
Bug 534002

Summary: dev-libs/libgcrypt: two vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: alonbl, crypto+disabled, multilib+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2014/12/29/9
Whiteboard: A3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-12-30 09:56:40 UTC
From ${URL} :

I found multiple vulnerabilities in libgcrypt. Could I get some CVE-ID's
for them?

--
Double free of 'hd':
http://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003300.html

off-by-one out-of-bounds read:
http://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2014-12-30 10:06:49 UTC
Are you sure you want to apply these before they have reached upstream master[1]?

[1] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=shortlog;h=refs/heads/master
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-30 11:09:09 UTC
(In reply to Alon Bar-Lev from comment #1)
> Are you sure you want to apply these before it reached to upstream master[1]?
> 
> [1] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=shortlog;h=refs/heads/master

No. In fact, the whiteboard tag is "upstream", which means there is no fix from upstream.

reference: http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap4
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 17:12:33 UTC
@ Security: I suggest closing this bug as invalid:

CVE requests were rejected, see http://www.openwall.com/lists/oss-security/2014/12/29/10

I could only find https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=1c6d2698a84e4bf82735287c1d64954bfc1a1982, which *could* be what Joshua Rogers tried to report; however, there is no link between the commit and the patch, and notice the time between the report and the commit (and don't forget Florian Weimer's comment in the CVE rejection on Joshua's patch).

The second one was also not accepted; see https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=mpi/mpiutil.c#l738, which Joshua Rogers wanted to change according to https://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-12-01 22:31:20 UTC
(In reply to Thomas Deutschmann from comment #3)
> @ Security: I am suggesting to close this bug as invalid:
> 
> CVE requests were rejected, see http://www.openwall.com/lists/oss-security/2014/12/29/10
> 
> I only could find https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=1c6d2698a84e4bf82735287c1d64954bfc1a1982 which *could* be what Joshua Rogers tried to report however there's no link between the commit and patch and notice the time between the report and the commit (and don't forget Florian Weimer comment in the CVE rejection on Joshua's patch).
> 
> The second one was also not accepted, see https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=mpi/mpiutil.c#l738 which Joshua Rogers wanted to change according to https://lists.gnupg.org/pipermail/gcrypt-devel/2014-December/003299.html

Agreed. Thank you for the research.