From $URL :
On 12/28/2012 06:06 PM, KB Sriram wrote:
> Versions of GnuPG <= 1.4.12 are vulnerable to memory access
> violations and public keyring database corruption when importing
> public keys that have been manipulated.
> An OpenPGP key can be fuzzed in such a way that gpg segfaults (or
> has other memory access violations) when importing the key.
> The key may also be fuzzed such that gpg reports no errors when
> examining the key (e.g. "gpg the_bad_key.pkr") but importing it
> causes gpg to corrupt its public keyring database.
> The database corruption issue was first reported on Dec 6th,
> through the gpg bug tracking system:
> The subsequent memory access violation was discovered and reported
> in a private email with the maintainer on Dec 20th.
> A zip file with keys that causes segfaults and other errors is
> available at
> http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip and includes
> a log file that demonstrates the issues [on MacOS X and gpg
> A new version of gpg -- 1.4.13 -- that addressed both these issues
> was independently released by the maintainer on Dec 20th.
> The simplest solution is to upgrade all gpg installs to 1.4.13.
> [Workarounds: A corrupted database may be recovered by manually
> copying back the pubring.gpg~ backup file. Certain errors may also
> be prevented by never directly importing a key, but first just
> "looking" at the key (eg: "gpg bad_key.pkr"). However, this is not
> guaranteed to work in all cases; though upgrading to 1.4.13 does
> work for the issues reported.]
> The problem was discovered during a byte-fuzzing test of OpenPGP
> certificates for an unrelated application. Each byte in turn was
> replaced by a random byte, and the modified certificate fed to the
> application to check that it handled errors correctly. Gpg was used
> as a control, but it itself turned out to have errors related to
> packet parsing. The errors are generally triggered when fuzzing the
> length field of OpenPGP packets, which cascades into subsequent
> errors in certain situations.
If you want to maintain the 1.4 series, go ahead with the bump; otherwise, cleaning the affected ebuild is enough.
(In reply to comment #2)
Arches, please test and mark stable =app-crypt/gnupg-1.4.13
Stable for HPPA.
New GLSA request filed.
The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and
2.0.x through 2.0.19, when importing a key, allows remote attackers to
corrupt the public keyring database or cause a denial of service
(application crash) via a crafted length field of an OpenPGP packet.
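Both the fuzzing description in the quoted report above and the CVE text here come down to the same check: before a packet body is read, its declared length must be compared against the bytes actually remaining, otherwise a crafted length field drives the reader past its buffer. The following is an added example, not code from GnuPG or from the reporter: a small Python parser for OpenPGP packet headers (RFC 4880, section 4.2) that rejects any packet whose length field overruns the input, run over a constructed three-packet blob and over a copy whose user ID length octet has been overwritten. The packet bodies are placeholder bytes, not a real key, and `parse_packets`, `check_keyring`, `new_format_packet` and `replace_byte` are names chosen for this example.

```python
"""Bounds-checked OpenPGP packet header parser (RFC 4880, section 4.2).

Added example: the check that matters is the comparison of the declared
length against the bytes remaining; nothing is read on the strength of
the length field alone.
"""
from dataclasses import dataclass


class MalformedPacket(ValueError):
    """Raised instead of letting a bad length field cause an out-of-bounds read."""


@dataclass
class Packet:
    tag: int
    body: bytes
    offset: int  # where the header started, for error reporting


def _read_len(data: bytes, pos: int, nbytes: int) -> tuple[int, int]:
    """Read an nbytes big-endian length at pos; fail if the header itself is truncated."""
    if pos + nbytes > len(data):
        raise MalformedPacket(f"truncated length field at offset {pos}")
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def parse_packets(data: bytes) -> list[Packet]:
    """Split a packet sequence into (tag, body) pairs, or raise MalformedPacket."""
    packets: list[Packet] = []
    pos = 0
    while pos < len(data):
        start = pos
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise MalformedPacket(f"bit 7 clear in packet header at offset {start}")
        if ctb & 0x40:  # new-format header: tag in the low six bits
            tag = ctb & 0x3F
            if pos >= len(data):
                raise MalformedPacket(f"missing length octet at offset {pos}")
            first = data[pos]
            pos += 1
            if first < 192:                       # one-octet length
                length = first
            elif first < 224:                     # two-octet length
                second, pos = _read_len(data, pos, 1)
                length = ((first - 192) << 8) + second + 192
            elif first == 255:                    # five-octet length
                length, pos = _read_len(data, pos, 4)
            else:
                # 224..254 are partial body lengths; key material does not use them,
                # so this example simply rejects them.
                raise MalformedPacket(f"partial body length in key packet at offset {start}")
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise MalformedPacket(f"indeterminate length at offset {start}")
            length, pos = _read_len(data, pos, (1, 2, 4)[ltype])
        # The bounds check: never trust the declared length past the end of the input.
        remaining = len(data) - pos
        if length > remaining:
            raise MalformedPacket(
                f"packet tag {tag} at offset {start} declares {length} bytes "
                f"but only {remaining} remain")
        packets.append(Packet(tag, data[pos:pos + length], start))
        pos += length
    return packets


def check_keyring(data: bytes) -> tuple[bool, str]:
    """Import-time gate: accept the blob only if every packet parses within bounds."""
    try:
        pkts = parse_packets(data)
    except MalformedPacket as exc:
        return False, str(exc)
    return True, f"{len(pkts)} packets, tags {[p.tag for p in pkts]}"


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Encode a body with a new-format header (one-, two- or five-octet length)."""
    n = len(body)
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + hdr + body


def replace_byte(data: bytes, offset: int, value: int) -> bytes:
    """Return a copy of data with one byte overwritten (the report's mutation, one byte at a time)."""
    return data[:offset] + bytes([value]) + data[offset + 1:]


# Constructed sample: placeholder bytes standing in for a public key packet (tag 6),
# a user ID packet (tag 13) and a signature packet (tag 2). Not a real key.
SAMPLE_KEYRING = (
    new_format_packet(6, bytes.fromhex("04 50 de 9c 28 01") + bytes(20))
    + new_format_packet(13, b"Alice <alice@example.org>")
    + new_format_packet(2, bytes(8))
)
# Offset 29 is the length octet of the user ID packet (its header starts at 28).
USER_ID_LENGTH_OFFSET = 29
CORRUPTED_KEYRING = replace_byte(SAMPLE_KEYRING, USER_ID_LENGTH_OFFSET, 0xBF)

if __name__ == "__main__":
    for label, blob in (("intact", SAMPLE_KEYRING), ("corrupted", CORRUPTED_KEYRING)):
        ok, msg = check_keyring(blob)
        print(f"{label}: {'accepted' if ok else 'rejected'} ({msg})")
```

The corrupted copy declares 191 bytes for the user ID where only 35 remain; a parser that honours the declared length would read 156 bytes past the end of the buffer, which is the class of failure the report describes, while this one returns a rejection message and leaves the existing keyring untouched.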
This issue was resolved and addressed in
GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml
by GLSA coordinator Chris Reffett (creffett).