| Field | Value |
|---|---|
| Summary | <dev-libs/libksba-1.3.2: Buffer overflow (CVE-2014-9087) |
| Product | Gentoo Security |
| Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | crypto+disabled, k_f |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description
Kristian Fiskerstrand (RETIRED)
2014-11-25 13:34:04 UTC
+*libksba-1.3.2 (25 Nov 2014)
+
+  25 Nov 2014; Kristian Fiskerstrand <k_f@gentoo.org> +libksba-1.3.2.ebuild,
+  -libksba-1.3.1.ebuild:
+  Version bump. Security bug #530634. Cleanup old non-stable.

New version uploaded and the changes are trivial enough that upgrading should be trivial, but will wait a little bit before calling for stabilization.

Marking B3 due to the specific nature of the attack despite this package being pulled in by the default version of GnuPG.

CVE Request: http://seclists.org/oss-sec/2014/q4/788

Arches, please stabilize =dev-libs/libksba-1.3.2

Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

amd64 stable

x86 stable

ppc64 stable

sparc stable

alpha stable

arm stable

ppc stable

ia64 stable.

Maintainer(s), please cleanup. Security, please vote. Arches, thank you for your work.

GLSA Vote: No

  06 Dec 2014; Kristian Fiskerstrand <k_f@gentoo.org> -libksba-1.3.0.ebuild:
  Cleanup old for security bug #530634

CVE-2014-9087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9087):
  Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow.

GLSA Vote: No

No GLSA - Closing Bug as Resolved
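The NVD text above names the bug class (an integer underflow in an OID-to-string decoder that turns into a heap buffer overflow) without showing how such a decoder goes wrong. The following is an added illustration written for this page; it is not libksba's code and not the upstream fix. It is a toy decoder for a DER OBJECT IDENTIFIER value: the first byte encodes `arc1*40 + arc2`, later arcs are base-128 with a continuation bit, and a first sub-identifier of 80 or more means `arc1 == 2` and may itself span several bytes. The sizing rule (four output characters per input byte plus a NUL), the wrapping step (subtracting 80 from a first sub-identifier that a crafted multi-byte encoding decodes to a value below 80) and the crafted input are assumptions chosen for the demo to show how an unsigned subtraction wraps into a 20-digit number that exceeds a length-proportional buffer; they are not a statement about libksba's exact code path. The naive decoder only measures, via `snprintf(NULL, 0, ...)`, how much space the unchecked arithmetic demands, so the demo itself never overflows; the checked decoder rejects the input and bounds every write.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizing rule assumed for the demo's naive decoder: four characters per
   input byte plus a NUL. An assumption for illustration, not libksba's rule. */
size_t naive_alloc_size(size_t len)
{
    return len * 4 + 1;
}

/* Decode one base-128 sub-identifier (high bit = continuation) at buf[*pos].
   Returns 0 and advances *pos on success, -1 on truncation or if the value
   would not fit in unsigned long. */
static int read_subid(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned long *out)
{
    unsigned long val = 0;

    while (*pos < len) {
        unsigned char c = buf[(*pos)++];
        if (val > (ULONG_MAX >> 7))
            return -1;                  /* next shift would overflow */
        val = (val << 7) | (c & 0x7f);
        if (!(c & 0x80)) {
            *out = val;
            return 0;
        }
    }
    return -1;                          /* continuation bit set at end of input */
}

/* Space the unchecked decoder would need (measured, nothing written). The
   first sub-identifier has 80 subtracted without checking it is >= 80: a
   crafted multi-byte encoding of a value below 80 makes the unsigned
   subtraction wrap, and "%lu" then emits up to 20 digits, far more than
   naive_alloc_size() reserved. Returns 0 for input that cannot be decoded. */
size_t naive_required_length(const unsigned char *buf, size_t len)
{
    size_t pos = 0, n = 0;
    unsigned long val;

    if (len == 0)
        return 1;
    if (buf[0] < 40) {
        n += (size_t)snprintf(NULL, 0, "0.%u", (unsigned)buf[0]);
        pos = 1;
    } else if (buf[0] < 80) {
        n += (size_t)snprintf(NULL, 0, "1.%u", (unsigned)(buf[0] - 40));
        pos = 1;
    } else {
        if (read_subid(buf, len, &pos, &val) != 0)
            return 0;
        val -= 80;                      /* unchecked: wraps when val < 80 */
        n += (size_t)snprintf(NULL, 0, "2.%lu", val);
    }
    while (pos < len) {
        if (read_subid(buf, len, &pos, &val) != 0)
            return 0;
        n += (size_t)snprintf(NULL, 0, ".%lu", val);
    }
    return n + 1;                       /* trailing NUL */
}

/* Hardened decoder: rejects a first sub-identifier below 80 (so the
   subtraction cannot wrap), bounds every write with snprintf and reports
   truncation instead of writing past out. 0 on success, -1 otherwise. */
int oid_to_str_checked(const unsigned char *buf, size_t len, char *out,
                       size_t outlen)
{
    size_t pos = 0, used;
    unsigned long val;
    int w;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (len == 0)
        return 0;
    if (buf[0] < 40) {
        w = snprintf(out, outlen, "0.%u", (unsigned)buf[0]);
        pos = 1;
    } else if (buf[0] < 80) {
        w = snprintf(out, outlen, "1.%u", (unsigned)(buf[0] - 40));
        pos = 1;
    } else {
        if (read_subid(buf, len, &pos, &val) != 0 || val < 80)
            return -1;                  /* the check the naive path lacks */
        w = snprintf(out, outlen, "2.%lu", val - 80);
    }
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    used = (size_t)w;
    while (pos < len) {
        if (read_subid(buf, len, &pos, &val) != 0)
            return -1;
        w = snprintf(out + used, outlen - used, ".%lu", val);
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;
        used += (size_t)w;
    }
    return 0;
}
```

With the constructed inputs `{0x2a,0x86,0x48,0x86,0xf7,0x0d}` (the well-formed OID 1.2.840.113549) and `{0x80,0x05,0x01}` (a first sub-identifier that is the non-minimal two-byte encoding of 5), the naive measurement needs 15 of the 25 bytes it would allocate for the first, but more bytes than the 13 it would allocate for the second; the checked decoder returns the dotted string for the first and `-1` for the second, for a truncated encoding, and for an output buffer that is too small.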