Summary: app-crypt/gnupg buffer overflow
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B1 [glsa] DerCorny
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen 2006-07-31 00:58:58 UTC
Text from Security Focus: http://www.securityfocus.com/bid/19110/

GnuPG is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. This issue may allow remote attackers to execute arbitrary machine code in the context of the affected application, but this has not been confirmed. GnuPG version 1.4.4 is vulnerable to this issue; previous versions may also be affected.

The following Perl command demonstrates this issue by crashing the affected application:

perl -e 'print "\xfd\xff\xff\xff\xff\xfe"' | /var/gnupg/bin/gpg --no-armor

http://lists.immunitysec.com/pipermail/dailydave/2006-July/003354.html
Comment 1 Wolf Giesen (RETIRED) 2006-07-31 03:03:16 UTC
Actually, 1.9.20-r3 is stable on almost all arches; I also remember we dropped the last "--no-armor" vulnerability (#137622), but impact is high this time and might thus call for masking.
Comment 2 Daniel Black (RETIRED) 2006-07-31 17:48:29 UTC
Added 1.4.5rc1. This seems to fix the vulnerability, HOWEVER please wait until full release before stabilising. It shouldn't be that long, and big ugly "THIS IS A DEVELOPMENT VERSION!" warnings will put people off.

$ gpg --version
gpg (GnuPG) 1.4.5rc1-ecc0.1.6
$ perl -e 'print "\xfd\xff\xff\xff\xff\xfe"' | gpg --no-armor
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: using character set `iso-8859-1'
gpg: packet(61) too large
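The six bytes of the proof of concept in the description are a complete OpenPGP (RFC 4880) packet header with nothing after it: 0xfd is a new-format tag octet carrying tag 61 (one of the private/experimental tags 60-63, which is why the 1.4.5rc1 output above says "packet(61)"), and the 0xff length octet announces a four-octet body length of 0xfffffffe. A parser that trusts that length before checking how much input actually follows the header is the failure the report describes. What follows is an added example, not GnuPG code and not part of the bug report: a small Python decoder for RFC 4880 packet headers (old and new format, including two-octet and partial lengths) with the bounds check that must run before any allocation or copy of the declared length. The function names parse_header and check_packet and the exact wording of the verdict strings are my own; the "too large" phrasing echoes the gpg message above but is not GnuPG's output.

```python
"""
Decode an OpenPGP packet header (RFC 4880 section 4.2) and bounds-check the
declared body length against the input actually present.  Added example;
this is not GnuPG's parser.
"""

# The bytes produced by the report's one-liner:
#   perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'
POC = bytes.fromhex("fdfffffffffe")


class PacketError(ValueError):
    """Raised for headers that cannot be decoded at all."""


def parse_header(data: bytes) -> dict:
    """Return tag, declared body length and header size for the packet that
    starts at data[0].  length is None for an old-format indeterminate length;
    partial is True when a new-format partial body length was seen (only the
    first chunk length is reported)."""
    if not data:
        raise PacketError("empty input")
    ctb = data[0]
    if not ctb & 0x80:
        raise PacketError("bit 7 of the packet tag octet is not set")
    new_format = bool(ctb & 0x40)
    partial = False

    if new_format:
        tag = ctb & 0x3F                      # six-bit tag; 0xfd -> 61
        if len(data) < 2:
            raise PacketError("truncated length field")
        l1 = data[1]
        if l1 < 192:                          # one-octet length
            length, hdr = l1, 2
        elif l1 < 224:                        # two-octet length
            if len(data) < 3:
                raise PacketError("truncated length field")
            length, hdr = ((l1 - 192) << 8) + data[2] + 192, 3
        elif l1 == 255:                       # five-octet length: 0xff + 4 octets
            if len(data) < 6:
                raise PacketError("truncated length field")
            length, hdr = int.from_bytes(data[2:6], "big"), 6
        else:                                 # partial body length, first chunk
            length, hdr, partial = 1 << (l1 & 0x1F), 2, True
    else:
        tag = (ctb >> 2) & 0x0F               # four-bit tag
        ltype = ctb & 0x03                    # 0/1/2 -> 1/2/4 length octets
        if ltype == 3:
            length, hdr = None, 1             # indeterminate length
        else:
            n = 1 << ltype
            if len(data) < 1 + n:
                raise PacketError("truncated length field")
            length, hdr = int.from_bytes(data[1:1 + n], "big"), 1 + n

    return {"tag": tag, "new_format": new_format, "length": length,
            "header_len": hdr, "partial": partial}


def check_packet(data: bytes) -> str:
    """The check a safe parser makes before using the declared length: the
    body must fit inside the input that actually follows the header."""
    h = parse_header(data)
    available = len(data) - h["header_len"]
    if h["length"] is not None and h["length"] > available:
        return (f"packet({h['tag']}) too large: declares {h['length']} bytes, "
                f"{available} available")
    return f"packet({h['tag']}) ok: {h['length']} bytes"


if __name__ == "__main__":
    print(parse_header(POC))
    print(check_packet(POC))
    # A well-formed tag-61 packet with a 3-byte body, constructed for contrast.
    print(check_packet(bytes.fromhex("fd03414243")))
```

Run against POC, parse_header reports tag 61, a header of 6 bytes and a declared length of 4294967294, and check_packet rejects it because 0 bytes are available; the constructed 5-byte packet with a 1-octet length of 3 passes. The same check applies to the old-format and two-octet encodings, which the one-liner does not exercise but which a parser has to handle with the same care.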
Comment 3 Stefan Cornelius (RETIRED) 2006-08-01 10:51:45 UTC
(In reply to comment #2)
> Added 1.4.5rc1. This seems to fix the vulnerability HOWEVER please wait until
> full release before stabilising. It shouldn't be that long and big ugly "THIS
> IS A DEVELOPMENT VERSION!" warnings will put people off.

Indeed, 1.4.5 has been released. Please do your magic again, thanks.
Comment 4 Daniel Black (RETIRED) 2006-08-01 14:13:25 UTC
1.4.5 magic done.
Comment 5 Andrej Kacian (RETIRED) 2006-08-01 15:43:45 UTC
x86 stable, the mentioned perl command doesn't crash it, and the common functionality checks out OK.
Comment 6 Markus Rothe (RETIRED) 2006-08-01 23:14:49 UTC
Comment 7 Thierry Carrez (RETIRED) 2006-08-02 06:24:29 UTC
This could be considered B1 since feeding emails to gpg is somewhat automated.
Comment 8 Raphael Marichez (Falco) (RETIRED) 2006-08-02 06:52:18 UTC
(In reply to comment #7)
> This could be considered B1 since feeding emails to gpg is somewhat automated.

I agree.
Comment 9 Gustavo Zacarias (RETIRED) 2006-08-02 07:05:10 UTC
Comment 10 Thomas Cort (RETIRED) 2006-08-02 07:33:33 UTC
Comment 11 Sune Kloppenborg Jeppesen 2006-08-02 08:45:27 UTC
Rerating according to comments #7 and #8.
Comment 12 Tobias Scherbaum (RETIRED) 2006-08-02 09:02:13 UTC
Comment 13 René Nussbaumer (RETIRED) 2006-08-04 05:45:07 UTC
Stable on hppa. Sorry for the delay.
Comment 14 Mike Doty (RETIRED) 2006-08-04 06:19:53 UTC
Comment 15 Sune Kloppenborg Jeppesen 2006-08-05 04:51:03 UTC
GLSA 200608-08. arm, ia64, mips, s390: don't forget to mark stable to benefit from the GLSA.
Comment 16 Peter Volkov (RETIRED) 2008-03-06 09:39:28 UTC
Does not affect current (2008.0) release. Removing release.