| Summary: | dev-python/python-debian: GPG keys verification bypass (similar to CVE-2015-0840) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | floppym, python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1210757 | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | | Runtime testing required: | --- |
+*python-debian-0.1.26 (13 Apr 2015)
+
+  13 Apr 2015; Justin Lecher <jlec@gentoo.org>
+  +files/python-debian-0.1.26-CVE-2015-0840.patch,
+  +files/python-debian-0.1.26-fix-tests.patch, +python-debian-0.1.26.ebuild,
+  -python-debian-0.1.21_p2.ebuild, metadata.xml:
+  Version Bump; drop old; import fix for CVE-2015-0840, bug #546416

Bumped and cleaned. Maintainer(s), thank you for your work. Closing noglsa.
From ${URL} :

From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782276:

"""
While dealing with the dpkg security issue (fixed in 1.16.16, and the upcoming 1.17.25), I checked other implementations and found that it also affects the python-debian modules.

The parser is too lax and accepts any whitespace while GnuPG only accepts [\r\t ] at the end of an Armor Header line, which means that a message could be doctored to include lines that will be ignored by GnuPG but parsed by the python-debian modules.
"""

This issue is similar to bug 1210748; the patch is attached to the Debian bug.

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
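To make the quoted report concrete, here is an added Python example (not python-debian's code and not the patch from the Debian bug): a minimal deb822-style splitter run with a lax `\s`-based blank-line pattern and with the strict `[\r\t ]` pattern over a constructed cleartext-signed message. The names `DOCTORED`, `split_payload` and `payload_differs` are mine, and the message layout plus the assumption that GnuPG keeps treating the extra lines as armor headers follow the report above.

```python
import re

# Constructed, unsigned sample in cleartext-signature layout (no real
# signature). The line holding only "\x0c" (form feed) is the doctored armor
# header: a lax parser treats any whitespace-only line as the blank separator,
# whereas (per the report) GnuPG only does so for [\r\t ]-only lines.
DOCTORED = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\n"
    b"Hash: SHA256\n"
    b"\x0c\n"
    b"Package: not-covered-by-signature\n"
    b"\n"
    b"Package: real-package\n"
    b"Version: 1.0\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"(signature data omitted in this constructed sample)\n"
    b"-----END PGP SIGNATURE-----\n"
)

GPG_RE = re.compile(rb"^-----(?P<action>BEGIN|END) PGP (?P<what>[^-]+)-----[\r\t ]*$")
LAX_BLANK = re.compile(rb"^\s*$")          # \s also matches \x0b and \x0c
STRICT_BLANK = re.compile(rb"^[\r\t ]*$")  # only the whitespace GnuPG accepts


def split_payload(data, blank_re):
    """Return the lines a deb822-style splitter would treat as the signed
    payload, given the regex it uses to spot the end of the armor headers."""
    state = "SAFE"
    payload = []
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        m = GPG_RE.match(line)
        if m:
            # BEGIN enters the named block ("SIGNED MESSAGE", "SIGNATURE");
            # END returns to unsigned territory.
            state = m.group("what").decode() if m.group("action") == b"BEGIN" else "SAFE"
            continue
        if state == "SIGNED MESSAGE" and blank_re.match(line):
            state = "PAYLOAD"  # armor headers end here
        elif state == "PAYLOAD":
            payload.append(line)
    return payload


def payload_differs(data):
    """True when the lax and strict splits disagree, i.e. the message carries
    lines the verifier would skip as headers but a lax parser would trust."""
    return split_payload(data, LAX_BLANK) != split_payload(data, STRICT_BLANK)
```

The strict split yields only the two `real-package` lines; the lax split also returns the unsigned `Package:` line that precedes the real blank line, which is exactly the discrepancy the fix closes.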