Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 214990

Summary: app-crypt/gnupg =1.4.8, =2.0.8 Memory corruption when importing keys (CVE-2008-1530)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial CC: crypto+disabled, hanno
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 23:43:32 UTC
From announcement:
  We are pleased to announce the availability of a new stable GnuPG-1
  release: Version 1.4.9.  This is a maintenance release to fix a possible
  vulnerability introduced with 1.4.8.

This bug is also present in 2.0.8 and was fixed with 2.0.9. Both 1.4.8 and 2.0.8 are ~arch only, so please do not move them to stable. A bump for ~arch would be required.

Upstream bug:

g10 ChangeLog:
2008-03-25  David Shaw  <>  (wk)

        * import.c (collapse_uids): Fix bug 894: possible memory
        corruption around deduplication of user IDs.

Andrea Barisani

Patch in trunk:
svn diff -r4712:4713 svn://
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 00:41:12 UTC
oCERT Advisory:
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2008-03-27 10:52:09 UTC
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 20:26:29 UTC
Thanks, no GLSA for ~arch packages.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 22:31:06 UTC
*** Bug 215782 has been marked as a duplicate of this bug. ***