioned perl command doesn't crash it, and the common functionality checks out OK.
ppc64 stable
This could be considered B1 since feeding emails to gpg is somewhat automated.
(In reply to comment #7)
> This could be considered B1 since feeding emails to gpg is somewhat automated.
>

I agree
sparc stable.
alpha stable.
Rerating according to comment #7 and #8.
ppc stable
Stable on hppa. Sorry for the delay.
amd64 stable
GLSA 200608-08

arm, ia64, mips, s390: don't forget to mark stable to benefit from the GLSA.
Does not affect current (2008.0) release. Removing release.