Text from Security Focus:
GnuPG is prone to a remote buffer-overflow vulnerability because it fails to
properly bounds-check user-supplied input before copying it to an insufficiently
sized memory buffer.
This issue may allow remote attackers to execute arbitrary machine code in the
context of the affected application, but this has not been confirmed.
GnuPG version 1.4.4 is vulnerable to this issue; previous versions may also be
The following Perl command demonstrates this issue by crashing the affected
perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| /var/gnupg/bin/gpg --no-armor
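To make the reported input concrete from the defender's side, here is an added example (not from the bug report, Security Focus, or GnuPG's own code) that decodes the OpenPGP packet header in that perl command per RFC 4880, models how an unchecked 32-bit length can wrap an allocation size, and applies the kind of "packet too large" check the 1.4.5 output shows; the cap value and struct size are assumptions for the example.

```python
import struct

MAX_PACKET_LEN = 1 << 20  # assumed cap for this example; GnuPG's real limit is not on the page

def parse_packet_header(data: bytes):
    """Decode an RFC 4880 packet header; return (tag, body_length, header_size)."""
    if not data or not data[0] & 0x80:
        raise ValueError("invalid packet tag byte")
    ctb = data[0]
    if ctb & 0x40:                       # new-format header (bit 6 set)
        tag = ctb & 0x3F
        if len(data) < 2:
            raise ValueError("truncated length field")
        first = data[1]
        if first < 192:                  # one-octet length
            return tag, first, 2
        if first < 224:                  # two-octet length
            if len(data) < 3:
                raise ValueError("truncated length field")
            return tag, ((first - 192) << 8) + data[2] + 192, 3
        if first == 255:                 # five-octet length: 0xff then 32-bit big-endian
            if len(data) < 6:
                raise ValueError("truncated length field")
            return tag, struct.unpack(">I", data[2:6])[0], 6
        raise ValueError("partial body lengths not handled in this example")
    tag = (ctb >> 2) & 0x0F              # old-format header (bit 6 clear)
    ltype = ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not handled in this example")
    n = (1, 2, 4)[ltype]
    if len(data) < 1 + n:
        raise ValueError("truncated length field")
    return tag, int.from_bytes(data[1:1 + n], "big"), 1 + n

def wrapped_alloc_size(pktlen: int, struct_size: int = 16) -> int:
    """Simplified model (not GnuPG's code): struct_size + pktlen - 1 in 32-bit arithmetic."""
    return (struct_size + pktlen - 1) & 0xFFFFFFFF

def check_packet(data: bytes):
    """Hardened path: reject oversized or truncated bodies before any copy happens."""
    tag, length, hdr = parse_packet_header(data)
    if length > MAX_PACKET_LEN:
        raise ValueError(f"packet({tag}) too large")
    if len(data) - hdr < length:
        raise ValueError(f"packet({tag}) body truncated")
    return tag, length
```

Feeding the report's bytes to `parse_packet_header` yields tag 61 with a declared body of 0xFFFFFFFE octets, which is why the 1.4.5rc1 run prints "packet(61) too large".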
Actually, 1.9.20-r3 is stable on almost all arches; I also remember we dropped the last "--no-armor" vulnerability (#137622), but impact is high this time and might thus call for masking.
Added 1.4.5rc1. This seems to fix the vulnerability HOWEVER please wait until full release before stabilising. It shouldn't be that long and big ugly "THIS IS A DEVELOPMENT VERSION!" warnings will put people off.
$ gpg --version
gpg (GnuPG) 1.4.5rc1-ecc0.1.6
$ perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| gpg --no-armor
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: using character set `iso-8859-1'
gpg: packet(61) too large
(In reply to comment #2)
> Added 1.4.5rc1. This seems to fix the vulnerability HOWEVER please wait until
> full release before stabilising. It shouldn't be that long and big ugly "THIS
> IS A DEVELOPMENT VERSION!" warnings will put people off.
Indeed, 1.4.5 has been released. Please do your magic again, thanks
1.4.5 magic done.
x86 stable, the mentioned perl command doesn't crash it, and the common functionality checks out OK.
This could be considered B1 since feeding emails to gpg is somewhat automated.
(In reply to comment #7)
> This could be considered B1 since feeding emails to gpg is somewhat automated.
Rerating according to comment #7 and #8.
Stable on hppa. Sorry for the delay.
arm, ia64, mips, s390 don't forget to mark stable to benefit from the GLSA.
Does not affect current (2008.0) release. Removing release.