| Summary: | <app-crypt/gnupg-{1.4.15,2.0.22}: Compressed Packet Parser Denial of Service Vulnerability (CVE-2013-4402) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/55071/ | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 484836 | | |

Description
Agostino Sarubbo
2013-10-07 19:07:48 UTC
app-crypt/gnupg-1.4.15, app-crypt/gnupg-2.0.22 in tree. Need to stabilize dev-libs/libgpg-error-1.12 as well.

Arches, please test and mark stable:
=app-crypt/gnupg-1.4.15
=app-crypt/gnupg-2.0.22
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=dev-libs/libgpg-error-1.12
Target keywords : "amd64 arm ppc sparc x86"

Correction to above, libgpg-error needs to have the same KEYWORDS as gnupg. Stable list should read:
=app-crypt/gnupg-1.4.15
=app-crypt/gnupg-2.0.22
=dev-libs/libgpg-error-1.12
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

amd64 stable

x86 stable

alpha stable

ia64 stable

ppc64 stable

sparc stable

arm stable

ppc stable

This has been included on an existing GLSA draft.

crypto done

CVE-2013-4402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4402):
GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.

+ 28 Nov 2013; Sergey Popov <pinkbyte@gentoo.org> -gnupg-1.4.14.ebuild,
+ -gnupg-2.0.20.ebuild:
+ Security cleanup wrt bug #487230

This issue was resolved and addressed in GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml by GLSA coordinator Chris Reffett (creffett).