Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 214990 - app-crypt/gnupg =1.4.8, =2.0.8 Memory corruption when importing keys (CVE-2008-1530)
Summary: app-crypt/gnupg =1.4.8, =2.0.8 Memory corruption when importing keys (CVE-200...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
: 215782 (view as bug list)
Depends on:
Reported: 2008-03-26 23:43 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-01 22:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 23:43:32 UTC
From announcement:
  We are pleased to announce the availability of a new stable GnuPG-1
  release: Version 1.4.9.  This is a maintenance release to fix a possible
  vulnerability introduced with 1.4.8.

This bug is also present in 2.0.8 and was fixed with 2.0.9. Both 1.4.8 and 2.0.8 are ~arch only, so please do not move them to stable. A bump for ~arch would be required.

Upstream bug:

g10 ChangeLog:
2008-03-25  David Shaw  <>  (wk)

        * import.c (collapse_uids): Fix bug 894: possible memory
        corruption around deduplication of user IDs.

Andrea Barisani

Patch in trunk:
svn diff -r4712:4713 svn://
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 00:41:12 UTC
oCERT Advisory:
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2008-03-27 10:52:09 UTC
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 20:26:29 UTC
Thanks, no GLSA for ~arch packages.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 22:31:06 UTC
*** Bug 215782 has been marked as a duplicate of this bug. ***