Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 514718 (CVE-2014-4617)

Summary: <app-crypt/gnupg-{1.4.18,2.0.25}: Avoid infinite loop in uncompressing garbled packets (CVE-2014-4617)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alonbl, crypto+disabled, hanno
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.gnupg.org/pipermail/gnupg-users/2014-June/050026.html
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-23 17:32:28 UTC
A security issue has been fixed in GnuPG 1.4.17 that was just released. There is currently no released version containing this fix for the 2.0 branch but it is fixed upstream in http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=014b2103fcb12f261135e3954f26e9e07b39e342

Quoting the 1.4 branch commit from http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a

gpg: Avoid infinite loop in uncompressing garbled packets.

* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
--

A packet like (a3 01 5b ff) leads to an infinite loop.  Using
--max-output won't help if it is a partial packet.  This patch
actually fixes a regression introduced on 1999-05-31 (c34c6769).
Actually it would be sufficient to stuff just one extra 0xff byte.
Given that this problem popped up only after 15 years, I feel safer to
allow for a very few FF bytes.

Thanks to Olivier Levillain and Florian Maury for their detailed
report.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2014-06-23 17:51:25 UTC
Added gnupg-1.4.17 into tree.

I suggest to wait few days for 2.x version.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-24 14:22:11 UTC
We are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.24.
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2014-06-24 14:40:46 UTC
(In reply to Kristian Fiskerstrand from comment #2)
> We are pleased to announce the availability of a new stable GnuPG-2
> release: Version 2.0.24.

thanks!

in tree.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-24 16:07:54 UTC
Thanks alon,

It builds cleanly and functionally for me on amd64, however giving the latest version it a little time to reach the GnuPG FTP mirrors specified in SRC_URI before starting a STABLEREQ. It is currently only available on the main FTP server.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-24 20:10:28 UTC
Arches, please stabilize: 
=app-crypt/gnupg-1.4.17
=app-crypt/gnupg-2.0.24

Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-25 12:59:44 UTC
Please abort stabilization, an issue has been raised in the gnupg-users list and new versions will be released
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-06-27 21:55:57 UTC
CVE-2014-4617 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4617):
  The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and
  2.x before 2.0.24 allows context-dependent attackers to cause a denial of
  service (infinite loop) via malformed compressed packets, as demonstrated by
  an a3 01 5b ff byte sequence.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-30 16:47:33 UTC
"Wer(sic) are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.25.  This release fixes a regression introduced
with the 2.0.24 release."
Comment 9 Alon Bar-Lev (RETIRED) gentoo-dev 2014-06-30 18:26:35 UTC
Added. What about gnupg-1.x?
Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-30 18:28:52 UTC
(In reply to Alon Bar-Lev from comment #9)
> Added. What about gnupg-1.x?

1.4.18 is already tagged in the git repo and should be released soon.
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-30 18:51:53 UTC
(In reply to Kristian Fiskerstrand from comment #10)
> (In reply to Alon Bar-Lev from comment #9)
> > Added. What about gnupg-1.x?
> 
> 1.4.18 is already tagged in the git repo and should be released soon.

We are pleased to announce the availability of a new stable GnuPG-1
release: Version 1.4.18.  This release fixes a regression introduced
with the 1.4.17 release.
Comment 12 Alon Bar-Lev (RETIRED) gentoo-dev 2014-06-30 18:57:47 UTC
Added, thanks!
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-30 20:26:44 UTC
Arches, please stabilize: 
=app-crypt/gnupg-1.4.18
=app-crypt/gnupg-2.0.25

Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-30 22:02:08 UTC
The previous summary was correct for the security fix. However it introduced a usability issue hence stopping stabilization of those versions.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2014-07-01 01:19:33 UTC
Stable for HPPA.
Comment 16 Richard Freeman gentoo-dev 2014-07-01 13:43:23 UTC
I stabilized =app-crypt/gnupg-2.0.25 on amd64.

The 1.4 branch still remains to be done.
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-01 18:21:21 UTC
amd64 done
Comment 18 Agostino Sarubbo gentoo-dev 2014-07-05 11:24:29 UTC
x86 stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-07-05 11:26:29 UTC
alpha stable
Comment 20 Agostino Sarubbo gentoo-dev 2014-07-05 11:27:12 UTC
ppc stable
Comment 21 Agostino Sarubbo gentoo-dev 2014-07-05 11:27:37 UTC
ppc64 stable
Comment 22 Agostino Sarubbo gentoo-dev 2014-07-05 11:28:01 UTC
ia64 stable
Comment 23 Agostino Sarubbo gentoo-dev 2014-07-05 11:28:55 UTC
arm stable
Comment 24 Agostino Sarubbo gentoo-dev 2014-07-05 11:29:17 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 25 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-05 11:32:01 UTC
Thanks. New GLSA request filed
Comment 26 Tom Gall (RETIRED) gentoo-dev 2014-07-12 19:14:34 UTC
arm64 stable for gnupg-2 only.
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 17:44:05 UTC
This issue was resolved and addressed in
 GLSA 201407-04 at http://security.gentoo.org/glsa/glsa-201407-04.xml
by GLSA coordinator Mikle Kolyada (Zlogene).