
Bug 214990

Summary: app-crypt/gnupg =1.4.8, =2.0.8 Memory corruption when importing keys (CVE-2008-1530)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: crypto+disabled, hanno
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.gnupg.org/pipermail/gnupg-announce/2008q1/000272.html
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 23:43:32 UTC
From announcement:
  We are pleased to announce the availability of a new stable GnuPG-1
  release: Version 1.4.9.  This is a maintenance release to fix a possible
  vulnerability introduced with 1.4.8.

This bug is also present in 2.0.8 and was fixed with 2.0.9. Both 1.4.8 and 2.0.8 are ~arch only, so please do not move them to stable. A bump for ~arch would be required.


Upstream bug:
https://bugs.g10code.com/gnupg/issue894

g10 ChangeLog:
2008-03-25  David Shaw  <dshaw@jabberwocky.com>  (wk)

        * import.c (collapse_uids): Fix bug 894: possible memory
        corruption around deduplication of user IDs.

Credits:
Andrea Barisani

Patch in trunk:
svn diff -r4712:4713 svn://cvs.gnupg.org/gnupg/trunk/g10/import.c
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 00:41:12 UTC
oCERT Advisory:
http://www.ocert.org/advisories/ocert-2008-1.html
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2008-03-27 10:52:09 UTC
Added.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 20:26:29 UTC
Thanks, no GLSA for ~arch packages.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 22:31:06 UTC
*** Bug 215782 has been marked as a duplicate of this bug. ***