GnuPG crash.
Crypto please provide fixed ebuilds, thanks
This email alert must have slipped by me the first time, but regardless, 1.4.4 is in the tree since yesterday anyway.
Arches please test and mark stable.
stable on ppc64
stable on x86
sparc stable.
ppc-macos stable
ppc stable
amd64 done
stable on hppa
From CVE-2006-3082:

> parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions, allows
> remote attackers to cause a denial of service (gpg crash) and possibly overwrite
> memory via a message packet with a large length, which could lead to an integer
> overflow, as demonstrated using the --no-armor option.

While I don't think any application will use the gpg2 binary yet, a user may. So we need to fix GnuPG 1.9 as well.
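Added illustration, not part of the original bug thread and not GnuPG's code: the CVE text above describes a packet length large enough to cause an integer overflow. The sketch decodes an OpenPGP new-format body length and contrasts a 32-bit size computation that wraps with one that rejects the length first; `struct body_pkt`, `MAX_BODY_LEN` and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_BODY_LEN 2048u            /* assumed policy cap, not GnuPG's value */

struct body_pkt { uint32_t len; char data[1]; };   /* hypothetical container */

/* Decode an OpenPGP new-format body length. Returns header octets consumed,
   or 0 if the input is truncated or uses a partial-length octet. */
size_t decode_new_length(const uint8_t *p, size_t avail, uint32_t *len)
{
    if (avail >= 1 && p[0] < 192) { *len = p[0]; return 1; }
    if (avail >= 2 && p[0] >= 192 && p[0] < 224) {
        *len = ((uint32_t)(p[0] - 192) << 8) + p[1] + 192;
        return 2;
    }
    if (avail >= 5 && p[0] == 255) {
        *len = ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16)
             | ((uint32_t)p[3] << 8) | p[4];
        return 5;
    }
    return 0;
}

/* Unchecked pattern: the 32-bit sum wraps when len is close to UINT32_MAX,
   so the buffer would be far smaller than the length the parser trusts. */
uint32_t alloc_size_unchecked(uint32_t len)
{
    return (uint32_t)sizeof(struct body_pkt) + len;
}

/* Checked pattern: reject before any arithmetic. A body cannot be longer
   than the bytes actually remaining in the input, nor than the policy cap. */
int alloc_size_checked(uint32_t len, size_t remaining, size_t *size)
{
    if (len > MAX_BODY_LEN || len > remaining)
        return -1;
    *size = sizeof(struct body_pkt) + (size_t)len;
    return 0;
}

int main(void)
{
    const uint8_t hdr[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };  /* constructed */
    uint32_t len = 0; size_t size = 0;
    decode_new_length(hdr, sizeof hdr, &len);
    printf("claimed=%u unchecked=%u checked=%d\n", (unsigned)len,
           (unsigned)alloc_size_unchecked(len), alloc_size_checked(len, 0, &size));
    return 0;
}
```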
1.9.21 is coming soon, just waiting for bug 138441 regarding the freebsd patches to be resolved.
Ok, 1.9.21 is now available in the tree as well.

Status update here, and re-adding some arches because of it.

The following arches need to stabilize dev-libs/libksba-0.9.15, and app-crypt/gnupg-1.9.21:
alpha amd64 ia64 ppc64 sparc x86
FEATURES=test is supported fully on both of them. ppc should probably follow them as well. The previous versions of libksba had a bug that caused failures with gnupg-1.9*.

Additionally, the following arches still need to stabilize 1.4.4:
alpha arm ia64 mips s390 sh
libksba-0.9.15 is fine on amd64, however gnupg-1.9.21 is giving me trouble when emerging with USE="X ldap smartcard":

/bin/sh ../../libtool --mode=link x86_64-pc-linux-gnu-gcc -Wall -fno-strict-aliasing -march=k8 -O2 -pipe -msse3 -L/usr//lib -o opensc-signer.la -rpath /usr/lib64/opensc -module -avoid-version opensc_signer_la-opensc-crypto.lo opensc_signer_la-opensc-support.lo opensc_signer_la-signer.lo opensc_signer_la-stubs.lo opensc_signer_la-dialog.lo ../../src/libopensc/libopensc.la -lcrypto -lassuan -lpthread
x86_64-pc-linux-gnu-gcc -shared .libs/opensc_signer_la-opensc-crypto.o .libs/opensc_signer_la-opensc-support.o .libs/opensc_signer_la-signer.o .libs/opensc_signer_la-stubs.o .libs/opensc_signer_la-dialog.o -Wl,--rpath -Wl,/var/tmp/portage/opensc-0.9.4/work/opensc-0.9.4/src/libopensc/.libs -L/usr//lib ../../src/libopensc/.libs/libopensc.so -lcrypto -lassuan -lpthread -march=k8 -msse3 -Wl,-soname -Wl,opensc-signer.so -o .libs/opensc-signer.so
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.6/../../../../x86_64-pc-linux-gnu/bin/ld: /usr//lib/libassuan.a(assuan-errors.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
/usr//lib/libassuan.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[4]: *** [opensc-signer.la] Error 1

gentoo gnupg # emerge --info
Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-suspend2-r7-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.16-suspend2-r7-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.15
ccache version 2.3 [enabled]
dev-lang/python: 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r2
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dri eds emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6 isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl pam pcre pdflib perl png pppd python qt qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
When emerge'ing =app-crypt/gnupg-1.9.21 with USE="X ldap smartcard" I couldn't reproduce the problem the amd64 user described in Comment #14. All tests passed. dev-libs/libksba-0.9.15, app-crypt/gnupg-1.9.21, and app-crypt/gnupg-1.4.4 stable on alpha.
Disagreement with tcort, but different errors than described by other amd64 user:

x86_64-pc-linux-gnu-gcc -march=athlon64 -O3 -pipe -fomit-frame-pointer -funroll-loops -Wall -Wl,-z,now -o watchgnupg watchgnupg.o -ldl
symcryptrun.o: In function `confucius_process':
symcryptrun.c:(.text+0x92d): undefined reference to `openpty'
symcryptrun.c:(.text+0x9a9): undefined reference to `login_tty'
collect2: ld returned 1 exit status

(gnupg-1.9.21)

# emerge --info
Portage 2.1.1_pre2-r2 (default-linux/amd64/2005.1, gcc-4.1.1/amd64-vanilla, glibc-2.4-r3, 2.6.15-gentoo-r5 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r5 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Gentoo Base System version 1.12.1
dev-lang/python: 2.3.5-r2, 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.17
sys-devel/gcc-config: 2.0.0_rc1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.16
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O3 -pipe -fomit-frame-pointer -funroll-loops"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib64/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/eselect/compiler /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon64 -O3 -pipe -fomit-frame-pointer -funroll-loops"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="amd64 X alsa apache2 arts avi berkdb bitmap-fonts browserplugin bzip2 cdinstall cli crypt css cups curl curlwrappers dba dlloader dri dvd dvdr dvdread eds emboss encode ffmpeg firefox flash foomaticdb fortran ftp gd gif glibc-omitfp glitz gnome gpm gstreamer gtk gtk2 imagemagick imlib ipv6 isdnlog java jpeg kde kerberos ldap lucene lzw lzw-tiff mad mjpeg mp3 mpeg mysql ncurses nls nptl nptlonly nsplugin nvidia ogg opengl pam pascal pcntl pcre pdflib perl php png posix postgres ppds pppd python qt qt3 qt4 quicktime readline reflection ruby samba sdl session sox spell spl sql ssl subversion tcpd threads tiff truetype truetype-fonts type1-fonts unicode usb userlocales vcd vorbis wmf xml xml2 xmlrpc xmms xorg xpm xv xvid zip zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux userland_GNU video_cards_nvidia video_cards_nv"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Hi, the status of this one hasn't progressed for one week. Shouldn't we consider sending a temporary glsa without amd64?
The response is no! I will take this asap. Next time please be more patient and ask us with a good mood. :)
No problems here, it's fine... so amd64 stable. Next time hold down your horses. :)
According to Secunia (http://secunia.com/advisories/20783/): Successful exploitation requires that the "--no-armor" option is used. Rerating to B? for now.
Coordinators, please vote on GLSA (Sorry DerCorny, for kind of jumping in, but..): I tend to vote no. No real DoS, as it's a client-side vulnerability, and the damage is minimal. Additionally, we are in stable already.
Okay, let's have a vote. I would vote NO, making it crash is no different to feeding it a chunk of /dev/urandom, both times you get an error return code. Also, seriously doubt anything uses --no-armor.
While disagreeing with #21 (it may well be used in server apps that need to exchange data) I tend to vote "no", too.
Thx everyone. Closing with NO GLSA. Feel free to reopen if you disagree.