Summary: | <app-crypt/gnupg-{1.4.18,2.0.25}: Avoid infinite loop in uncompressing garbled packets (CVE-2014-4617) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alonbl, crypto+disabled, hanno |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://lists.gnupg.org/pipermail/gnupg-users/2014-June/050026.html | ||
Whiteboard: | A3 [glsa] | ||
Package list: | | Runtime testing required: | ---
Description
Kristian Fiskerstrand (RETIRED)
2014-06-23 17:32:28 UTC
Added gnupg-1.4.17 into tree. I suggest waiting a few days for the 2.x version.

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.24.

(In reply to Kristian Fiskerstrand from comment #2)
> We are pleased to announce the availability of a new stable GnuPG-2
> release: Version 2.0.24.

Thanks! In tree.

Thanks Alon, it builds cleanly and functionally for me on amd64; however, I am giving the latest version a little time to reach the GnuPG FTP mirrors specified in SRC_URI before starting a STABLEREQ. It is currently only available on the main FTP server.

Arches, please stabilize:
=app-crypt/gnupg-1.4.17
=app-crypt/gnupg-2.0.24
Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Please abort stabilization; an issue has been raised on the gnupg-users list and new versions will be released.

CVE-2014-4617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4617):
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

"Wer(sic) are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.25. This release fixes a regression introduced with the 2.0.24 release."

Added. What about gnupg-1.x?

(In reply to Alon Bar-Lev from comment #9)
> Added. What about gnupg-1.x?

1.4.18 is already tagged in the git repo and should be released soon.

(In reply to Kristian Fiskerstrand from comment #10)
> (In reply to Alon Bar-Lev from comment #9)
> > Added. What about gnupg-1.x?
>
> 1.4.18 is already tagged in the git repo and should be released soon.

We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.18. This release fixes a regression introduced with the 1.4.17 release.

Added, thanks!

Arches, please stabilize:
=app-crypt/gnupg-1.4.18
=app-crypt/gnupg-2.0.25
Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

The previous summary was correct for the security fix. However, it introduced a usability issue, hence stopping stabilization of those versions.

Stable for HPPA.

I stabilized =app-crypt/gnupg-2.0.25 on amd64. The 1.4 branch still remains to be done.

amd64 done

x86 stable

alpha stable

ppc stable

ppc64 stable

ia64 stable

arm stable

sparc stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. Thanks.

New GLSA request filed

arm64 stable for gnupg-2 only.

This issue was resolved and addressed in GLSA 201407-04 at http://security.gentoo.org/glsa/glsa-201407-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).
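The CVE text quoted in the thread says do_uncompress loops forever on a garbled compressed packet and cites the bytes a3 01 5b ff. The following is an added example, not GnuPG's code and not part of the original bug report: it decodes those four bytes as an RFC 4880 old-format packet header (tag 8 = compressed data, length type 3 = indeterminate length, first body octet 1 = ZIP, i.e. raw DEFLATE) and feeds the remaining bytes to a raw-DEFLATE inflater through a loop with a no-progress guard, so that exhausted input without an end-of-stream marker is reported as truncated instead of being retried indefinitely. The packet parser, the `inflate_bounded` loop and the `make_zip_packet` helper are this example's own constructions and model the class of bug, not the exact GnuPG loop or the upstream fix.

```python
import zlib

# Constructed sample: the four bytes cited in the CVE-2014-4617 text.
GARBLED_PACKET = bytes.fromhex("a3015bff")

TAG_COMPRESSED_DATA = 8
# RFC 4880 section 9.3 compression algorithm identifiers.
COMPRESSION_ALGOS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}


def parse_old_format_header(buf):
    """Decode an RFC 4880 old-format packet header.

    Returns (tag, body_length_or_None, header_length). Length type 3 means
    indeterminate length: the body runs to the end of the input.
    """
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag byte must be set")
    if ctb & 0x40:
        raise ValueError("new-format headers are outside this example")
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type == 3:
        return tag, None, 1
    nlen = 1 << length_type                      # 1, 2 or 4 length octets
    body_len = int.from_bytes(buf[1:1 + nlen], "big")
    return tag, body_len, 1 + nlen


def inflate_bounded(stream):
    """Raw DEFLATE (OpenPGP 'ZIP') decompression that cannot spin forever.

    Input is fed one byte at a time to mimic a streaming decoder. The loop
    continues only while the inflater can still be given fresh input; once
    the input is exhausted and no end-of-stream marker has been seen it
    returns 'truncated' rather than calling decompress() again and again on
    empty input, which is the loop shape the CVE text describes.
    Returns (output_bytes, status).
    """
    inflater = zlib.decompressobj(wbits=-15)     # -15: raw deflate, no header
    out = bytearray()
    pos = 0
    while True:
        chunk = stream[pos:pos + 1]
        pos += 1
        try:
            out += inflater.decompress(chunk)
        except zlib.error:
            return bytes(out), "corrupt"
        if inflater.eof:
            return bytes(out), "complete"
        if not chunk:
            # No input left and no end-of-stream marker: stop, do not retry.
            return bytes(out), "truncated"


def analyse_packet(buf):
    """Parse one compressed-data packet and decompress its body safely."""
    tag, body_len, hlen = parse_old_format_header(buf)
    if tag != TAG_COMPRESSED_DATA:
        raise ValueError(f"expected tag 8 (compressed data), got {tag}")
    body = buf[hlen:] if body_len is None else buf[hlen:hlen + body_len]
    algo = COMPRESSION_ALGOS.get(body[0], f"unknown({body[0]})")
    if body[0] != 1:
        raise ValueError(f"only ZIP is handled here, packet uses {algo}")
    out, status = inflate_bounded(body[1:])
    return algo, status, out


def make_zip_packet(plaintext):
    """Constructed helper: a well-formed indeterminate-length ZIP packet."""
    comp = zlib.compressobj(wbits=-15)
    return b"\xa3\x01" + comp.compress(plaintext) + comp.flush()


if __name__ == "__main__":
    print(analyse_packet(GARBLED_PACKET))             # ('ZIP', 'truncated', b'\xaf')
    print(analyse_packet(make_zip_packet(b"hello")))  # ('ZIP', 'complete', b'hello')
```

For the cited bytes, 0x5b starts a final fixed-Huffman block, the next nine code bits decode to the literal 0xaf, and then the input runs out mid-symbol; a loop that only exits on end-of-stream or a hard error would keep calling the inflater with nothing new to read. The `if not chunk` branch is the check that turns that into a clean failure.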