Bug 142248 - app-crypt/gnupg buffer overflow
Summary: app-crypt/gnupg buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/bugzilla/...
Whiteboard: B1 [glsa] DerCorny
Reported: 2006-07-31 00:58 UTC by Sune Kloppenborg Jeppesen
Modified: 2019-12-26 10:27 UTC

Description Sune Kloppenborg Jeppesen gentoo-dev 2006-07-31 00:58:58 UTC
Text from Security Focus:

http://www.securityfocus.com/bid/19110/

GnuPG is prone to a remote buffer-overflow vulnerability because it fails to
properly bounds-check user-supplied input before copying it to an insufficiently
sized memory buffer.

This issue may allow remote attackers to execute arbitrary machine code in the
context of the affected application, but this has not been confirmed.

GnuPG version 1.4.4 is vulnerable to this issue; previous versions may also be
affected.

The following Perl command demonstrates this issue by crashing the affected
application:

perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| /var/gnupg/bin/gpg --no-armor

http://lists.immunitysec.com/pipermail/dailydave/2006-July/003354.html
Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-07-31 03:03:16 UTC
Actually, 1.9.20-r3 is stable on almost all arches; I also remember we dropped the last "--no-armor" vulnerability (#137622), but impact is high this time and might thus call for masking.
Comment 2 Daniel Black (RETIRED) gentoo-dev 2006-07-31 17:48:29 UTC
Added 1.4.5rc1. This seems to fix the vulnerability HOWEVER please wait until full release before stabilising. It shouldn't be that long and big ugly "THIS IS A DEVELOPMENT VERSION!" warnings will put people off.

$ gpg --version
gpg (GnuPG) 1.4.5rc1-ecc0.1.6

$ perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'|  gpg  --no-armor
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: using character set `iso-8859-1'
gpg: packet(61) too large
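
Added example, not part of the bug thread and not GnuPG's code: the six bytes from the report decode as an OpenPGP new-format packet header (RFC 4880, section 4.2) with tag 61 and a five-octet length of 0xFFFFFFFE, which matches the "packet(61) too large" message above. The sketch below decodes such a header and rejects the declared length before anything is allocated or copied; `MAX_BODY_LEN`, the status names and `parse_new_header` are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_BODY_LEN (16u * 1024u * 1024u) /* assumed policy cap, not a GnuPG constant */

enum hdr_status { HDR_OK, HDR_TRUNCATED, HDR_NOT_NEW_FORMAT, HDR_PARTIAL, HDR_TOO_LARGE };
struct pkt_hdr { unsigned tag; uint32_t body_len; size_t hdr_len; };

/* Bytes from the report's perl one-liner, and a constructed benign packet
 * (tag 11, three-byte body) for comparison. */
static const uint8_t REPORT_INPUT[] = { 0xfd, 0xff, 0xff, 0xff, 0xff, 0xfe };
static const uint8_t BENIGN_INPUT[] = { 0xcb, 0x03, 'a', 'b', 'c' };

/* Decode a new-format packet header (RFC 4880, section 4.2.2) and validate the
 * declared body length before any caller sizes a buffer or copies from it. */
enum hdr_status parse_new_header(const uint8_t *buf, size_t n, struct pkt_hdr *out)
{
    if (n < 2) return HDR_TRUNCATED;
    if ((buf[0] & 0xc0) != 0xc0) return HDR_NOT_NEW_FORMAT;
    out->tag = buf[0] & 0x3f;
    if (buf[1] < 192) {                       /* one-octet length */
        out->body_len = buf[1]; out->hdr_len = 2;
    } else if (buf[1] < 224) {                /* two-octet length */
        if (n < 3) return HDR_TRUNCATED;
        out->body_len = ((uint32_t)(buf[1] - 192) << 8) + buf[2] + 192;
        out->hdr_len = 3;
    } else if (buf[1] == 255) {               /* five-octet length */
        if (n < 6) return HDR_TRUNCATED;
        out->body_len = ((uint32_t)buf[2] << 24) | ((uint32_t)buf[3] << 16)
                      | ((uint32_t)buf[4] << 8) | buf[5];
        out->hdr_len = 6;
    } else {
        return HDR_PARTIAL;                   /* 224..254: partial lengths, out of scope */
    }
    if (out->body_len > MAX_BODY_LEN) return HDR_TOO_LARGE;
    if (out->body_len > n - out->hdr_len) return HDR_TRUNCATED; /* body not in buffer */
    return HDR_OK;
}

int main(void)
{
    struct pkt_hdr h;
    enum hdr_status s = parse_new_header(REPORT_INPUT, sizeof REPORT_INPUT, &h);
    printf("report input: status=%d tag=%u len=%lu\n", s, h.tag, (unsigned long)h.body_len);
    s = parse_new_header(BENIGN_INPUT, sizeof BENIGN_INPUT, &h);
    printf("benign input: status=%d tag=%u len=%lu\n", s, h.tag, (unsigned long)h.body_len);
    return 0;
}
```

The length check runs on the decoded 32-bit value itself, before it is used in any size arithmetic, so a near-maximum length cannot wrap a later `len + n` computation.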
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-01 10:51:45 UTC
(In reply to comment #2)
> Added 1.4.5rc1. This seems to fix the vulnerability HOWEVER please wait until
> full release before stabilising. It shouldn't be that long and big ugly "THIS
> IS A DEVELOPMENT VERSION!" warnings will put people off.

Indeed, 1.4.5 has been released. Please do your magic again, thanks
Comment 4 Daniel Black (RETIRED) gentoo-dev 2006-08-01 14:13:25 UTC
1.4.5 magic done.
Comment 5 Andrej Kacian (RETIRED) gentoo-dev 2006-08-01 15:43:45 UTC
x86 stable, the mentioned perl command doesn't crash it, and the common functionality checks out OK.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2006-08-01 23:14:49 UTC
ppc64 stable
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-08-02 06:24:29 UTC
This could be considered B1 since feeding emails to gpg is somewhat automated.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-02 06:52:18 UTC
(In reply to comment #7)
> This could be considered B1 since feeding emails to gpg is somewhat automated.
> 

I agree
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2006-08-02 07:05:10 UTC
sparc stable.
Comment 10 Thomas Cort (RETIRED) gentoo-dev 2006-08-02 07:33:33 UTC
alpha stable.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-02 08:45:27 UTC
Rerating according to comment #7 and #8.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-08-02 09:02:13 UTC
ppc stable
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2006-08-04 05:45:07 UTC
Stable on hppa. Sorry for the delay.
Comment 14 Mike Doty (RETIRED) gentoo-dev 2006-08-04 06:19:53 UTC
amd64 stable
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-05 04:51:03 UTC
GLSA 200608-08

arm, ia64, mips, s390 don't forget to mark stable to benefit from the GLSA.
Comment 16 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:39:28 UTC
Does not affect current (2008.0) release. Removing release.