
Bug 487230 (CVE-2013-4402)

Summary: <app-crypt/gnupg-{1.4.15,2.0.22}: Compressed Packet Parser Denial of Service Vulnerability (CVE-2013-4402)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/55071/
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 484836

Description Agostino Sarubbo gentoo-dev 2013-10-07 19:07:48 UTC
From ${URL} :

Description

A vulnerability has been reported in GnuPG, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to the application not properly checking nested depth when parsing compressed packets. This can be exploited to cause an infinite recursion by sending specially crafted packets.

The vulnerability is reported in versions prior to 1.4.15 and 2.0.22.


Solution:
Update to version 1.4.15 or 2.0.22.

Provided and/or discovered by:
The vendor credits Taylor R. Campbell.

Original Advisory:
http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html
http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000334.html
@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
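The missing depth check the advisory describes, as an added example that is not GnuPG's code: a small walker over old-format OpenPGP packet headers that descends into Compressed Data packets (tag 8, uncompressed algorithm 0 only) and refuses to recurse once nesting exceeds a bound. The helper names and the MAX_NESTING_DEPTH value of 32 are assumptions; the nested input is constructed in the block itself.

```python
# Constructed example, not GnuPG's code: an OpenPGP packet walker that bounds how
# deeply Compressed Data packets may nest, the missing check behind CVE-2013-4402.
COMPRESSED_DATA = 8        # RFC 4880 tag for Compressed Data packets
MAX_NESTING_DEPTH = 32     # assumed bound; any finite limit stops the recursion

class NestingTooDeep(Exception): pass

def parse_old_format_header(buf, pos):
    """Return (tag, body_start, body_end) for an old-format header at pos."""
    ctb = buf[pos]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("only old-format packet headers are handled here")
    tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
    if length_type == 3:
        raise ValueError("indeterminate-length packets are not handled here")
    nlen = 1 << length_type                      # 1, 2 or 4 length octets
    body_len = int.from_bytes(buf[pos + 1:pos + 1 + nlen], "big")
    start = pos + 1 + nlen
    if start + body_len > len(buf):
        raise ValueError("packet body runs past the end of the data")
    return tag, start, start + body_len

def walk_packets(buf, depth=0):
    """Yield (depth, tag) for each packet, descending into compressed ones."""
    pos = 0
    while pos < len(buf):
        tag, start, end = parse_old_format_header(buf, pos)
        yield depth, tag
        if tag == COMPRESSED_DATA:
            if depth + 1 > MAX_NESTING_DEPTH:    # the check the unpatched parser lacked
                raise NestingTooDeep(f"nested deeper than {MAX_NESTING_DEPTH}")
            if end - start < 1 or buf[start] != 0:   # algorithm 0 = uncompressed
                raise ValueError("only algorithm 0 (uncompressed) is handled here")
            yield from walk_packets(buf[start + 1:end], depth + 1)
        pos = end

def packet(tag, body):  # old-format header with a 1-octet length (body < 256 octets)
    return bytes([0x80 | (tag << 2), len(body)]) + body

def nested_compressed(levels, innermost=b""):  # wrap in `levels` compressed packets
    data = innermost
    for _ in range(levels):
        data = packet(COMPRESSED_DATA, b"\x00" + data)
    return data

def max_depth(buf):  # deepest level reached, or -1 if the bound rejected the input
    try:
        return max(d for d, _ in walk_packets(buf))
    except NestingTooDeep:
        return -1
```

Without the bound, `walk_packets` would recurse once per nested packet, which is exactly the unbounded recursion the advisory describes; with it, input nested past the limit is rejected instead.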
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2013-10-07 19:21:16 UTC
app-crypt/gnupg-1.4.15, app-crypt/gnupg-2.0.22 in tree.

need stabilize dev-libs/libgpg-error-1.12 as well.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-10-08 03:32:37 UTC
Arches, please test and mark stable:

=app-crypt/gnupg-1.4.15
=app-crypt/gnupg-2.0.22
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=dev-libs/libgpg-error-1.12
Target keywords : "amd64 arm ppc sparc x86"
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-08 03:46:11 UTC
Correction to above, libgpg-error needs to have the same KEYWORDS as gnupg. Stable list should read:

=app-crypt/gnupg-1.4.15
=app-crypt/gnupg-2.0.22
=dev-libs/libgpg-error-1.12
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-08 13:48:21 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-08 19:26:09 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-10-09 05:42:48 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-11 14:06:44 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-11 14:07:10 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-11 14:07:38 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-11 14:08:03 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-12 18:16:28 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-12 18:16:45 UTC
ppc stable
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-15 10:34:35 UTC
This has been included on an existing GLSA draft.
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2013-10-22 17:10:56 UTC
crypto done
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:03:48 UTC
CVE-2013-4402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4402):
  GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to
  cause a denial of service (infinite recursion) via a crafted OpenPGP
  message.
Comment 16 Sergey Popov gentoo-dev 2013-11-28 08:11:16 UTC
+  28 Nov 2013; Sergey Popov <pinkbyte@gentoo.org> -gnupg-1.4.14.ebuild,
+  -gnupg-2.0.20.ebuild:
+  Security cleanup wrt bug #487230
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:34 UTC
This issue was resolved and addressed in
GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml
by GLSA coordinator Chris Reffett (creffett).