Bug 534002 - dev-libs/libgcrypt: two vulnerabilities
Summary: dev-libs/libgcrypt: two vulnerabilities
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-30 09:56 UTC by Agostino Sarubbo
Modified: 2016-12-01 22:31 UTC (History)

Description Agostino Sarubbo gentoo-dev 2014-12-30 09:56:40 UTC
From ${URL} :

I found multiple vulnerabilities in libgcrypt. Could I get some CVE IDs
for them?

--
Double free of 'hd':
http://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003300.html

off-by-one out-of-bounds read:
http://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2014-12-30 10:06:49 UTC
Are you sure you want to apply these before they have reached upstream master[1]?

[1] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=shortlog;h=refs/heads/master
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-30 11:09:09 UTC
(In reply to Alon Bar-Lev from comment #1)
> Are you sure you want to apply these before they have reached upstream master[1]?
> 
> [1]
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=shortlog;h=refs/
> heads/master

No. In fact, the whiteboard tag is upstream, which means there is no fix from upstream.

reference: http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap4
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 17:12:33 UTC
@Security: I suggest closing this bug as invalid:

CVE requests were rejected, see http://www.openwall.com/lists/oss-security/2014/12/29/10

I could only find https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=1c6d2698a84e4bf82735287c1d64954bfc1a1982 which *could* be what Joshua Rogers tried to report; however, there's no link between the commit and the patch, and notice the time between the report and the commit (and don't forget Florian Weimer's comment in the CVE rejection on Joshua's patch).

The second one was also not accepted; see https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=mpi/mpiutil.c#l738, which Joshua Rogers wanted to change according to https://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-12-01 22:31:20 UTC
(In reply to Thomas Deutschmann from comment #3)
> @Security: I suggest closing this bug as invalid:
> 
> CVE requests were rejected, see
> http://www.openwall.com/lists/oss-security/2014/12/29/10
> 
> I could only find
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;
> h=1c6d2698a84e4bf82735287c1d64954bfc1a1982 which *could* be what Joshua
> Rogers tried to report; however, there's no link between the commit and
> the patch, and notice the time between the report and the commit (and
> don't forget Florian Weimer's comment in the CVE rejection on Joshua's
> patch).
> 
> The second one was also not accepted; see
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=mpi/
> mpiutil.c#l738, which Joshua Rogers wanted to change according to
> https://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html

Agreed.  Thank you for the research.